The Conti ransomware gang was on top of the world. The sprawling network of cybercriminals extorted $180 million from its victims last year, eclipsing the earnings of all other ransomware gangs. Then it backed Vladimir Putin’s invasion of Ukraine. And it all started falling apart.
Conti’s implosion started with a single post on the group’s website, usually reserved for posting the names of its victims. Hours after Russian troops crossed Ukrainian borders on February 24, Conti offered its “full support” to the Russian government and threatened to hack critical infrastructure belonging to anyone who dared to launch cyberattacks against Russia.
But while many Conti members live in Russia, its scope is international. The war has divided the group; privately, some had railed against Putin’s invasion. And while Conti’s ringleaders scrambled to retract their statement, it was too late. The damage had been done. Especially because the dozens of people with access to Conti’s files and internal chat systems included a Ukrainian cybersecurity researcher who had infiltrated the group. They proceeded to rip Conti wide open.
On February 28, a newly created Twitter account called @ContiLeaks released more than 60,000 chat messages sent among members of the gang, its source code, and scores of internal Conti documents. The scope and scale of the leak is unprecedented; never before have the daily inner workings of a ransomware group been laid so bare. “Glory to Ukraine,” @ContiLeaks tweeted.
The leaked messages, reviewed in depth by WIRED, provide an unrivaled view into Conti’s operations and expose the ruthless nature of one of the world’s most successful ransomware gangs. Among their revelations are the group’s sophisticated businesslike hierarchy, its members’ personalities, how it dodges law enforcement, and details of its ransomware negotiations.
“We see the gang progressing. We see the gang living. We see the gang committing crimes and changing over the course of several years,” says Alex Holden, whose company Hold Security has tracked Conti members for most of the last decade. Holden, who was born in Ukraine but lives in America, says he knows the cybersecurity researcher who leaked the documents but says they are staying anonymous for safety reasons.
The Conti ransomware gang runs like any number of businesses around the world. It has multiple departments, from HR and administrators to coders and researchers. It has policies on how its hackers should process their code, and shares best practices to keep the group’s members hidden from law enforcement.
At the top of the business is Stern, who also goes by Demon and acts as the CEO—Conti members call Stern the “big boss.” All Conti members have pseudonymous usernames, which can change. Stern regularly chases people on their work and wants to account for their time. “Hello, how are you doing, write the results, successes or failures,” Stern wrote in one message sent to more than 50 Conti members in March 2021.
The Conti chat logs span two years, from the start of 2020 until February 27, 2022—the day before the messages leaked. In February WIRED reported on a small number of the messages, after they were provided by another source. The conversations are fragmented—think of taking your WhatsApp or Signal messages out of context—and were released in their original Russian form. WIRED reviewed a machine-translated version of the messages.