The Conti Leaks Series 2022
The recent Conti internal data leaks have led to previously inaccessible findings on the inner workings of a modern-day criminal network. Read the insights our investigations and analytics team has collected so far in Part 1 and Part 2
Conti is an extortion group that has been observed since early 2020, and it has since been used by criminals to attack organizations throughout the world.
Around February 27, 2022, a cache of internal chat logs belonging to Conti were leaked online thanks to an apparent insider, who claimed to have objected to the group’s support for the Russian invasion of Ukraine.
Crystal’s analytics and investigations team have thoroughly assessed the provided information from 2020 and 2021 chat logs between Conti members and are ready to share specific key insights that have been verified.
Key findings:
- Conti is an extortion group originally discovered in early 2020, and it has since been used by criminals to attack organizations throughout the world. In February 2022, a pro-Ukrainian insider leaked over 12 months’ worth of internal communications from the group
- Through our analysis, the Crystal Blockchain analytics and investigations team has found potential financial links between Conti and other ransomware groups such as Ryuk. It is also likely that individuals financially associated with Conti were involved in the hack of the Japan-based crypto exchange, Liquid, on August 19, 2021
- Several previously unreported victims of Conti were identified in the chat logs, including details of ransom payments made by the victims. Questions over the ethics of ransom payments remain, as there is not yet any regulation by US regulators or EU regulators in place to prohibit ransom payments
- Having said that, the responsibility is on VASPs (virtual asset service providers) as well as the victims paying a ransom to conduct due diligence on the attacker’s identity to comply with government prohibitions and to mitigate the risk of incurring possible civil and criminal penalties
- The Conti Leaks Part Two includes previously unseen chat logs from 2020, as well as more insights 2021
- From their logs, we know that Conti planned to attack 20-30 companies per day, and if a business didn’t comply with the ransom they would destroy the business
- There is evidence of huge anti-US sentiment amongst Conti members, where businesses in CIS regions were majoritively saved from any ransom attack
- We’ve researched and verified that of the 89 named companies we found in the Conti chat logs, 76 were US-based and only 13 come from other global regions
- The biggest payment request that Crystal observed in the logs so far was 3,000 BTC, and the biggest single ransom payment received by Conti was 725 BTC
- One of the biggest names mentioned in the logs was Pfizer, and we’ve included original chat logs between members relating to the Pfizer attack, as well as logs related to other companies, along with English translations of each chat
- The Crystal team noted that the overwhelming majority of Conti ransom attacks were not made public or reported to law enforcement by the business involved