According to Crystal Blockchain’s analysis, the largest ransom amount received by Conti criminals was 725 BTC

Analysts uncovered the organization of a crypto extortion ring from Russia

18.05.2022 - 10:55


What’s new? Analytics firm Crystal Blockchain conducted a detailed analysis of the February 2022 leaked messages of members of the Conti hacker group from Russia. It found that Conti used over-the-counter brokers to cash out stolen cryptocurrency. These funds were used to pay members of the group and to rent servers. According to the investigation, some Conti employees did not know what specific activities the gang was engaged in.

Crystal Blockchain’s analysis

What is known about Conti? The hacker gang has carried out numerous attacks on public institutions and private companies around the world. The criminals are responsible for creating popular ransomware such as Ryuk and Trickbot.

Based on an analysis of the messages, Conti operates much like a regular company, with hiring, performance review, and employee of the month selection. To some applicants, Conti has been presented as an advertising agency. It also has management, finance, and human resources departments.

In 2020, during the outbreak of the coronavirus pandemic, Conti attacked Ridgeview Medical Center in Minnesota. According to the analysis of the messages and transactions, the institution sent 301 BTC (more than $4 million at the time) to the hackers as ransom.

The largest ransom payout was a transaction dated October 10, 2020, for 725 BTC (about $8 million) from an unknown company. The alleged victim could be the printer manufacturer Xerox, which was attacked in the same year, 2020.

Conti’s messages mention 89 institutions that were planned to be attacked, most of them based in the United States, with some more in Canada, Australia, and Europe. The exact number of successful attacks that resulted in payouts is unknown.

What happened before? In April, the US Treasury Department imposed sanctions on the Garantex crypto exchange and the Hydra darknet marketplace. The agency found that about $8 million in proceeds from ransomware such as Ryuk and Sodinokibi passed through Hydra’s accounts. An analysis of known Garantex transactions revealed more than $100 million worth of transactions related to illegal activities. Almost $6 million of these came from the Russian hacker group Conti.

In April 2022, the US authorities warned of the threat of attacks on crypto companies. The authorities said the threat comes from DPRK-sponsored hackers whose main target is cryptocurrency. The hackers’ methods include social engineering that encourages victims to download malware and applications.

Cryptocurrency services Etherscan, CoinGecko, DeFi Pulse, and others also reported incidents of a malicious pop-up prompting users to connect their MetaMask crypto wallets. A preliminary investigation revealed that the phishing attack was caused by a malicious ad script on the affected sites.


Vasiliy Smirnov