March 7, 2022

Three stories here last week pored over several years’ worth of internal chat records stolen from the Conti ransomware group, the most profitable ransomware gang in operation today. The candid messages revealed how Conti evaded law enforcement and intelligence agencies, what it was like on a typical day at the Conti office, and how Conti secured the digital weaponry used in their attacks. This final post on the Conti conversations explores different schemes that Conti pursued to invest in and steal cryptocurrencies.

When you’re perhaps the most successful ransomware group around — Conti made $180 million last year in extortion payments, well more than any other crime group, according to Chainalysis — you tend to have a lot digital currency like Bitcoin.

This wealth allowed Conti to do things that regular investors couldn’t — such as moving the price of cryptocurrencies in one direction or the other. Or building a cryptocurrency platform and seeding it with loads of ill-gotten crypto from phantom investors.

One Conti top manager — aptly-named “Stern” because he incessantly needled Conti underlings to complete their assigned tasks — was obsessed with the idea of creating his own crypto scheme for cross-platform blockchain applications.

“I’m addicted right now, I’m interested in trading, defi, blockchain, new projects,” Stern told “Bloodrush” on Nov. 3, 2021. “Big companies have too many secrets that they hold on to, thinking that this is their main value, these patents and data.”

In a discussion thread that spanned many months in Conti’s internal chat room, Stern said the plan was to create their own crypto universe.

“Like Netherium, Polkadot and Binance smart chain, etc.,” Stern wrote. “Does anyone know more about this? Study the above systems, code, principles of work. To build our own, where it will already be possible to plug in NFT, DEFI, DEX and all the new trends that are and will be. For others to create their own coins, exchanges and projects on our system.”

It appears that Stern has been paying multiple developers to pursue the notion of building a peer-to-peer (P2P) based system for “smart contracts” — programs stored on a blockchain that run whenever predetermined conditions are met.

It’s unclear under what context the Conti gang was interested in smart contracts, but the idea of a ransomware group insisting on payments via smart contracts is not entirely new. In 2020, researchers from Athens University School of Information Sciences and Technology in Greece showed (PDF) how ransomware-as-a-service offerings might one day be executed through smart contracts.

Before that, Jeffrey Ladish, an information security consultant based in Oakland, Calif., penned a two-part analysis on why smart contracts will make ransomware more profitable.

“By using a smart contract, an operator can trustlessly sell their victims a decryption key for money,” Ladish wrote. “That is, a victim can send some money to a smart contract with a guarantee that they will either receive the decryption key to their data or get their money back. The victim does not have to trust the person who hacked their computer because they can verify that the smart contract will fairly handle the exchange.”

The Conti employee “Van” appears to have taken the lead on the P2P crypto platform, which he said was being developed using the Rust programming language.

“I am trying to make a p2p network in Rust,” Van told “Demon” on Feb. 19, 2022 [Demon appears to be one of Stern’s aliases]. “I’m sorting it out and have already started writing code.”

“It’s cool you like Rust,” Demon replied. “I think it will help us with smart contracts.”

Stern apparently believed in his crypto dreams so much that he sponsored a $100,000 article writing contest on the Russian language cybercrime forum Exploit, asking interested applicants to put forth various ideas for crypto platforms. Such contests are an easy way to buy intellectual property for ongoing projects, and they’re also effective recruiting tools for cybercriminal organizations.

“Cryptocurrency article contest! [100.000$],” wrote mid-level Conti manager “Mango,” to boss Stern, copying the title of the post on the Exploit forum. “What the hell are you doing there…”

A few days later Mango reports to Stern that he has “prepared everything for both the social network and articles for crypto contests.”

DISTRIBUTED DENIAL OF DISCORD?

On June 6, 2021, Conti underling “Begemot” pitched Stern on a scheme to rip off a bunch of people mining virtual currencies, by launching distributed denial-of-service (DDoS) attacks against a cryptocurrency mining pool.

“We find young forks on exchanges (those that can be mined), analyze their infrastructure,” Begemot wrote.

Begemot continues:

“Where are the servers, nodes, capitalization, etc. Find a place where crypto holders communicate (discord, etc. ). Let’s find out the IP of the node. Most likely it will be IPv6. We start ddosing. We fly into the chat that we found earlier and write that there are problems, the crypt is not displayed, operations are not carried out (because the crypt depends on mining, there will really be problems ). Holders start to get nervous and withdraw the main balance. Crypto falls in price. We buy at a low price. We release ddos. Crypto grows again. We gain. Or a variant of a letter to the creators about the possibility of a ransom if they want the ddos ​​to end. From the main problem points, this is the implementation of Ipv6 DDoS.”

Stern replies that this is an excellent idea, and asks Begemot to explain how to identify the IP address of the target.

SQUID GAMES

It appears Conti was involved in “SQUID,” a new cryptocurrency which turned out to be a giant social media scam that netted the fraudsters millions of dollars. On Oct. 31, 2021, Conti member “Ghost” sent a message to his colleagues that a big “pump” moneymaking scheme would be kicking off in 24 hours. In crypto-based pump-and-dump scams, the conspirators use misleading information to inflate the price of a currency, after which they sell it at a profit.

“The big day has arrived,” Ghost wrote. “24 hours remaining until the biggest pump signal of all time! The target this time will be around 400% gains possibly even more. We will be targeting 100 million $ volume. With the bull market being in full effect and volumes being high, the odds of reaching 400% profit will be very high once again. We will do everything in our power to make sure we reach this target, if you have missed our previous big successful pumps, this is also the one you will not want to miss. A massive pump is about to begin in only 24 hours, be prepared.”

Ghost’s message doesn’t mention which crypto platform would be targeted by the scam. But the timing aligns with a pump-and-dump executed against the SQUID cryptocurrency (supposedly inspired by the popular South Korean Netflix series). SQUID was first offered to investors on Oct. 20, 2021.

The now-defunct website for the cryptocurrency scam SQUID.

As Gizmodo first reported on Nov. 1, 2021, just prior to the scam SQUID was trading at just one cent, but in less than a week its price had jumped to over $2,856.

Gizmodo referred to the scam as a “rug pull,” which happens when the promoter of a digital token draws in buyers, stops trading activity and makes off with the money raised from sales. SQUID’s developers made off with an estimated $3.38 million (£2.48m).

“The SQUID crypto coin was launched just last week and included plenty of red flags, including a three-week old website filled with bizarre spelling and grammatical errors,” Gizmodo’s Matt Novak wrote. “The website, hosted at SquidGame.cash, has disappeared, along with every other social media presence set up by the scammers.”


14 thoughts on “Conti Ransomware Group Diaries, Part IV: Cryptocrime

  1. bobl

    In the second paragraph of this article, Brian mentions that Conti had “sales” of ~180 million dollars.
    Where does all that money go? As mentioned in the previous articles in this series, the worker bees don’t make all that much money. Who controls the war chest? How much does the Russian government take?

  2. Mainline

    What happens when Conti is sanctioned and it’s no longer legal for legit companies to pay them in crypto?
    Does the revenue dry up? Does the crypto price crash?

    1. not-a-bad-guy

      How would sanctioning them even work. in practical terms? If the fed reserve forbids dumping currency into a range of crypto accounts couldn’t conti just shift accounts and/or use a dummy real company with “real” accounts? The work-arounds seem trivial and obvious, no?

      1. JamminJ

        The way OFAC works is pretty complex. But long story short, they don’t care how currencies are exchanged, tumbling wallets or any other laundering methods.
        If the US Treasury dept, which runs OFAC (not the Federal Reserve), suspects a violation of sanctions… their investigation can determine if money made its way to a sanctioned entity.

        Generally, this is done mostly to stop funding of terrorist organizations. Normal criminal organizations do not get sanctioned. North Korea, Iran and Syria are the 3 big “regional” sanctioned entities. If the WH decides to increase sanctions by listing all Russian cyber crime groups… there will be a lot more investigations into ransomware payments.

        They’ve been at this for decades, dealing with “shell” companies that receive money, and they can tie them to the sanctioned entity. It may take some time, but eventually the fines for violating do get applied.
        Both the US Treasury and the DOJ are experienced in following the money trail even when both the sender and receiver are using laundering techniques. It is probably easier to trace money when the sender is a victim paying a ransom. Crypto tumbling makes this more difficult to pin down an individual identity, but the transparency of the transaction ledger is proving easier to make a determination as to which general entity/country is likely the recipient.

        If there is a very high probability that the ransom payment would end up in Russia, then that is enough incentive to prevent victims from playing Russian Roulette with sanction violation fines.

        1. Rob Shein

          I can confirm all of this. The simplest way to explain it is this:
          -OFAC can designate a person by legal name or alias, or an organization.
          -Paying money to that person or group, by any means or by any other name, is illegal.
          -It doesn’t matter how you send the money, the path it takes between you and them, or how they receive it…it’s the act of paying them that is illegal.

          There is an affirmative defense if you didn’t know who you were actually paying. But it’s an affirmative defense…which means the burden of proof is upon you to demonstrate that you didn’t know. And if you’re paying a ransomware fee I think you’ll have an uphill battle to prove that you were absolutely certain (incorrect as you may have been) that it wasn’t Conti…especially since the malware itself and the wallet(s) would likely be publicly identified as being theirs. (Yes, you might not have looked into it, either…but having that admission on the public record won’t look particularly good for your company, either.)

          That said, ransomware actors have been sanctioned by OFAC before and it hasn’t done much. There was some reporting about how paying a ransom might lead to criminal prosecution, sure. But the optics of the FBI arresting a ransomware victim for doing the same thing that most businesses do under the same circumstances are not great, and I am unaware of any arrests or prosecutions.

          1. JamminJ

            I’ve seen the previous reporting threatening fines, but no threats of criminal prosecution or arrests for being a victim and paying a sanctioned entity. “OFAC may impose civil penalties for sanctions violations based on strict liability”. For the FBI to indict a victim under criminal law, they would need to prove conspiracy, not just cooperation.

            I agree that existing OFAC sanctions against cyber crime actors, such as Lazarus and Evil Corp, has not done much. But I think we must reach a minimum threshold of ransomware groups. If 1% of ransomware is coming from a sanctioned group, companies will take their chances and pay.
            If/when all Russian cyber crime groups are added to the SDN, then it will be a HIGH RISK for a business to pay. Medium and large companies have people designated to evaluate risk. For years, they have seen that reputational risk and the costs to recover operations without paying for a decryption key, far outweigh the small chance of being caught paying a sanctioned entity. It was unprecedented that OFAC goes after a victim of ransomware.
            Once a significant number of ransomware groups are sanctioned, and OFAC files its first civil action, the risk profile flips. The sanctions will be effective then.

  3. PHP

    Forbidding companies to pay ransom, making it equivalent to fund terror organizations, and it would stop.
    Throw a few CEOs in jail and it will quickly stop. Fine them twice the fee paid to lower the fee.
    Of course, disallowing any tax deductions would help a little as well / lowering the amount.

  4. Hunter Biden

    Hay.. this yor boy Hunter, the prez son and wh artist in residence. Anyone setup NFTs for my art work? Looking for alternative funding sources since my bros in Russia and Uk are tied up, my monthly stipends are not coming through. Also looking for introductions to Disney mgmt so I can pitch being an NFT agent for their movie cell art, ping me

  5. Donald Trump Jr.

    Hay.. this yor boy DJTJ, the prez son and wh artist in residence. Anyone setup NFTs for my art work? Looking for alternative funding sources since my bros in Russia and Uk are tied up, my monthly stipends are not coming through. Also looking for introductions to Disney mgmt so I can pitch being an NFT agent for their movie cell art, ping me

  6. Christoph

    Pardon my ignorance, but:
    “That is, a victim can send some money to a smart contract with a guarantee that they will either receive the decryption key to their data or get their money back. The victim does not have to trust the person who hacked their computer because they can verify that the smart contract will fairly handle the exchange.”

    How exactly does this guarantee that what the smart contract releases to the payer is actually a working decryption key, not not an ASCII-file just reading “You have been had, sucker”?

    1. Matt

      For that you’d need a proof the object is the decryptor key. If it’s not on a blockchain, you could work out some ZK proof I’m sure.

      Still, there are problems using blockchains for this purpose. You can’t really hide data in smart contracts. Everything is public and visible, you’d have to make it call to some third party service that is hiding the decryptor. The public nature of blockchains prevents you from hiding the result of a smart contract.

    2. botmando

      I don’t believe this is ignorance at all. Send them 256 characters of gibberish. No one outside of technology would know better. My thoughts mirrored yours when I read those lines.

Comments are closed.