Four days into Russia’s invasion, the researcher began publishing the biggest leak ever of files and data from Conti, a syndicate of Russian and Eastern Europe cybercriminals wanted by the FBI for conducting attacks on hundreds of US organizations and causing millions of dollars in losses.
The thousands of internal documents and communications include evidence that appears to suggest Conti operatives have contacts within the Russian government, including the FSB intelligence service. That supports a longstanding US allegation that Moscow has colluded with cybercriminals for strategic advantage.
The Ukrainian computer specialist behind the leak spoke exclusively to CNN and described his motivation for seeking revenge after Conti operatives published a statement in support of the Russian government immediately after the invasion of Ukraine. He also described his desperate efforts to track down loved ones in Ukraine in recent weeks.
To protect his identity, CNN agreed to refer to him by a pseudonym: Danylo.
“I cannot shoot anything, but I can fight with a keyboard and mouse,” Danylo told CNN.
The trove of data Danylo leaked in late February illustrates why cybersecurity has been such a fraught issue in US-Russia relations. It includes cryptocurrency accounts the Conti hackers used to allegedly reap millions of dollars in ransom payments, their discussions of how to extort US companies and their apparent targeting of a journalist investigating the poisoning of Kremlin critic Alexey Navalny.
But it also shows how hard it can be to disable ransomware operations. Despite Danylo unmasking their operations, the hackers continue to announce new victim organizations.
Danylo, who has worked as a cybersecurity researcher for years and studied the underground cybercriminal economy in Europe, is just one vigilante in a shadow war that has emerged between hackers and cybersecurity executives who have pledged support for the Ukrainian and Russian governments as the biggest land war in Europe since World War II drags on.
But by disrupting a group as notorious as Conti, Danylo has gained more attention than others. The FBI, Danylo said, contacted him after he began to leak the Conti files, asking him to stop leaking.
The FBI declined to comment.
CNN corroborated Danylo’s claim that he was the leaker by reviewing evidence that he had access to the Twitter account that was publishing the Conti data, as well as a website that Danylo and another person, who was granted anonymity for their protection, were using to share data contained in the leaks.
Danylo hasn’t spoken with the media about his motives — until now. He did so while navigating a war-ravaged country he had only recently returned to and could hardly recognize.
“It’s my country,” he said in a phone interview. “If they [the Ukrainian government] provide me weapons, OK, I’ll go fight. But I’m better at typing.”
Danylo claims that he first gained access to computer systems used by what would become the Conti syndicate in 2016. Though he declined to explain in detail how he did this, independent security experts have verified to CNN the dataset belongs to the hackers. (Conti is both the name of malicious software and the cybercriminal syndicate that uses it. The group is also affiliated with TrickBot, another hacking tool used in numerous ransomware attacks.)
“Sometimes they make mistakes,” Danylo said, referring to ransomware groups. “You need to catch them when they make a mistake. I just was in the right place at the right time. I was monitoring them.”
For years, Danylo said, he quietly lurked on the hackers’ computer servers and would pass along information on the group’s operations to European law enforcement officials.
Conti ransomware has been rampant in the last two years, with the hackers claiming numerous victims a week.
In September 2020, the hackers claimed to have stolen case files from a district court in Louisiana. In March 2021, Conti ransomware was used in a hack that hobbled the computer networks of Ireland’s $25 billion public health system, disrupting a maternity ward in Dublin.
The dark work was lucrative: hackers using the Conti ransomware received at least $25.5 million in ransom payments in the span of just four months in 2021, according to Elliptic, a firm that tracks cryptocurrency transactions.
But something snapped in Danylo on February 25, 2022, when Conti operatives published a statement pledging their “full support” for the Russian government as it attacked Ukraine.
A Russian airstrike had landed not far from a family member’s house. The cybersecurity researcher grew up in Ukraine when it was part of the Soviet Union. He didn’t want to see it slip back into Russian hands.
Conti members tried to walk their statement back, claiming they weren’t supporting any government, but Danylo had heard enough.
Asked again why he dumped the Conti data, Danylo said with a laugh: “To prove that they are motherf**kers.” He was exhausted from a long day navigating military checkpoints in Ukraine, on the hunt for cigarettes and looking to the sky for signs of the next air raid.
Contacted by the FBI
Conti is exactly the type of prolific ransomware group that President Joe Biden last year exhorted Russian President Vladimir Putin to bring to heel amid a spate of attacks on US critical infrastructure.
The Kremlin appeared to dangle the prospect of collaborating with the US to combat cybercrime this January, when the Russian FSB intelligence agency announced the arrest of multiple accused cybercriminals. But the chances of bilateral cooperation on cybercrime have dimmed following the Russian invasion of Ukraine, which has killed more than 1,000 civilians, according to the United Nations, and made Putin an international pariah.
After he started leaking the data, Danylo said, an FBI special agent contacted him and asked him to stop. Exposing Conti infrastructure could, in theory, make it more difficult for the FBI to track the group because it might set up new computer systems.
Danylo has stopped leaking for now. But he says he still has access to some Conti computer systems.
At least one law enforcement official who spoke to CNN would have preferred that Danylo had maintained that covert access, rather than alert the ransomware syndicate to his presence by leaking the data.
“Publicly releasing information like [the leaker did] is reckless,” a US law enforcement official told CNN. “Working cooperatively with law enforcement can achieve a more substantial and lasting impact in disrupting the operations of groups like Conti.”
But John Fokker, a former cybercrime investigator with the Dutch police, said the leak could actually be useful to cops chasing cyber crooks.
“Yes, infrastructure can be burned. However, the amount of data provided in the leaks make me confident that law enforcement got the information they need to write indictments on key individuals,” said Fokker, who works closely with European law enforcement as head of cyber investigations at security firm Trellix.
A catalog of misdeeds
The Conti leaks are a startling catalog of the alleged misdeeds of a multimillion-dollar criminal enterprise.
CNN evaluated and translated the original cache of documents that Danylo shared with the world via Twitter.
The communications show Conti members, each going by aliases in the chat logs, discussing the wisdom of extorting US small businesses, seemingly refraining from hacking Russian targets, and taking an interest in a journalist writing about Navalny, the Russian opposition figure who has been jailed and poisoned.
In April 2021, Conti members “mango” and “johnyboy77” discussed plans to access files belonging to a journalist for investigative outlet Bellingcat, which had published a joint investigation with CNN in December 2020 on the alleged role of the Russia’s FSB intelligence agency in the poisoning of Navalny.
“Bro, don’t forget about Navalny, I flagged it to the boss — he’s waiting for details,” mango wrote to johnyboy77 in Russian.
It’s unclear who “the boss” is in this exchange. But Christo Grozev, Bellingcat’s lead Russian investigator, tweeted that the leaked chat corroborated an anonymous tip that Bellingcat received stating that a “‘global cyber crime group acting on an FSB order has hacked one of your contributors.'”
Conti operatives refer in their chats to Liteyny Avenue in St. Petersburg, which happens to be home to local FSB offices, according to Kimberly Goody, director of cyber crime analysis at security firm Mandiant.
“Generally speaking, it would be relatively unsurprising to learn that an operation as extensive as this would not in some way be leveraged as an asset [by the Russian government] at a point in time,” Goody told CNN.
The Russian Embassy in Washington did not respond to a request for comment. The Russian government has long denied accusations that it turns a blind eye to cybercrime.
There also appears to be a correlation between the Conti leaks and public warnings from US cybersecurity officials, suggesting that federal authorities have been closely watching the group.
On October 26, 2020, as US hospitals continued to reel from coronavirus cases, a Conti member with the alias Troy wrote to another member in Russian: “F**k clinics in the USA this week … There will be panic. 428 hospitals.”
Two days later the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) issued a dire warning about ransomware attacks on hospitals, many of which used a piece of malicious software that the leaked documents tie to Conti operatives. It was unclear what specific intelligence prompted the federal warning about the hospitals, but the timing was striking.
‘It’s my work’
Cyberattacks have played a supporting role in the war in Ukraine. The White House has accused the Russian GRU military intelligence agency of knocking key Ukrainian government websites offline prior to the invasion. (A charge the Kremlin denies.) US officials are also investigating a hack of a satellite network serving parts of Ukraine, which occurred as the Russian invasion began, as a potential Russian state-sponsored hack, CNN previously reported.
For its part, the Ukrainian government has encouraged an “IT army” of volunteer hackers in Ukraine and abroad to conduct cyberattacks on Russian organizations.
In the free-for-all that is Ukrainian cyberspace, combatants like Danylo engage on their own terms.
Asked how he’s been in recent days, Danylo’s replies have been consistent: “Still alive.”
Seeing houses and schools turn to rubble has drained the vigor from his voice.
Danylo recalled, in the early days of the war, going into a bunker during a bombing raid, with his laptop, and working on the Conti files. Another person in the bunker was mystified that he was focused on his computer amid the shelling.
“What the f**k are you doing?” Danylo recalled the person asking him.
Danylo laughed nervously as he told the story. “It’s my work,” he told CNN. “[I do it] because I can.”
After weeks of living the war, Danylo told CNN he slipped safely out of Ukraine with his laptop this week.
After weeks of living the war, Danylo told CNN he slipped safely out of Ukraine with his laptop this week.