Moscow Man Accused of Impersonating FSB Officer to Extort Conti Ransomware Group
Russian media reporting cited by multiple outlets says Moscow resident Ruslan Satuchin has been accused of attempting to extort money from the Conti ransomware group by posing as an officer of Russia’s Federal Security Service (FSB). The alleged scheme began in September 2022, when Satuchin reportedly contacted a Conti member and claimed he could influence law-enforcement activity targeting the gang, demanding payment in exchange for avoiding prosecution; Satuchin has denied wrongdoing.
Authorities reportedly sought to keep Satuchin in pre-trial detention over concerns including potential witness intimidation, and he could face up to 10 years in prison and a fine if convicted. The reporting also reiterates Conti’s history as a major ransomware operation that extorted governments, businesses, and healthcare organizations, and notes that the group’s internal operations and apparent avoidance of Russian targets were widely exposed after leaked Conti chat logs and materials surfaced in 2022.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Russian authorities accuse Satuchin in Conti extortion case
By late February 2026, Russian authorities had accused Ruslan Satuchin of attempting to extort the Conti ransomware gang by posing as an FSB officer. He denied wrongdoing and was reported to be in pre-trial detention in Moscow, with investigators arguing detention was needed to prevent possible witness intimidation.
US and UK sanction and identify Conti-linked individuals
In 2023, the United States and the United Kingdom publicly named and sanctioned key individuals linked to the Conti ransomware operation. The action marked a formal government response targeting people associated with the group.
Satuchin allegedly contacts Conti member posing as FSB officer
According to Russian media reports, Moscow resident Ruslan Satuchin allegedly began an extortion scheme in September 2022 by contacting a Conti ransomware member while impersonating an officer of Russia’s FSB. He allegedly demanded payment in exchange for protection from criminal consequences and claimed influence over law enforcement investigations.
Conti internal leaks expose the group's operations
In 2022, a pro-Ukraine researcher published Conti chat logs, source code, and infrastructure documents, exposing the ransomware group's internal operations. The leaks reinforced suspicions that Conti avoided Russian targets and had ties aligned with Kremlin interests, contributing to the group's later collapse.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Notorious ransomware gang allegedly blackmailed by fake FSB officer
bitdefender.com
Open sourceExtorting the Extorters? Moscow man accused of posing as FSB officer to extort Conti ransomware gang - DataBreaches.Net
databreaches.net
Open sourceСК обвинил москвича в вымогательстве у "хакеров-патриотов" под видом ФСБ - РБК
rbc.ru
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Conti Developer Pleads Guilty for Role in Global Ransomware Campaign
Ukrainian national **Oleksii Oleksiyovych Lytvynenko** pleaded guilty in U.S. federal court to **conspiracy to commit wire fraud** for his role in the **Conti** ransomware operation, one of the most prolific cybercrime campaigns tracked by U.S. authorities. Prosecutors said Lytvynenko joined Conti by September 2021, helped develop a malware loader used to gain initial access to victim networks, and possessed data stolen from 12 victims, including eight in the United States. He was arrested in Ireland in July 2023, extradited to the United States in October 2025, and now faces up to **20 years in prison**, with sentencing scheduled for September 2026. The Justice Department said Conti targeted more than **1,000 victims** across **47 U.S. states**, Puerto Rico, Washington, D.C., and about **31 countries**, extorting more than **$150 million** in ransom payments. In one part of the case, prosecutors said Lytvynenko and co-conspirators collected about **$634,000 in Bitcoin** from two Tennessee victims and leaked stolen data from another Tennessee organization after a **$3 million** ransom demand was rejected. The plea comes as U.S. authorities continue pursuing other alleged Conti members; earlier indictments also tied the group’s breakup to successor operations including **Black Basta**, **Quantum**, **Royal**, and **BlackSuit**.
Jun 15, 2026
Conti Ransomware Gang Chats Leaked After Pro-Russia Threats
The **Conti** ransomware operation faced a major internal data leak after publicly backing Russia during the invasion of Ukraine and warning it would use its “full capacity” to retaliate against Western cyberattacks on Russian critical infrastructure. Researchers and media reports said activists released roughly **60,000 internal messages**, reportedly from the gang’s Jabber server, exposing more than a year of conversations and offering an unusually detailed view into one of the most prolific ransomware groups tied to Russia. The leaked chats were described as shedding light on Conti’s internal structure, tactics, and past operations, including activity linked to high-profile incidents such as the attack on Ireland’s public health service. Reporting also highlighted Conti’s use of the **ProxyShell** exploit in attacks against healthcare targets and the deployment of scripts to disable **Windows Defender** before encryption. The fallout appeared to ripple across the cybercrime ecosystem, with rival ransomware group **LockBit** publicly distancing itself from geopolitics and emphasizing that it was motivated by profit rather than allegiance to any state.
May 26, 2026
Latvian Karakurt Negotiator Sentenced for Conti-Linked Ransomware Extortion
A U.S. court sentenced Latvian national **Deniss Zolotarjovs** to **102 months in prison** for his role in a Russia-linked ransomware and data-extortion organization run by former **Conti** members and operating under brands including **Karakurt**, **Royal**, **TommyLeaks**, **SchoolBoys Ransomware**, and **Akira**. Prosecutors said Zolotarjovs acted as a primary negotiator and extortion specialist from June 2021 to August 2023, researching victims, analyzing stolen data, setting ransom pressure points, and taking a share of proceeds. He was arrested in Georgia in December 2023, extradited to the United States in August 2024, and later pleaded guilty to conspiracy to commit **wire fraud** and **money laundering**. The Justice Department said the group targeted more than **54 companies**, collected roughly **$15 million to $16 million** in confirmed ransom payments, and caused at least **$56 million** in documented losses across 13 victims, with total damage likely reaching **hundreds of millions of dollars**. Authorities said the operation exposed highly sensitive personal data, including children’s medical records stolen from a pediatric healthcare provider that were later used to threaten victims and even sent to hundreds of patients, while another attack forced a U.S. government entity’s **911 emergency system** offline. Court filings and reporting also said the syndicate relied on front companies, corrupt contacts, and access to Russian government databases, underscoring the professionalized and well-connected structure behind the extortion campaign.
Jun 8, 2026