Conti Ransomware Gang Chats Leaked After Pro-Russia Threats
The Conti ransomware operation faced a major internal data leak after publicly backing Russia during the invasion of Ukraine and warning it would use its “full capacity” to retaliate against Western cyberattacks on Russian critical infrastructure. Researchers and media reports said activists released roughly 60,000 internal messages, reportedly from the gang’s Jabber server, exposing more than a year of conversations and offering an unusually detailed view into one of the most prolific ransomware groups tied to Russia.
The leaked chats were described as shedding light on Conti’s internal structure, tactics, and past operations, including activity linked to high-profile incidents such as the attack on Ireland’s public health service. Reporting also highlighted Conti’s use of the ProxyShell exploit in attacks against healthcare targets and the deployment of scripts to disable Windows Defender before encryption. The fallout appeared to ripple across the cybercrime ecosystem, with rival ransomware group LockBit publicly distancing itself from geopolitics and emphasizing that it was motivated by profit rather than allegiance to any state.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers report Conti resumed operations after leak disruption
By early March, multiple security firms assessed that the Conti ransomware gang had quickly recovered from the late-February chat leaks and was again conducting breaches, phishing activity, command-and-control operations, and posting new victim data. Analysts said the leak caused only brief disruption and was unlikely to dismantle the group without law enforcement action.
Second leak exposes Conti ransomware source code and tools
A follow-on leak exposed screenshots of Conti storage servers, the BazarBackdoor API, and the source code for the gang's ransomware encryptor, decryptor, and builder. The disclosure reportedly occurred after a password-protected archive was cracked, expanding the earlier leak beyond internal chat logs.
Researchers begin analyzing leaked Conti chats
Security researchers and vendors began reviewing the leaked chat archive and publishing early findings about Conti's structure, tactics, and operations. The disclosures highlighted the leak's significance for understanding the ransomware group's internal workings.
Activists leak Conti's internal chat logs
After Conti's pro-Russia statement, activists leaked roughly 60,000 internal Conti messages, reportedly from Jabber and spanning about 13 months. Researchers said the leak offered rare insight into the gang's internal operations and past attacks.
Conti threatens retaliation over cyberattacks on Russia
Conti published a statement warning it would use its "full capacity" to retaliate if the US or its allies launched cyber operations against Russia or targeted Russian critical infrastructure during the Ukraine conflict. The group also said it was not formally allied with the Russian government while signaling support for Russia.
Sources
11 references tracked. Mallory keeps watching after this page renders.
‘I can fight with a keyboard’: How one Ukrainian IT specialist exposed a notorious Russian ransomware gang | CNN Politics
cnn.com
Open sourceRansomware gang Conti has already bounced back from damage caused by chat leaks, experts say | CyberScoop
cyberscoop.com
Open sourceConti ransomware gang's source code leaked
theregister.com
Open sourceConti Ransomware Group Internal Chats Leaked | Rapid7 Blog
rapid7.com
Open sourceConti ransomware's internal chats leaked after siding with Russia
bleepingcomputer.com
Open sourceConti ransomware group announces support of Russia, threatens retaliatory attacks | CyberScoop
cyberscoop.com
Open sourceConti Ransomware Group Warns Retaliation if West Launches Cyberattack on Russia - CNET
cnet.com
Open sourceConti Ransomware Gang Internal Chats Leaked by Ukraine Security Researcher
bitdefender.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Conti Ransomware Syndicate Dismantles Brand and Splinters Into Smaller Operations
The **Conti** ransomware syndicate took key parts of its digital infrastructure offline, including sections of its leak site, victim negotiation portal, and internal systems, in what researchers described as a deliberate reorganization rather than a direct law-enforcement takedown. Security firms and reporting tied the move to mounting pressure after a pro-Ukraine insider leaked Conti’s internal chats and tools, exposing the group’s structure, workflows, and links to Russia. The leaks followed Conti’s public declaration of support for Russia after the invasion of Ukraine, a stance that triggered internal backlash and gave investigators an unusually detailed view into one of the world’s most prolific ransomware operations. Researchers said Conti’s shutdown did not mark the end of its activity but a **rebranding and dispersal of personnel** into smaller, harder-to-track units and other extortion groups, including operations such as **ALPHV/BlackCat**. Subsequent reporting indicated former Conti members continued to repurpose the gang’s tooling in campaigns tied to Ukraine, including lures exploiting the **Follina** vulnerability and impersonation themes involving Elon Musk. The episode also underscored why sanctions and disruption efforts struggle to permanently dismantle ransomware groups: even when a major brand collapses, its operators, malware, and playbooks often persist across successor crews.
May 25, 2026
Conti Developer Pleads Guilty for Role in Global Ransomware Campaign
Ukrainian national **Oleksii Oleksiyovych Lytvynenko** pleaded guilty in U.S. federal court to **conspiracy to commit wire fraud** for his role in the **Conti** ransomware operation, one of the most prolific cybercrime campaigns tracked by U.S. authorities. Prosecutors said Lytvynenko joined Conti by September 2021, helped develop a malware loader used to gain initial access to victim networks, and possessed data stolen from 12 victims, including eight in the United States. He was arrested in Ireland in July 2023, extradited to the United States in October 2025, and now faces up to **20 years in prison**, with sentencing scheduled for September 2026. The Justice Department said Conti targeted more than **1,000 victims** across **47 U.S. states**, Puerto Rico, Washington, D.C., and about **31 countries**, extorting more than **$150 million** in ransom payments. In one part of the case, prosecutors said Lytvynenko and co-conspirators collected about **$634,000 in Bitcoin** from two Tennessee victims and leaked stolen data from another Tennessee organization after a **$3 million** ransom demand was rejected. The plea comes as U.S. authorities continue pursuing other alleged Conti members; earlier indictments also tied the group’s breakup to successor operations including **Black Basta**, **Quantum**, **Royal**, and **BlackSuit**.
Jun 15, 2026
Moscow Man Accused of Impersonating FSB Officer to Extort Conti Ransomware Group
Russian media reporting cited by multiple outlets says Moscow resident **Ruslan Satuchin** has been accused of attempting to extort money from the **Conti** ransomware group by posing as an officer of Russia’s **Federal Security Service (FSB)**. The alleged scheme began in **September 2022**, when Satuchin reportedly contacted a Conti member and claimed he could influence law-enforcement activity targeting the gang, demanding payment in exchange for avoiding prosecution; Satuchin has denied wrongdoing. Authorities reportedly sought to keep Satuchin in **pre-trial detention** over concerns including potential witness intimidation, and he could face up to **10 years in prison** and a fine if convicted. The reporting also reiterates Conti’s history as a major ransomware operation that extorted governments, businesses, and healthcare organizations, and notes that the group’s internal operations and apparent avoidance of Russian targets were widely exposed after **leaked Conti chat logs and materials** surfaced in 2022.
Mar 21, 2026