Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
View Regular
Jack Cable Profile picture
Jack Cable
@jackhcable
Ethical hacker. CEO & Co-founder @Corridor. Prev @CISAgov @Stanford

May 5, 2023, 12 tweets

Excited to share new research with Ian Gray, Ben Brown, Vlad Cuiujuclu and Damon McCoy.

This is the first in-depth peer-reviewed research into the Conti leaks. We mapped over $80 million in new payments to Conti.

Read the paper:

Some takeaways 🧵 arxiv.org/abs/2304.11681

This paper was published as part of the APWG Symposium on Electronic Crime Research, for which we received the best paper award.

In February 2022, over 168,000 internal chat messages of the Conti ransomware group were leaked. Conti is one of the most prominent ransomware groups of all time. We sought to build a picture of Conti's (quite profitable) business based on on-chain analysis of Bitcoin payments.

To do so, we manually annotated all 666 Bitcoin addresses present in the leaks based on message context (our team included a native Russian speaker).

We tag addresses as either a salary, reimbursement, or ransom payment address.

We then used Crystal Blockchain to track destinations and origins of payments. Notably, a large portion of salary payments went to "low risk exchanges" -- exchanges that adhere to Know Your Customer requirements, which may present an opportunity to identify ransomware affiliates.

Given the public nature of Bitcoin and that Conti rarely used mixers, this gave an opportunity to track back victim payments. Since salary payments almost always originate from victim payments, we leveraged Blockchain data to identify victim payments based on 3 criteria:

An address:
1. Sent money (directly or indirectly) to an address in the leaked dataset
2. Exhibited splitting behavior consistent with documented affiliate splits.
3. Had received more than 99% of its funds from a low risk exchange, where victims would most likely send money from

We validated this criteria with the @ransomwhere_ dataset (), where 17 of 32 known Conti payment addresses exhibited splitting behavior with affiliates. Others have also documented Conti's splitting behavior: ransomwhe.re
elliptic.co/blog/conti-ran…

We ultimately identified over $80M in new victim payments to Conti -- over five times as much in previous public datasets. We have published this data at and on . github.com/cablej/conti-p…
ransomwhe.re

This allowed us to construct a balance sheet for Conti. While this likely doesn't encapsulate all payments, it gives us a good sense of Conti's profitability.

We also built a picture of Conti's org chat and recruitment structure. Conti operated much like any other business, with robust HR teams, recruitment strategies, and management.

There's a lot more in the paper, which you should read!

And thanks to tremendous collaborators Ian Gray, Ben Brown, Vlad Cuiujuclu and Damon McCoy on the paper, and to Crystal Blockchain for providing access for academic research.arxiv.org/pdf/2304.11681…

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling