Jack Cable
May 5, 2023, 12 tweets
Excited to share new research with Ian Gray, Ben Brown, Vlad Cuiujuclu and Damon McCoy.

This is the first in-depth peer-reviewed research into the Conti leaks. We mapped over $80 million in new payments to Conti.

Read the paper: arxiv.org/abs/2304.11681

Some takeaways 🧵
This paper was published as part of the APWG Symposium on Electronic Crime Research, for which we received the best paper award.

In February 2022, over 168,000 internal chat messages of the Conti ransomware group were leaked. Conti is one of the most prominent ransomware groups of all time. We sought to build a picture of Conti's (quite profitable) business based on on-chain analysis of Bitcoin payments.
To do so, we manually annotated all 666 Bitcoin addresses present in the leaks based on message context (our team included a native Russian speaker).

We tag addresses as either a salary, reimbursement, or ransom payment address.
We then used Crystal Blockchain to track destinations and origins of payments. Notably, a large portion of salary payments went to "low risk exchanges" -- exchanges that adhere to Know Your Customer requirements, which may present an opportunity to identify ransomware affiliates.
Given the public nature of Bitcoin and that Conti rarely used mixers, this gave an opportunity to track back victim payments. Since salary payments almost always originate from victim payments, we leveraged blockchain data to identify victim payments based on 3 criteria:
An address:
1. Sent money (directly or indirectly) to an address in the leaked dataset
2. Exhibited splitting behavior consistent with documented affiliate splits.
3. Had received more than 99% of its funds from a low risk exchange, where victims would most likely send money from
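A toy re-implementation of the three heuristics above, added here as an illustration and not code from the paper or its authors: the transaction graph, the "leaked" address set, the exchange set and the 80/20 and 70/30 affiliate split ratios are all constructed assumptions.

```python
# Added example (not from the paper or thread): flag candidate victim-payment
# addresses using the three criteria from the thread. Every address, amount,
# the leaked set, the exchange set and the split ratios are constructed/assumed.
from collections import defaultdict

# Constructed transaction graph: (sender, receiver, amount in BTC).
TXS = [
    ("exch_A", "victim1", 10.0),       # victim buys BTC at a KYC exchange
    ("victim1", "affil1", 8.0),        # 80/20 split to affiliate and core
    ("victim1", "core1", 2.0),
    ("affil1", "leak_salary1", 1.0),   # salary address annotated from the leaks
    ("exch_A", "victim2", 5.0),
    ("unknown_src", "victim2", 1.0),   # >1% from a non-exchange source
    ("victim2", "affil2", 4.8),
    ("victim2", "core1", 1.2),
    ("affil2", "leak_salary1", 0.5),
    ("exch_B", "noise", 3.0),          # no split, never reaches a leaked address
    ("noise", "shop", 3.0),
]
LEAKED = {"leak_salary1"}                 # assumed leaked-dataset addresses
LOW_RISK_EXCHANGES = {"exch_A", "exch_B"}  # assumed KYC exchange addresses
SPLIT_RATIOS = ((0.8, 0.2), (0.7, 0.3))    # assumed affiliate/core split ratios

def build_graph(txs):
    out, inc = defaultdict(list), defaultdict(list)
    for s, r, amt in txs:
        out[s].append((r, amt)); inc[r].append((s, amt))
    return out, inc

def reaches_leaked(addr, out, leaked, seen=None):
    """Criterion 1: funds flow (directly or via hops) to a leaked address."""
    seen = set() if seen is None else seen
    if addr in leaked: return True
    seen.add(addr)
    return any(r not in seen and reaches_leaked(r, out, leaked, seen) for r, _ in out[addr])

def has_affiliate_split(addr, out, ratios, tol=0.02):
    """Criterion 2: outgoing funds split into two shares matching a known ratio."""
    outs = sorted((amt for _, amt in out[addr]), reverse=True)
    if len(outs) != 2 or sum(outs) == 0: return False
    return any(abs(outs[0] / sum(outs) - big) <= tol for big, _ in ratios)

def exchange_funded(addr, inc, exchanges, threshold=0.99):
    """Criterion 3: more than 99% of received funds came from low-risk exchanges."""
    total = sum(amt for _, amt in inc[addr])
    from_exch = sum(amt for s, amt in inc[addr] if s in exchanges)
    return total > 0 and from_exch / total > threshold

def candidate_victims(txs, leaked, exchanges, ratios=SPLIT_RATIOS):
    out, inc = build_graph(txs)
    addrs = {a for s, r, _ in txs for a in (s, r)} - leaked - exchanges
    return sorted(a for a in addrs if reaches_leaked(a, out, leaked)
                  and has_affiliate_split(a, out, ratios) and exchange_funded(a, inc, exchanges))
```

Only `victim1` satisfies all three criteria; `victim2` reaches a leaked address and shows the split but fails the 99% exchange-funding check, which is exactly the case the third criterion is there to exclude.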
We validated these criteria with the @ransomwhere_ dataset (ransomwhe.re), where 17 of 32 known Conti payment addresses exhibited splitting behavior with affiliates. Others have also documented Conti's splitting behavior:
elliptic.co/blog/conti-ran…
We ultimately identified over $80M in new victim payments to Conti -- over five times as much in previous public datasets. We have published this data at github.com/cablej/conti-p… and on ransomwhe.re.
This allowed us to construct a balance sheet for Conti. While this likely doesn't encapsulate all payments, it gives us a good sense of Conti's profitability.
We also built a picture of Conti's org chart and recruitment structure. Conti operated much like any other business, with robust HR teams, recruitment strategies, and management.
There's a lot more in the paper, which you should read!

And thanks to tremendous collaborators Ian Gray, Ben Brown, Vlad Cuiujuclu and Damon McCoy on the paper, and to Crystal Blockchain for providing access for academic research. arxiv.org/pdf/2304.11681…
