Rise and Fall of the Largest Cybercriminal Empire

A little over a year ago, during one of our corporate awareness sessions, a participant asked: “Who is the Sinaloa Cartel of cybercrime syndicates?” (clearly referring to the most notorious one). Our response was immediate: “Without a doubt, that would be CONTI.”

Cybercriminal empire


CONTI rose as a formidable force in cyberspace at the beginning of this decade. It was the organization to fear, responsible for some of the most impactful cyberattacks ever seen, from the takedown of Ireland’s national health service to the massive attack on the State of Costa Rica, which even led the country’s president to declare a state of war. The mere mention of its name was synonymous with chaos and digital destruction.

The group was composed mostly of Slavic members, and that shared origin reached its turning point on February 24, 2022, when Russia and Ukraine went to war. That same day, in an unprecedented move, CONTI publicly declared its support for Russia, identifying Ukraine (and its allies) as future targets.
The decision triggered strong rejection from the Ukrainian members of the group, who proceeded to leak internal details of the organization, releasing documents, procedures, and internal communications.

This event, known as the “CONTI Leaks,” showed for the first time the inner workings of a cybercrime syndicate.

CONTI operated with a structured departmental organization (human resources, software developers, etc.), standard eight-hour workdays, regular office schedules, and an approximate staff of around 100 employees.

The leaked information reveals routine management issues, including cases where employees were fired for “disruption of workplace discipline,” such as repeatedly being caught sleeping. Cybercriminals, yes, but apparently with a clear work ethic and professional standards.

One of the most striking details was the fear within the organization whenever a victim turned out to be a Chinese company or one carrying the corporate “OOO” designation (the equivalent of an LLC in CIS countries).

The only department outside the aforementioned work structure was the so-called “call centers,” the teams responsible for ransom negotiation with victims. They were staffed mostly by employees aged 18 to 25, with intermediate English proficiency, working from 18:00 to 23:00 GMT+3 (matching normal business hours in the Western hemisphere, for obvious reasons).

Even more remarkable: only this area and a handful of higher-level leaders were aware that they were working within a criminal organization.

Contrary to what one might imagine, most employees did not know the true nature of their employer’s business.

Ultimately, due to the leaks and the growing fear of being officially designated a terrorist organization (because of their high-profile attacks), the group ceased operations a few months later, in May 2022, almost certainly continuing under a different identity.

CONTI, a criminal syndicate of devastating power, can also claim the “achievement” of having been among the creators of the most successful model of cybercrime ever devised: RaaS (Ransomware as a Service), a model in which affiliates/mercenaries carry out the attacks, as described in previous articles.

The CONTI Leaks showed the world that cybercrime is not run by individuals in black hoodies locked in dark rooms, but rather by well-structured, highly efficient businesses… perhaps more organized than many of their victims.