
For months, members of Conti, among the most ruthless of the dozens of gangs in existence, bragged about publicly sharing the data they stole from the victims they hacked. Now, members are learning what it's like to be on the receiving end of a major breach that spills all their dirty laundry, not just once, but repeatedly.

The leaks began on Sunday when a new account called "ContiLeaks" began posting links to internal chat messages that members had sent among themselves.

The new messages were published two days later.

Burn it to the ground

On Wednesday, there were more leaked chats. The latest dispatch carried dates from Tuesday and Wednesday, indicating that the leaker continued to have access to the gang's internal server.

In a Wednesday message to a gang colleague named Green, a Conti worker called Tort wrote, "Hello, how are things with us?" The message reported that someone had deleted all the farms with a shredder and cleaned the server in order to prevent the leaks from exposing members to law enforcement investigators around the world.

The leak was motivated at least in part to respond to a statement posted to the dark web that group members.

The founder of the Milwaukee-based cyber intelligence firm Hold Security has reported that the person behind ContiLeaks is a Ukrainian security researcher. The leaker is thought to be a Ukrainian employee or business associate of a Russian leader, who broke with the group over its support for the Kremlin.


The leaks cover almost two years of the group's inner workings. On September 22, 2020, for instance, a leader of the crime group using the handle Hof revealed that something appeared to be wrong with a for-rent botnet that the gang used to deploy its software.

Hof wrote that whoever had made "this garbage" had done it very well: someone had installed an implant that would cause infected machines to be disconnected from the command-and-control server, and had uploaded the config to the admin panel with an encoder and private key. He added that it was just some kind of sabotage.

There will be panic... and groveling

The Washington Post reported that the sabotage was carried out by US Cyber Command, an arm of the Department of Defense that is headed by the director of the National Security Agency.

The network of infected systems that Conti members attempted to rebuild in late October included 428 medical facilities in the US. The leadership decided to use the opportunity to restart the group's operations by using its software to attack health care organizations that were affected by the global pandemic.

A manager with the handle Target wrote on October 26, 2020, "Fuck the clinics in the USA this week," noting that there were 428 hospitals.

The chat logs analyzed by KrebsOnSecurity show workers complaining about low pay, long hours, and bureaucratic inefficiencies.

On March 1, 2021, a low-level employee named Carter reported to superiors that the fund used to pay for new servers and domain registrations was short by over $1,000.

Carter was groveling again eight months later.

Carter wrote that they were out of bitcoin, that a $960 renewal payable in bitcoin was due in two weeks, and asked that some bitcoin be sent to the wallet.