Cryptocurrency – Krebs on Security

Three stories here last week looked at several years of internal chat records stolen from the Conti ransomware group, the most profitable ransomware gang in operation today. The candid messages revealed how Conti evaded law enforcement and intelligence agencies, what a typical day at Conti’s office was like, and how Conti secured the digital weapons used in their attacks. This latest article on Conti’s Conversations explores different schemes that Conti has pursued to invest in and steal cryptocurrencies.

When you might be the most successful ransomware group around, Conti earned $180 million last year in extortion payments, far more than any other criminal group, according to On-chain analysis – you tend to have a lot of digital currency like Bitcoin.

This wealth allowed Conti to do things that regular investors couldn’t, like move the price of cryptocurrencies in one direction or the other. Or build a cryptocurrency platform and seed it with tons of ill-gotten crypto from ghost investors.

One Conti top manager — aptly named”Back“Because he endlessly needled Conti underlings to complete their assigned tasks, he was obsessed with creating his own encryption scheme for cross-platform blockchain applications.

“I’m hooked right now, I’m into trading, challenge, blockchain, new projects,” Stern said.A fit of rageon November 3, 2021. “Big companies have too many secrets they cling to, thinking that’s their main value, those patents and that data.

In a thread that spanned several months in Conti’s internal chat room, Stern said the plan was to create their own crypto universe.

“Like Netherium, Polkadot and Binance smart chain etc,” Stern wrote. “Does anyone know more about this? Study the above systems, code and working principles. To build our own, where it will already be possible to plug in NFT, DEFI, DEX and all new trends who are and will be.For others to create their own coins, exchanges and projects on our system.

It appears that Stern paid several developers to pursue the idea of ​​creating a peer-to-peer (P2P) based system for “smart contracts” – programs stored on a blockchain that run whenever conditions arise. predetermined are met.

It’s unclear in what context the Conti gang became interested in smart contracts, but the idea of ​​a ransomware group insisting on payments through smart contracts isn’t entirely new. In 2020, researchers from Athens University School of Information Science and Technology in Greece showed (PDF) how ransomware-as-a-service offerings could one day be executed through smart contracts.

Before that, Jeffrey Ladishan information security consultant based in Oakland, Calif., has written a two-part analysis on why smart contracts will make ransomware more profitable.

“Using a smart contract, an operator can confidently sell their victims a decryption key for money,” Ladish wrote. “That is, a victim can send money to a smart contract with the guarantee that they will either receive the decryption key to their data or get their money back. The person who hacked into their computer should not be trusted because they can verify that the smart contract will handle the exchange fairly.

Conti’s employee”Van” seems to have taken the lead on the P2P encryption platform, which he said was developed using the Rust programming language.

“I’m trying to build a p2p network in Rust,” Van told a colleague.Devilon February 19, 2022. “I’m sorting it out and I’ve already started writing code.

“It’s cool that you like Rust,” Demon replied. “I think it will help us with smart contracts.”

Stern apparently believed in his crypto dreams so much that he sponsored a $100,000 article-writing contest on the Russian-language cybercrime forum Exploit, asking interested applicants to come up with various ideas for crypto platforms. These contests are an easy way to purchase intellectual property for ongoing projects, and they are also effective recruiting tools for cybercriminal organizations.

“Cryptocurrency Article Contest! [100.000$]Conti’s middle manager “Mango” wrote to boss Stern, copying the title of the Exploit forum post. “What are you doing here…”

A few days later, Mango reports to Stern that he has “prepared everything for both the social network and the articles for the crypto competitions”.


On June 6, 2021, Conti underling “Begemot” Stern launched on a scheme to scam a group of people mining virtual currencies, by launching distributed denial of service (DDoS) attacks against a cryptocurrency mining pool.

“We find young forks on exchanges (those that can be exploited), analyze their infrastructure,” Begemot wrote.

Begemot continues:

“Where are the servers, nodes, capitalization, etc. Find a place where crypto holders communicate (discord, etc.). Let’s find out the IP address of the node. Most likely it will be IPv6. We start We fly in the chat we found earlier and write that there are problems, the crypt is not displayed, operations are not performed (because the crypt depends on mining, it There will really be trouble). Holders start to get nervous and withdraw the main balance. The crypto drops in price. We buy low. We release ddos. The crypto grows again. We gain. Or some variation of a letter to the creators about the possibility of a ransom if they want the ddos ​​to end.Among the main pain points is the implementation of Ipv6 DDoS.

Stern replies that it’s a great idea and asks Begemet to explain how to identify the target’s IP address.


It seems that Conti was involved in “SQUIDa new cryptocurrency that turned out to be a giant social media scam that brought in millions of dollars for fraudsters. On October 31, 2021, Conti member “Phantomsent a message to his colleagues that a big “pump” program to earn money was going to start in 24 hours. In crypto-based scams, conspirators use misleading information to inflate the price of a currency, after which they resell it for a profit.

“The big day has arrived,” Ghost wrote. “There are 24 hours left until the biggest pump signal ever! The goal this time will be around 400% gain, maybe even more. We will aim for a volume of 100 million dollars. With the bull market in full effect and high volumes, the chances of hitting 400% profit will again be very high. We will do everything in our power to make sure we achieve this goal, if you missed our previous big hit pumps, this is also the one you won’t want to miss. A massive pump is about to start in just 24 hours, be ready.

Ghost’s message does not mention which crypto platform would be targeted by the scam. But the timing lines up with a pump-and-dump run against the SQUID cryptocurrency (supposedly inspired by the popular South Korean Netflix series). SQUID was first offered to investors on October 20, 2021.

The now defunct SQUID cryptocurrency scam website.

As Gizmodo First reported on November 1, 2021, just before the scam, SQUID was trading at just one cent, but within a week its price had jumped to over $2,856.

Gizmodo called the scam a “carpet pull,” which occurs when the promoter of a digital token attracts buyers, halts trading activity, and runs off with the money raised from the sales. The SQUID developers earned around $3.38m (£2.48m).

“The SQUID crypto coin launched last week and came with many red flags, including a three-week-old website filled with bizarre spelling and grammatical errors,” Gizmodo said. Matt Novak wrote. “The website, hosted at, is gone, along with all other social media presences set up by the scammers.”

Jennifer C. Burleigh