Internal chat logs leaked from the notorious Russian ransomware gang Conti reveal unfiltered conversations between ultranationalist hackers in which they repeat Russian President Vladimir Putin’s conspiratorial lies about Ukraine, discuss the impact of early Western sanctions against their country, and make antisemitic comments about Ukraine’s Jewish president.
The logs were leaked late last month, reportedly by a Ukrainian security researcher, after Conti publicly announced its support for Putin’s invasion of Ukraine and threatened to retaliate against any cyber warfare targeted at the Russian-speaking world. The logs span two years and multiple chat services and were released alongside training documentation, hacking tools, and source code.
The Intercept reviewed the most recent month of logs, focusing on those originating from RocketChat, a group-chat system similar to Discord or Slack, that Conti hosted on the anonymity network Tor. The messages are full of typos, slang, and a heavy use of mat — vulgar Russian profanity. We translated these messages using Google Translate and DeepL, and then a native Russian speaker manually corrected them. As with any translations, there are sometimes multiple possible interpretations, so we are making the original Russian available here. All time stamps from chat messages are in Coordinated Universal Time.
Logs of only some chat rooms appear to have been leaked. Most of the recent messages are from the #general channel, a room where the hackers candidly discussed non-ransomware topics like drug use, pornography, cryptocurrency, an obsession with investigative journalist Brian Krebs, and occasionally technical topics. While the #general channel had 160 users — Conti is a very large criminal enterprise — only a handful of these users actually posted messages during the monthlong period.
The conversations quickly turned political on February 21 when Putin announced that Russia recognized the separatist territories Donetsk and Luhansk in eastern Ukraine as independent nations, and on February 24 when Russian troops invaded Ukraine. The Russian hackers openly repeated Putin’s falsehoods as fact, such as that Ukraine is run by a “neo-Nazi junta” and that its government is seeking nuclear weapons. Members of the chat continually shared news updates that exaggerated Russia’s success so far in the war.
The chat logs also include a heavy dose of misogyny, including discussions of child sexual abuse content and jokes about rape, as well as antisemitism aimed at Ukrainian President Volodymyr Zelenskyy.
Also on February 21, Conti announced internally to its employees that the leader of the criminal enterprise had gone into hiding. While it’s unclear exactly what happened, the announcement said that “close attention to the company from the outside has led to the fact that the boss apparently decided to lay low.” It added that Conti did not have enough money to pay everyone’s salaries and asked that they take two to three months of vacation. While Conti’s active operations had ceased, the server hosting RocketChat was still up, so the conversations after that were purely about Russia’s war in Ukraine. CyberScoop this week quoted sources saying Conti recovered from the leaks and is operational.
Conti is the most successful ransomware gang in operation today. As Check Point Research has reported, the gang appears to operate much like a large corporation, with twice-monthly payroll, five-day workweeks, staggered shifts to ensure around-the-clock operation, and even physical offices. According to a 2022 report on cryptocurrency crime from the company Chainalysis, Conti extorted at least $180 million from its hacking victims last year.
Many of the victims have been in the health care sector, including Ireland’s public care system. In May 2021, in the midst of the Covid-19 pandemic, Conti encrypted data on 85,000 Irish health care computers and demanded a $20 million ransom payment in exchange for the decryptor, according to a report in CPO Magazine. Ireland’s Health Service Executive refused to pay the ransom, but it’s still costing Ireland 100 million euros to recover from the attack. The FBI also warned that Conti ransomware attacks targeted at least 16 health care networks in the United States.
Conti employees appear to be active during work hours in the Moscow time zone and all internal communication is in Russian, though some people involved don’t live in Russia. One frequent poster in the chat rooms, who goes by the username “Patrick,” appears to be a Russian citizen living in Australia. An older member of Conti is a 55-year-old Latvian woman, according to reporting by Krebs. Based on these chat logs, Conti appears to be an independent criminal enterprise without formal ties to the Russian government.
But it appears that Russian intelligence reached out to members of Conti on at least one occasion. After the ContiLeaks were published, Christo Grozev, executive director of the investigative journalism group Bellingcat, tweeted that his organization had been warned that “a global cyber crime group acting on an FSB [Russia’s security agency] order has hacked one of your contributors,” and they were looking for information about Alexey Navalny, the imprisoned Russian opposition leader. In 2020, FSB agents were implicated in a poisoning attack on Navalny.
Last year, we got an anonymous tip that "a global cyber crime group acting on an FSB order has hacked one of your contributors. The only thing they were interested on, was anything related to your @navalny investigation". We took enormous measures to upgrade our e-security (1/n) — Christo Grozev (@christogrozev), February 28, 2022
Chat logs in ContiLeaks, from a chat service called Jabber, seem to indicate that Conti was this cybercrime group, acting on an order from the FSB. A user called “Mango” told a user called “Professor” that he had encrypted chat messages from a Bellingcat journalist but didn’t know how to decrypt them. Mango pasted a snippet from a separate chat that he had with a user called “Johnyboy77,” who told him about targeting a Bellingcat journalist and mentioned “NAVALNI FSB.”
2021-04-09 18:13:13 mango: So, are we really interested in such data?
2021-04-09 18:13:24 mango: I mean, are we patriots or what?)))
2021-04-09 18:13:31 professor: Of course we are patriots
2021-04-09 18:13:49 mango: I understand. if they decipher it there – I will beacon
2021-04-09 18:14:23 mango: and I also wrote there the other day to you about the auction, but as I understand it, you are still busy and did not delve into)
2021-04-09 18:31:25 mango:
[21:21:02] <johnyboy77> in short, there is a person’s mail from bellingcat
[21:21:06] <johnyboy77> who specifically works in the RU and UA direction
[21:21:06] <johnyboy77> say so
[21:21:08] <johnyboy77> and all his passwords are
[21:21:17] <johnyboy77> and she’s still valid
[21:30:56] <mango> well, pull the correspondence, at least screen them
[21:31:05] <mango> need specifics bro what to talk about
[21:31:07] <johnyboy77> now download files
[21:31:12] <johnyboy77> NAVALNI FSB
[21:31:13] <johnyboy77> even this
[21:31:18] <johnyboy77> right now
2021-04-09 18:31:26 mango: :)
2021-04-09 18:35:42 professor: why not just dump the whole thing
The day after Russian troops began their invasion of Ukraine, Conti posted a statement on its website, a site normally used for publishing data from companies that refuse to pay ransom. Conti announced its “full support of Russian government,” and warned that if anyone attacked Russia, cyber or otherwise, they would use “all possible resources to strike back at the critical infrastructures of an enemy.”
Hours later, they tempered their statement, but many had already noticed their unequivocal support for Russia in its war against Ukraine.
When Russian soldiers invaded Ukraine on February 24, people in Conti’s #general channel began discussing the war. One member of the chat, Patrick, was by far the most swayed by Putin’s lies about Ukraine. Patrick insisted that war was inevitable because Ukraine was attempting to obtain nuclear weapons. This is false, but this conspiracy theory made up a large part of a speech Putin gave on February 21 just prior to the invasion.
2022-02-24 09:53:54 patrick: war was inevitable, ukraine made an application for nuclear weapons
2022-02-24 09:54:37 patrick: in their possession
2022-02-24 09:55:00 weldon: monkeys don’t explain things, they climb trees
2022-02-24 09:55:02 elijah: @patrick well done and done. Still, no one will ever use it. Yes, just to scare
2022-02-24 09:56:38 elijah: Look, missiles from North Korea periodically arrive in the territorial waters of the Russian Federation. But no one cares. And they have nuclear weapons, by the way. But somehow no one was alarmed
2022-02-24 09:56:47 patrick: old man, you’re wrong, there is no doubt about north korea now
2022-02-24 09:58:42 patrick: no one is happy about the war, brothers, but it is high time to put this neo-Nazi gang of Canaris’s foster kids on trial
In his speech, Putin also falsely claimed that Ukraine’s democratic government is a neo-Nazi dictatorship. Throughout the first days of fighting, Patrick repeatedly insisted that Ukraine is run by a “neo-Nazi junta.” It’s not. Ukraine does have a legitimate Nazi problem (so do the United States and Russia), but Ukrainian neo-Nazis are a small minority and don’t hold any positions in government.
Zelenskyy is Jewish. His grandfather, Semyon Ivanovich Zelenskyy, fought the Nazis during World War II. All three of Zelenskyy’s grandfather’s brothers were shot and killed by Nazi soldiers occupying Ukraine.
2022-02-24 10:01:33 patrick: Putin will answer all questions today, I hope that by the evening Kyiv will be ours
2022-02-24 10:02:47 biggie: what’s the point
2022-02-24 10:03:02 elijah: `by the evening kiev will be ours` – and??? What is the profit in this, well, besides boosting the guy’s ego and an additional reason for the quilted jackets [patriots/nationalists] to fap on the king?
2022-02-24 10:03:07 biggie: only people will die and that’s it
2022-02-24 10:05:11 patrick: the neo-Nazi junta will be liquidated and prosecuted, civilians will not suffer
In another message, Patrick says he’s not fighting in the separatist regions of eastern Ukraine because he’s in Australia, donating money to “the victims of the genocide of the neo-Nazi junta.” Putin accused Ukraine of committing genocide against Russian-speaking civilians in Donbas—this also isn’t true.
2022-02-24 11:02:25 kermit: and why are you here and not a volunteer in the DNR or LNR?
2022-02-24 11:03:34 patrick: I’m in australia helping the victims of the genocide of the neo-Nazi junta with money
2022-02-24 11:03:45 kermit: you’re hiding far away
2022-02-24 11:04:24 kermit: in any such movement you have to back it up with deeds. right now you’re just another spectator and instigator
2022-02-24 11:04:33 kermit: money is bullshit in a matter like this
2022-02-24 11:04:58 patrick: Zelia [Zelensky] is the one hiding, it’s his last day, our people are already in the suburbs of Kiev
Although Putin has justified his invasion by framing it as a war on Nazi ideology, numerous discussions in the chats point toward antisemitic sentiment within Conti. Such bigotry has been a prominent part of an ascendant far-right movement throughout the U.S. and Europe, including in Russia and Ukraine. On February 21, a user named “Weldon” pointed out that Zelenskyy is Jewish. Several others joined in with antisemitic jokes.
2022-02-21 13:03:18 weldon: Zelensky is a jew
2022-02-21 13:03:24 kermit: oh fuck
2022-02-21 13:03:26 kermit: Jews
2022-02-21 13:03:28 kermit: great
2022-02-21 13:03:31 kermit: my favorite
2022-02-21 13:03:39 weldon: that’s right, not Jewish, but a Jew
2022-02-21 13:04:26 kermit: fuck, I wish I was a jew
2022-02-21 13:04:55 kermit: just be born Jewish and you’re considered a member of a secret society and you mess up the Russians’ life
2022-02-21 13:05:46 weldon: come on. A Tatar was born – a Jew cried :joy:
2022-02-21 13:06:58 kermit: a Crimean Tatar?
2022-02-21 13:08:07 gelmut: black Crimean Tatar born in Odessa, who received Russian citizenship :-D
2022-02-21 13:09:11 weldon: obama?
2022-02-21 13:19:39 gelmut: A Jewish boy approaches his parents and says – I want to be Russian. To which the parents reply: – If you want to be Russian, you go to the corner and stand there all day without food. Half a day later, his parents ask: “How do you live as a Russian? And the boy answers: – I’ve only been Russian for two hours, but I already hate you Jews!
After Russia’s invasion was in full swing, the topic of Jews appeared again. This time, Patrick suggested that Jews ruined the Russian empire, and a user named “Biggie” said that it’s necessary to “de-Jewishize” Israel by force. “Pindo” is a slightly pejorative term for an American, and “Pindostan” is slang for the United States.
2022-02-25 09:10:45 patrick: everyone, up to and including the pindostan [America], must answer for the destruction of my homeland – the USSR, so be it
2022-02-25 09:11:53 patrick: Vinnytsia is surrounded
2022-02-25 09:14:19 biggie: that’s how sovok [Soviet Union, or Soviet nationalists] responded to the breakup of the Russian empire
2022-02-25 09:14:41 biggie: All’s fair
2022-02-25 09:15:52 angelo: wait Soviet factories were built by Americans and Europeans with the hands of our comrades. The empire was ruined by Jews with English money
2022-02-25 09:15:59 angelo: I’m getting confused who got what for what and why.
2022-02-25 09:16:38 angelo: we need Jesus, only he will judge and tell the truth, who God is for!
2022-02-25 09:16:55 angelo: @jesus !
2022-02-25 09:17:18 biggie: yeah, that means we have to conduct a military operation in Israel for de-Jewishization
Earlier in the month, the user named “Thomas” joked with the user “Angelo” that he’d be sentenced to eight years in prison for “anti-patriotism” but quickly said he was kidding. Angelo said, “I know you’re kidding. We are brothers!” Thomas made a casual Nazi joke about being Aryan brothers, adding that “the skinhead theme is my favorite.”
2022-02-16 08:43:42 angelo: we are brothers!
2022-02-16 08:43:48 thomas: Slavs?
2022-02-16 08:43:51 thomas: or Aryans?
2022-02-16 08:44:01 thomas: Ooh, the skinhead theme is my favorite.
2022-02-16 08:44:05 thomas: whoever has cleaner blood
In early February, the 75-year-old ultranationalist Vladimir Zhirinovsky, a demagogic politician and leader of the Liberal Democratic Party of Russia, was reportedly hospitalized for Covid-19 and in critical condition.
Zhirinovsky is a far-right authoritarian populist known for decades of controversial views. According to a 1994 article in the New York Times, Zhirinovsky called for “the preservation of the white race” in a 1992 television appearance to the U.S., which he warned was being turned over by the white population to black and Hispanic people. In 2016, Zhirinovsky strongly supported the election of Donald Trump for U.S. president over Hillary Clinton, telling Bloomberg, “Trump and I could impose order on the whole planet. … Everyone would shut up. There wouldn’t be any extremists, no Islamic State, and white Europeans could feel at ease as we’d send all the immigrants home.”
The Conti hackers seem more than just Putin-supporting Russian patriots — they identify with Zhirinovsky’s far-right, authoritarian, racist politics. In the chat room, they discussed Zhirinovsky’s condition, as well as conspiracy theories about why he’s really in the hospital and if he’s even really sick.
2022-02-16 13:59:48 kermit: everything is okay in the kremlin
2022-02-16 14:00:00 thomas: how’s Zhirik [Zhirinovsky] doing?
2022-02-16 14:00:03 thomas: is he alive?
2022-02-16 14:00:07 thomas: It’s gonna be sad without him.
2022-02-16 14:00:09 kermit: I don’t know, he’s sick
2022-02-16 14:00:15 kermit: he’s not in the kremlin
2022-02-16 14:00:32 thomas: there was a video that said he is not being treated for covid, his lovers poisoned him
2022-02-16 14:00:35 thomas: and on the news
2022-02-16 14:00:42 kermit: lol
2022-02-16 14:00:43 thomas: not mistresses but male lovers
2022-02-16 14:00:46 weldon: :joy:
2022-02-16 14:00:52 kermit: yeah that’s a known fact
2022-02-16 14:01:31 weldon: *Petrosyans *fuck with Stepanenkas :rofl:
2022-02-16 14:01:36 kermit: https://www.youtube.com/watch?v=8aDxfJ-eCxw
2022-02-16 14:07:11 gelmut: By the way, everything is bullshit about Zhirik. Their party man said that everything is fine with him, it’s just hype and journalist faggots. In fact he is just lying in the hospital just in case and working there, feeling fine. They bring him documents to sign right there.
2022-02-16 14:09:18 kermit: Trust the party members from the LDPR
2022-02-16 14:09:22 kermit: That’s just the way it is.
2022-02-16 14:10:01 kermit: They’ll tell you that Volfovich [Zhirinovsky] is dying out there and people don’t know what to do
On February 24, at the very beginning of the West’s sanctions against Russia, members of Conti were clearly already feeling squeezed, including by their inability to buy digital gear from Apple. After urging from Ukraine, Apple had quickly cut off sales of products like iPhones and MacBooks to Russia. The value of Russia’s ruble had plummeted to 85 rubles for each U.S. dollar (by March 7, each dollar cost 150 rubles).
2022-02-24 07:04:43 angelo: I take it now the latest model iPhone and Macbook are the ones you have now and that’s it
2022-02-24 07:05:22 weldon: so it is
2022-02-24 07:10:26 biggie: as long as the dollar is 85
2022-02-24 07:11:09 weldon: screw GDP on the dollar
2022-02-24 07:11:25 biggie: What about the iPhone?
2022-02-24 07:12:07 weldon: Shove your iPhones up your ass
2022-02-24 07:12:58 biggie: what about macbooks
They joked about Russia joining NATO so they could switch from the free-falling ruble to the euro. Angelo said he couldn’t even buy a brand of juice because it’s American.
2022-02-24 07:17:23 biggie: we should join NATO, then the euro would replace the ruble and nothing would drop
2022-02-24 07:17:34 angelo: I even couldn’t buy Dobry Juice now – it’s American
2022-02-24 07:18:31 angelo: you should take Viagra, nothing will drop.
2022-02-24 07:19:20 weldon: @biggie you shouldn’t miss the shitter when you piss
2022-02-24 07:19:44 biggie: :smiley:
2022-02-24 07:43:20 biggie: “In half an hour, a quarter of Russia’s stock market is like a cow lapped it up… MOEX index -28,8%”.
2022-02-24 07:43:41 biggie: we’re broke.
2022-02-24 07:45:42 biggie: on the other hand we could soon be stocked up
2022-02-24 07:46:12 angelo: but
2022-02-24 07:46:15 angelo: but
2022-02-24 07:46:19 angelo: I haven’t fucking figured it out yet
2022-02-24 07:46:48 weldon: close up before they close you down
The Conti members even discussed a rumor that PornHub, the major American pornography site, would block Russian users. This was false; PornHub didn’t actually block Russians from using its service.
2022-02-24 22:02:38 thomas: Some American senators suggest blocking PornHub in Russia in addition to social networks!
2022-02-24 22:02:44 thomas: That’s it, we’re done)
2022-02-24 22:02:49 thomas: They will take away our last joys!
In late January, during a conversation about drug use, the user “Kermit” said, “We should send our correspondence to Krebs.” Angelo replied, “The worst that can happen.” They’re referring to Krebs, the investigative journalist who covers cybercrime groups like Conti. This is especially interesting because since ContiLeaks was published, Krebs has, in fact, been analyzing the group’s correspondence.
2022-01-28 20:01:08 kermit: we should send our correspondence to krebs
2022-01-28 20:01:10 angelo: the worst that can happen
2022-01-28 20:02:03 angelo: I come back once in the evening,
Stoned on hash.
Life becomes beautiful
And it’s madly good.
2022-01-28 20:02:17 angelo: going….. smoking…
2022-01-28 20:02:26 angelo: he’s freaking out, he’s gonna say the Chelyabinsk delinquents
2022-01-28 20:02:48 stanton: Cannabis is supposed to be good for your head.
2022-01-28 20:03:04 angelo: everything is relative
2022-01-28 20:03:24 angelo: if you’re prone to schizophrenia you might end up in a mental hospital
2022-01-28 20:04:30 kermit: or join the KPRF [Communist Party of the Russian Federation]
It’s clear that members of Conti read Krebs’s work. They frequently mention him when they’re talking about anything particularly inappropriate. For example, on February 2, in a conversation about porn, masturbation and articles about performing oral sex on yourself, Kermit posted, “that’s the kind of correspondence krebs won’t leak :/”.
2022-02-02 20:56:41 elliott: :rofl:
2022-02-02 20:57:01 kermit: that’s the kind of correspondence krebs won’t leak :/
2022-02-02 20:57:08 angelo: he was reading something about giving himself a blowjob
On February 16, Conti members discussed how to remain anonymous using different Jabber clients, chat programs that can be used to connect to decentralized chat servers. They discuss Jabber clients called Pidgin, Psi+, and MCabber, how cool and hackery using them looks, and how well their encryption plugins work. They also discuss how their different anonymous Jabber accounts could get linked if they lose internet access and disconnect from multiple accounts at once. Thomas described his technique for mitigating this threat as “Krebs level.”
2022-02-16 08:34:19 thomas: i have each Jabber account on a different client or in a different sandbox
2022-02-16 08:34:22 thomas: and turn them on manually
2022-02-16 08:34:27 thomas: so there could be no timing attacks
2022-02-16 08:34:34 thomas: no autostarts
2022-02-16 08:35:00 thomas: in short, the security is krebs level
The messages in this RocketChat channel #general include the sort of misogyny, casual sexism, and crude anatomical references that have historically been endemic among certain groupings of young computer hackers. In one message, Angelo explained that the #general channel was for “pussy and boobs” and the #announcements channel and private messages were for work.
2022-02-08 14:56:47 angelo: you see, in general, pussy and boobs and announcements, in PM work
In one conversation on February 3, Angelo joked with others about raping a girl in her sleep. The replies included “iconic move” and “no, don’t touch them, they’re for meat when the pigeons and bums run out.”
Members of Conti also frequently used homophobic slurs in the chats. Human rights groups have denounced Russian prohibitions, under Putin, of so-called gay propaganda — acts considered to promote homosexuality — saying it contributes to an increasingly homophobic environment where acts of brutality against gay people are common.
On February 25, Patrick posted about how the Safe Internet League, an internet censorship organization in Russia, was going to declare Yuri Dud a foreign agent after a video he published about Ukraine. Dud is a well-known Russian journalist and YouTuber who identifies as Ukrainian. Patrick ended with “Kill the faggots!”
On February 28, Angelo and Kermit discussed child sexual abuse videos (what Kermit openly referred to as “child pornography”) and the ages of girls they liked to watch.
On February 21, the user “Frances,” who had only posted twice before that month strictly about work, posted a long and surprising update in the #general channel.
The “boss” of the Conti ransomware gang apparently disappeared and couldn’t be reached, probably because of “too much attention to the company from outside” and because of internal leaks. Conti didn’t have enough money in emergency reserves to even pay everyone’s salaries. Frances asked everyone to send him up-to-date contact information, take two to three months of vacation from work, and erase their tracks and clean up their accounts used for hacking in the meantime.
It’s unclear why Conti didn’t have enough money to pay salaries. John Shier, a senior security adviser at the security firm Sophos, told CyberScoop that Conti reportedly has a bitcoin wallet with $2 billion in it. And despite the request for employees to take vacation, there have been nearly two dozen news posts with hacked documents from ransomware victims on Conti’s extortion website since February 21.
2022-02-21 13:30:25 frances: @all
I sincerely apologize for having to ignore your questions the last few days. About the boss, Silver, salaries, and everything else. I was forced to because I simply had nothing to say to you. I was dragging my feet, screwing around with the salary as best I could, hoping that the boss would show up and give us clarity on our next steps. But there is no boss, and the situation around us is not getting any softer, and pulling the cat by the balls further does not make sense.
We have a difficult situation, too much attention to the company from outside resulted in the fact that the boss has apparently decided to lay low. There have been many leaks, post-New Year’s receptions, and many other circumstances that incline us all to take some time off and wait for the situation to calm down.
The reserve money that was set aside for emergencies and urgent team needs was not even enough to cover the last paycheck. There is no boss, no clarity or certainty about what we will do in the future, no money either. We hope that the boss will appear and the company will continue to work, but in the meantime, on behalf of the company I apologize to all of you and ask for patience. All balances on wages will be paid, the only question is when.
Now I will ask all of you to write to me in person: (ideally on Jabber:))
– Up-to-date backup contact for communication (preferably register a fresh, uncontaminated public Jabber account)
– Briefly your job responsibilities, projects, PL [programming language] (for coders). Who did what, literally in a nutshell
In the near future, we, with those team leaders, who stayed in line – will think how to restart all the work processes, where to find money for salary payments and with renewed vigor to run all our working projects. As soon as there is any news about payments, reorganization and getting back to work – I will contact everyone. In the meantime, I have to ask all of you to take 2-3 months off. We will try to get back to work as soon as possible. From you all, please be concerned about your personal safety! Clean up the working systems, change your accounts on the forums, VPNs, if necessary, phones and PCs. Your security is first and foremost your responsibility! To yourself, to your loved ones and to your team too!
Please do not ask about the boss in a private message – I will not say anything new to anyone, because I simply do not know. Once again, I apologize to my friends, I’m not excited about all these events, we will try to fix the situation. Those who do not want to move on with us – we naturally understand. Those who will wait – 2-3 months off, engaged in personal life and enjoy the freedom :)
All working rockets and internal Jabbers will soon be off, further communication – only on the private Jabbers. Peace be with you all!