Experts at the Swiss information security company Prodaft have calculated that over the past five months, Conti ransomware operators have earned at least $ 25.5 million from their attacks.
The company said it has partnered with blockchain analysts at Elliptic to track 113 cryptocurrency addresses and over 500 bitcoins that Conti operators have collected from their victims over the past five months. This data is the first and only attempt to measure Conti’s earnings to date.
Experts at Prodaft and Elliptic say they recorded several transactions that split $ 6.2 million from Conti’s profits and were sent to a so-called “consolidation wallet.” The discovery of this wallet is good news, as it could become a target for law enforcement and allow the authorities to confiscate a significant portion of the hack group’s profits, as the US Justice Department previously did with one of REvil’s partners .
However, Prodaft notes that Conti’s operators manage the consolidation wallet themselves, and the group’s partners are not involved. They usually launder profits through shadow exchanges, Wasabi, and through Russian-language marketplaces like Hydra.
“In August 2021, 0.07 bitcoin was sent from this cluster to a well-known exchange known to be used by ransomware groups. In addition, Conti has not attempted to cash out or exchange the received Bitcoins from this cluster. The group’s activity indicates that the remaining 123.06 bitcoins are currently held in an unhosted wallet, ”the researchers write.
In addition, the researchers said they also tracked ransom payments and how the group distributed profits to its partners.
“One cluster was identified that was receiving payments from Conti and DarkSide, which may indicate that this is an individual who worked as a partner of both of these groups.”
It is worth pointing out that after the termination of such ransomware as Avaddon, REvil, DarkSide and BlackMatter, the Conti group, along with LockBit, became the most active RaaS platforms in the world. This explains the interest in hackers both on the part of information security experts and on the part of special services.