Russian-based hackers made US$77 mil in 21 months

The group evades investigations by using 645 accounts, chat logs show.

TOKYO:
Conti, a leading ransomware syndicate with close ties to Russia, is likely responsible for cyber attacks that generated about US$77 million in 21 months, a Nikkei analysis shows, depicting a lucrative black market business.

The group quickly shifted funds through an intricate web of crypto asset accounts to evade capture.

The organisation even enlists a team to handle public relations and personnel affairs, just like a large corporation.

The group is a major force in the underworld of cyber crimes.

Of all the companies that have publicly disclosed being victimised by ransomware, approximately 20%, or 824 businesses, have been hit by Conti, according to Singaporean analytics platform DarkTracer.

The US government recently offered a bounty of up to US$10 million for information that leads to the identification and location of Conti leaders.

When Conti put out a statement in February in support of Russia’s invasion of Ukraine, members supporting the Kyiv government retaliated by leaking internal chat logs.

The dumped data, spanning a period between June 2020 and March of this year, contained about 170,000 messages written entirely in Russian using 1.18 million characters.

Nikkei pored over the chat logs alongside Takashi Yoshikawa, a senior malware analyst at Mitsui Bussan Secure Directions, a Tokyo-based cyber security firm.

The exchanges provided a behind-the-scenes look at Conti’s criminal operations.

“The chats appear to be authentic,” said Yoshikawa, noting they reveal behind-the-scenes exchanges about specific attacks and that the virus source codes used for the attacks were also leaked simultaneously.

Conti had 645 digital wallets containing a total of 2,321 bitcoins, making them worth over US$90 million at the time the chat logs were leaked.

When accounting for overlaps and other factors, Conti held at least 1,953 bitcoins – or more than US$77 million – in the form of ransom payments or transfers from outside parties.

The wallet with the most deposits received about US$23 million between September and November 2020 over the course of multiple transfers, each approaching US$8 million.

Those funds were later disbursed to multiple wallets.

“The funds were moved within a short timespan to ward off investigators tracing ransom payments, with the aim of converting the assets into cash at exchanges or on the dark web,” said Yoshikawa.

The chats included roughly 350 participants.

Of that number, 35 members posted more than 1,000 messages individually.

At the same time, 30% of the participants posted 100 messages or fewer.

A number of principals oversaw key functions, such as public relations and personnel management.

Conti rotated through hundreds of active members adept in programming and other skills, much as a company relies on gig workers.

In some cases, members came on board apparently unaware that they were involved in criminal activities.

Conti has set up an underground business offering compensation for skill sets that help the group carry out attacks.

Some of the chat messages suggested links to Russia’s Federal Security Service.

Many fear Conti will ramp up activities if Russia experiences further economic hardships under sanctions imposed by western nations.

Conti’s actions since 2020 represent just the tip of the iceberg given the vast scale of cyber crime.

Ransomware attacks alone doubled last year to about 623 million instances globally, according to US cyber security company SonicWall.

In recent months, Toyota Motor was subject to an attack that briefly halted its supply chain.

The financial damages associated with ransomware-induced system stoppages, along with attorney’s fees and other expenses, add up to about seven times the ransom payments themselves, according to estimates by Check Point Software Technologies, an Israeli-American cyber security firm.

Investigators are unable to keep pace with the cyber criminals, likely creating the conditions for massive organisations such as Conti to thrive.
