Conti source code leaked by Ukrainian researcher
Source code hits the public domain as fallout continues over ransomware group's support for Russia


The researcher who leaked internal chats from the Conti ransomware group has now published its source code and appears to have doxxed one of its developers.
The leaker, going under the Twitter name @Contileaks, had originally published internal chats from the group on Sunday in response to its declaration of support for the Russian invasion of Ukraine. They followed it up by publishing the source code overnight.
The researcher published the code as a password-protected file, prompting a flurry of requests for access. They explained that they would release the password to trusted parties, saying in a tweet: "conti src password shared only with trusted ppl for now. to avoid more damage!"
However, earlier this week, another researcher appeared to have cracked the password and shared the code online.
Other code released in the ContiLeaks dumps appears to include the source for the TrickBot command dispatcher and data collector. The researcher also published access details for several storage servers used by the Conti group yesterday.
The leak also extended to personal information. The researcher tweeted what they claim is the GitHub page and Gmail address gleaned from the code. The address is flagged in the code as an developer for the Conti group, but responses to the tweet suggest that the developer did not know that he was writing back-end code for a ransomware operation.
Amid the data posts, the researcher continued to criticize the Russian government for its attack on Ukraine, posting: "more sanctions! they destroy hospitals, and a lot of ppl died! even some of my friends !"
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Screenshots have appeared of the Conti recovery dashboard and the BazarLoader command and control panel used to control infected devices.
Others claimed that the source code is not the latest version. The leaked code allegedly dates back to September 2020.
Since the initial leaks occurred, various analyses have appeared online detailing the bitcoin addresses used by the group, along with lists of email addresses found it its correspondence. Other information now freely available online includes hundreds of data points detailing domains used in the ransomware's command and control infrastructure, along with the gang's active dark web chat IDs.
Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing.
Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.
-
How to implement a four-day week in tech
In-depth More companies are switching to a four-day week as they look to balance employee well-being with productivity
-
Intelligence sharing: The boost for businesses
In-depth Intelligence sharing with peers is essential if critical sectors are to be protected
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs