A Ukranian computer specialist spoke exclusively to CNN about his efforts to disrupt a notorious Russian ransomware gang after the Russian invasion
Washington CNN  — 

As Russian artillery began raining down on his homeland last month, one Ukrainian computer researcher decided to fight back the best way he knew how – by sabotaging one of the most formidable ransomware gangs in Russia.

Four days into Russia’s invasion, the researcher began publishing the biggest leak ever of files and data from Conti, a syndicate of Russian and Eastern Europe cybercriminals wanted by the FBI for conducting attacks on hundreds of US organizations and causing millions of dollars in losses.

The thousands of internal documents and communications include evidence that appears to suggest Conti operatives have contacts within the Russian government, including the FSB intelligence service. That supports a longstanding US allegation that Moscow has colluded with cybercriminals for strategic advantage.

The Ukrainian computer specialist behind the leak spoke exclusively to CNN and described his motivation for seeking revenge after Conti operatives published a statement in support of the Russian government immediately after the invasion of Ukraine. He also described his desperate efforts to track down loved ones in Ukraine in recent weeks.

To protect his identity, CNN agreed to refer to him by a pseudonym: Danylo.

“I cannot shoot anything, but I can fight with a keyboard and mouse,” Danylo told CNN.

Service members of pro-Russian troops drive armoured vehicles past local residents in the course of Ukraine-Russia conflict in the besieged southern port city of Mariupol, Ukraine March 24, 2022.

The trove of data Danylo leaked in late February illustrates why cybersecurity has been such a fraught issue in US-Russia relations. It includes cryptocurrency accounts the Conti hackers used to allegedly reap millions of dollars in ransom payments, their discussions of how to extort US companies and their apparent targeting of a journalist investigating the poisoning of Kremlin critic Alexey Navalny.

But it also shows how hard it can be to disable ransomware operations. Despite Danylo unmasking their operations, the hackers continue to announce new victim organizations.

Danylo, who has worked as a cybersecurity researcher for years and studied the underground cybercriminal economy in Europe, is just one vigilante in a shadow war that has emerged between hackers and cybersecurity executives who have pledged support for the Ukrainian and Russian governments as the biggest land war in Europe since World War II drags on.

But by disrupting a group as notorious as Conti, Danylo has gained more attention than others. The FBI, Danylo said, contacted him after he began to leak the Conti files, asking him to stop leaking.

The FBI declined to comment.

Firefighters work to extinguish a fire at a warehouse after it was hit by Russian shelling on March 28, 2022 in Kharkiv, Ukraine.

CNN corroborated Danylo’s claim that he was the leaker by reviewing evidence that he had access to the Twitter account that was publishing the Conti data, as well as a website that Danylo and another person, who was granted anonymity for their protection, were using to share data contained in the leaks.

Danylo hasn’t spoken with the media about his motives – until now. He did so while navigating a war-ravaged country he had only recently returned to and could hardly recognize.

“It’s my country,” he said in a phone interview. “If they [the Ukrainian government] provide me weapons, OK, I’ll go fight. But I’m better at typing.”

Digital retribution

Danylo claims that he first gained access to computer systems used by what would become the Conti syndicate in 2016. Though he declined to explain in detail how he did this, independent security experts have verified to CNN the dataset belongs to the hackers. (Conti is both the name of malicious software and the cybercriminal syndicate that uses it. The group is also affiliated with TrickBot, another hacking tool used in numerous ransomware attacks.)

“Sometimes they make mistakes,” Danylo said, referring to ransomware groups. “You need to catch them when they make a mistake. I just was in the right place at the right time. I was monitoring them.”

For years, Danylo said, he quietly lurked on the hackers’ computer servers and would pass along information on the group’s operations to European law enforcement officials.

Conti ransomware has been rampant in the last two years, with the hackers claiming numerous victims a week.

In September 2020, the hackers claimed to have stolen case files from a district court in Louisiana. In March 2021, Conti ransomware was used in a hack that hobbled the computer networks of Ireland’s $25 billion public health system, disrupting a maternity ward in Dublin.

The dark work was lucrative: hackers using the Conti ransomware received at least $25.5 million in ransom payments in the span of just four months in 2021, according to Elliptic, a firm that tracks cryptocurrency transactions.

Collapsed building is seen as civilians are evacuated along humanitarian corridors from the Ukrainian city of Mariupol under the control of Russian military and pro-Russian separatists, on March 26, 2022.

But something snapped in Danylo on February 25, 2022, when Conti operatives published a statement pledging their “full support” for the Russian government as it attacked Ukraine.

A Russian airstrike had landed not far from a family member’s house. The cybersecurity researcher grew up in Ukraine when it was part of the Soviet Union. He didn’t want to see it slip back into Russian hands.

Conti members tried to walk their statement back, claiming they weren’t supporting any government, but Danylo had heard enough.

Asked again why he dumped the Conti data, Danylo said with a laugh: “To prove that they are motherf**kers.” He was exhausted from a long day navigating military checkpoints in Ukraine, on the hunt for ci