
They Made $180 Million – Then It All Collapsed. The Crazy Story of The Most Sophisticated Hacker Gang

Eron Mahmuti


Introduction

Ransomware has evolved far beyond simple malware. Today, many ransomware groups operate like organized businesses with teams, budgets, and global reach. One of the most notorious examples was Conti, a powerful cybercriminal organization active from 2019 to 2022.

Conti became known for attacking hospitals, governments, and major companies while generating millions in ransom payments. Its story reveals how ransomware became a large-scale criminal industry.


What Was Conti?

Conti was both a ransomware program and the name of the group behind it. It is believed to have grown from earlier operations like Ryuk, using faster encryption and more advanced targeting methods.

The group relied on malware such as:

  • Emotet for initial access
  • Trickbot for spreading through networks
  • Conti for encrypting systems and demanding payment

This layered attack model made Conti highly effective.


How Conti Operated

Conti did not behave like a loose hacker gang. It reportedly had:

  • More than 100 members
  • Dedicated technical teams
  • Managers and recruiters
  • Salaried workers
  • Large operating budgets

This showed that ransomware had become professionalized crime.

Most attacks followed five stages:

  1. Phishing email or stolen credentials
  2. Network reconnaissance
  3. Data theft
  4. File encryption
  5. Ransom negotiation

Victims were pressured to pay not only to restore systems, but also to prevent stolen data from being leaked.


The Ireland HSE Attack

In May 2021, Conti launched a major attack on Ireland’s Health Service Executive (HSE), disrupting healthcare services nationwide.

The incident showed how ransomware can impact real lives, delaying appointments and causing widespread operational chaos. Reports also suggested the attack created internal controversy within Conti, as some members opposed targeting healthcare organizations.


Russian Ties and Internal Collapse

Security researchers linked Conti to Russian-speaking cybercrime networks. In 2022, after Russia invaded Ukraine, Conti publicly supported Russia.

That decision triggered backlash. Soon after, an insider leaked internal chat logs, source code, and operational details. These leaks exposed the group’s structure and weakened trust among members.

By mid-2022, Conti’s infrastructure disappeared and the organization effectively collapsed.


Legacy of Conti

Although the Conti name vanished, many former members likely moved into new ransomware groups. Its tactics—double extortion, structured teams, and large-scale targeting—are still widely used today.

Conti proved that ransomware is no longer just a technical threat. It is a business-driven criminal ecosystem that continues to evolve.


Conclusion

The rise and fall of Conti marked a major moment in cybersecurity history. It showed how organized and profitable ransomware had become, while also proving that internal leaks and poor decisions can destroy even powerful criminal groups.

Conti may be gone, but the ransomware model it helped build remains active worldwide.

This article was researched and written by Eron Mahmuti
