PART 0. BACKGROUND
NET-WORKER: how a Conti hacker gave himself away with a single phrase
When you dig into the dark corners of the darknet, expect surprises. One of them is NET-WORKER, who presented himself as a young hacker with connections to LockBit and access to Russian special services. However, an analysis of his behavior, speech, and digital footprints shows that behind this persona is not a teenager at all, but Aleksey Kurashov, also known as Target, one of the leaders of the Conti Ransomware group. What gave him away was not a sophisticated exploit, but the habit of writing "дадада" ("yeah yeah yeah").
The comment that launched the investigation
NET-WORKER came into my field of view on June 24, 2025, after I published my investigation about Oleg Fakeev (White), a Conti pentester and close friend of Aleksey Kurashov. Under this material in my Telegram channel, he left a sarcastic comment:
"Yeah yeah yeah little bro, Bloomberg is such a f***ing authoritative publication, sure, go on."
At first glance, ordinary trolling. But this exact manner of speech had appeared before. In the leaked internal Conti chats, one participant with the nickname target very often used the same constructions:
2020-09-17 10:34:08 target bentley   yes yes yes yes
2020-10-02 00:00:07 target troy    I'm saying yes yes yes
2020-09-25 10:11:30 target professor  yeyayea
2020-09-25 10:10:49 target professor  yeayea
Such speech habits are rarely controlled and often persist for years. In criminal investigations, this is called a behavioral marker.
When I wrote to NET-WORKER in private messages, calling him "Alex", he almost immediately deleted all his comments under the post. Well, what cybercriminal wouldn't panic after that?
The "teenage genius" persona
In correspondence, NET-WORKER built an elaborate legend. According to his messages, he:
- is the founder of the NET-WORKER ALLIANCE project
- gives interviews to the media
- is a consultant and contractor for SVR, FSB Cybersecurity Service, Rostec, Ministry of Defense, and Roscosmos
- organized DDoS operations against Moldova's infrastructure "on behalf of Gazprom"
- de-anonymized members of the hacktivist group KillNet
- destroyed infrastructure of the hacker group Anonymous
- is a technical employee of the darknet drug marketplace MEGA, allegedly acting "for ideological reasons"
- is a partner of LockBitSupp, involved in cryptocurrency laundering
- owns more than 6000 BTC
What was confirmed
Analysis of correspondences, chats, and activity shows that NET-WORKER is Aleksey Kurashov, who continued working in the darknet after the collapse of Conti in 2022.
Facts:
- In 2023, he infiltrated the drug marketplace MEGA posing as a moderator
- https://knds.com/fr/communiques-de-presse/cyber-incident
- https://tass.ru/obschestvo/18848397
- Participated in DDoS attacks on competitors
- Engaged in de-anonymization of key hacker groups and darknet figures
- There are darknet ads where criminals themselves offer $50,000 for NET-WORKER's de-anonymization and "$10,000 for his fingers"
- A recorded episode of distribution of narcotic substances on a particularly large scale, worth 6.4 million rubles: October 5, 2023: "Total stash amount 6.4 million ₽" (HUSTLE FAMILY, imsg_bot)
- There are public correspondences indicating cooperation with Russian structures and industrial espionage in the military-industrial complex
- LockBitSupp publicly confirmed their acquaintance
Threats
When it became clear he was being identified, the tone of the correspondence changed sharply. First came attempts to evoke sympathy: that my publications destroy families, people's businesses collapse, he allegedly helps victims financially.
Then threats followed:
"I have more than 6000 bitcoins
I can buy a country
Tanks
Airplanes
I can start a war with the FBI
A real one
I can declare an action like Escobar
Kill cops
Or rather FBI agents"

(NET-WORKER gave consent to publish our correspondence. At the time of the dialogue, there was no photo on the avatar; the screenshot was taken later. These threats were made to me in the context that Kurashov (NET-WORKER, Target) was convinced that I was an FBI employee. Later, he repeatedly publicly reaffirmed these threats when I showed this screenshot in Telegram groups.)
There were also threats of brutal physical violence, which are not quoted here. After that, he proposed a "peace agreement": delete the published materials in exchange for "reconciliation". The offer was declined.
Attempt to hide behind a "schoolboy" again
After the refusal, NET-WORKER claimed that he was just trolling and "pretending to be Target".
He sent voice messages (voice of a young man about 15-20 years old) and geolocation, demonstrating that he is a teenager and not hiding. In response, I suggested a simple test: put Kurashov's passport on the avatar. He agreed and did it (it should be clarified that at that moment I had not yet published anything about Target-Kurashov; I did so only in August 2025).

Additionally, a repeated stylometric analysis was performed. Result: complete match with the RED account from Conti's Rocket-Chat, another pseudonym of Target (Kurashov).
The "drop" role
During the investigation, the name Kirill Panteleev, born in 2008, surfaced. His videos and voice match part of the materials sent by NET-WORKER. With high probability, the teenager was used as cover, but the account is controlled by Target (Kurashov) himself. A classic scheme for communicating with the media and deflecting suspicion.
Same speech, same thinking
Final confirmation: the language.
Target in Conti chats previously wrote: "The office should pay for itself, not reach into pockets."
NET-WORKER wrote: "It's not worth reaching into my pocket, everything is fine there."
Or:
Kurashov: "Send it wherever you want - they'll laugh at you."
NET-WORKER: "Send it to the FBI - they'll laugh."
This is not copying. This is the same way of formulating thoughts.
Conclusion
NET-WORKER is not a teenage genius and not a new figure in the darknet. It is Aleksey Kurashov, who after the collapse of Conti created a completely new persona for himself. But habits, language, and behavior gave him away faster than any leak.
Instead of anonymity, he left a detailed digital trail, thereby exposing not only himself, but also his activities after Conti.
Let's now prove it.
PART 1
De-anonymization without content: how Telegram metadata, traffic fines, and flights form one profile
One public message in Telegram gives almost nothing.
Ten messages: also almost nothing.
Even a hundred messages are just recorded moments of activity: the user was online, wrote something in a public chat, and disappeared.
But what if there are thousands of such messages?
What if they are distributed over time not randomly, but with repeating intervals, gaps, and bursts?
What if these points on the timeline are matched against other, external data sources?
In this part, I show how even with strict OPSEC compliance and complete absence of personal information in public messages, a person leaves a stable behavioral trace that can be recorded, visualized, and analyzed.
We are not talking about the content of correspondences.
Only metadata. Only correlation. Only patterns.
Problem statement
At the center of the analysis is the Telegram account NET-WORKER @net_worker_suppport and a specific person: Aleksey Mikhailovich Kurashov, born February 23, 1986.
The task is extremely simple and at the same time complex:
- does the same person operate the NET-WORKER account;
- can this activity be linked to Kurashov;
- with what degree of accuracy can this be done without resorting to message content;
- are there anomalies, and how to interpret them;
- does the totality of data allow a reasoned conclusion about de-anonymization.


Data sources
The analysis used available metadata from several independent sources:
- Telegram activity
  - more than 10,000 messages from the NET-WORKER @net_worker_suppport account ID 6162917461;
  - sources: Telegram bots FanStat Bot @ShamiGems_bot (permanent link to the bot http://telelog.org/) and imsg Bot @imsg_bot; they allow exporting the user's message history from open and even some closed group chats;
  - mandatory synchronization of time zones to UTC+3 (MSK) (they differ in these services).
- Traffic fine history from GIBDD
  - Lamborghini Urus vehicle, license plate в888тк53, STS 9941614859;
  - Tesla Cybertruck vehicle, license plate а469мр77, STS 9963939949;
  - data can be obtained legally through Avtokod, Drom, Avinfo, etc.; links https://vin.drom.ru/report/b888tk53/ and https://vin.drom.ru/report/a469mp77/ (≈$5 for both reports, payment only with Russian cards), but there are also free ways to get all fines;
  - for 2023-2025: 542 fines for Urus and 241 for Tesla (without duplicates);
  - additionally, GIBDD fine data (including archive) can be purchased from https://probiv.space
- Photos and parking data
  - both vehicles are regularly captured in parking spaces;
  - parking spaces No. 3027, 3027, 3028 are owned by Aleksey Kurashov (see dossier);
  - both vehicles were repeatedly recorded there in different months of 2024 and 2025;
  - photos of these vehicles with parking spaces were legally and freely taken from Nomerogram; links https://www.nomerogram.ru/n/b888tk53-142f99e63/ and https://www.nomerogram.ru/n/a469mp77-184a93fb5/ (hundreds of photos of these vehicles available via these links)
- Flights
  - data obtained through the "Magistral" system (source https://probiv.space)
  - four independent reports from different contractors were used;
  - period: 2023 to December 2024.
- RAW Data
  - Attached documents
  - Main file "NET-WORKER 6162917461 Timeline.ods": all messages, fines, and flights combined into one table. Flights (green) and fines (yellow) are color-highlighted for quick search. (Update: messages from user blood from the BlackBasta Matrix chat leak have been added to the general table; they are highlighted in red.)
Methodology
The key principle of the analysis is to reject details that distract from patterns.
At the first stage:
- message text is not analyzed;
- the specific violation for which the fine was issued is not taken into account;
- flight geography is not important.
- chat message;
- camera violation recording;
- departure or arrival.
Value appears only when thousands of points from different sources are placed in parallel on one timeline.
Primary observations and timeline analysis
When analyzing the timeline, certain patterns immediately stand out. For detailed chronology, look in parallel at the NET-WORKER 6162917461 Timeline.ods table, where I marked and color-coded flights and fines for visual search convenience.
Absence of overlaps: fines and messages do not intersect in time
When overlaying two independent data streams, Telegram messages and GIBDD violation records, the absolute absence of time overlaps is immediately noticeable.
Out of all 750+ fines, only one case showed minimal overlap (difference of tens of seconds, episode from 07.08.2025, described below). In all other cases, at least several minutes pass between the nearest NET-WORKER message and the fine recording moment. This is not random noise. This is a systematic picture over almost three years.
Why it matters:
- GIBDD fines (mostly for speeding) are recorded at the moment when the driver is actively driving (or violated parking rules, but those are very rare).
- Active chatting in Telegram (NET-WORKER writes frequently, sometimes several messages in a row) requires attention: reading, typing, sending.
- A person can sometimes send a short message or one-word reply while driving, but maintaining a regular chat is extremely risky and atypical, especially at high speeds.
This creates a very strong marker: the "chat" and "driving" activities of the same profile are strictly separated in time. One person does not do both at the same time.
The only noticeable anomaly (exception)
There is exactly one episode with minimal difference:
07.08.2025, daytime:
- 13:06:40 - message
- 13:07:00 - speeding fine
- 13:07:50 - message
- 13:08:00 - another speeding fine
- 13:08:32 - message
- at that moment someone else was driving the Tesla Cybertruck;
- or the messages were sent not by the driver (unlikely).
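An added example, not part of the original investigation: before reading "no overlaps" as evidence, check how many near-coincidences two unrelated actors with the same daily rhythms would produce. The function names, the 60-second window, the whole-day rotation null model and the generated streams are assumptions of this example; only the 07.08.2025 timestamps come from the page.

```python
import bisect
import random
from datetime import datetime, timedelta, timezone

DAY = 86400


def to_epoch(stamp, utc_offset_hours):
    """'DD.MM.YYYY HH:MM:SS' recorded at a given UTC offset -> epoch seconds."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.strptime(stamp, "%d.%m.%Y %H:%M:%S").replace(tzinfo=tz).timestamp()


def nearest_gaps(events, reference_sorted):
    """Seconds from each event to the closest timestamp in a sorted, non-empty list."""
    gaps = []
    for t in events:
        i = bisect.bisect_left(reference_sorted, t)
        gaps.append(min(abs(t - r) for r in reference_sorted[max(i - 1, 0):i + 1]))
    return gaps


def close_count(events, reference_sorted, window_s):
    """Number of events within window_s seconds of any reference timestamp."""
    return sum(g <= window_s for g in nearest_gaps(events, reference_sorted))


def day_shift_null(events, reference, window_s, t0, n_days):
    """Close-pair counts after rotating the reference stream by 1..n_days-1 days.

    Whole-day rotation keeps each stream's time-of-day habits but breaks
    same-day coupling: it estimates how many near-coincidences two unrelated
    actors with these daily rhythms would produce.
    """
    span = n_days * DAY
    counts = []
    for k in range(1, n_days):
        shifted = sorted(t0 + (r - t0 + k * DAY) % span for r in reference)
        counts.append(close_count(events, shifted, window_s))
    return counts


def constructed_streams(n_days=120, seed=7):
    """Constructed data (not the page's table): an actor who never posts while driving."""
    rng = random.Random(seed)
    t0 = to_epoch("01.01.2024 00:00:00", 3)
    messages, fines = [], []
    for d in range(n_days):
        midnight = t0 + d * DAY
        drive = midnight + rng.uniform(13 * 3600, 21 * 3600)  # start of a one-hour trip
        fines += [drive + rng.uniform(0, 3600) for _ in range(2)]
        while len(messages) < 40 * (d + 1):  # 40 posts a day between 12:00 and 24:00
            m = midnight + rng.uniform(12 * 3600, 24 * 3600)
            if not drive - 300 <= m <= drive + 3900:  # silent 5 min before to 5 min after
                messages.append(m)
    return t0, n_days, sorted(messages), fines


def analyse(window_s=60):
    """Observed close pairs, mean under the null, and a one-sided p-value."""
    t0, n_days, messages, fines = constructed_streams()
    observed = close_count(fines, messages, window_s)
    null = day_shift_null(fines, messages, window_s, t0, n_days)
    p_value = (1 + sum(c <= observed for c in null)) / (1 + len(null))
    return observed, sum(null) / len(null), p_value


def page_episode_gaps():
    """The 07.08.2025 exception from the page, all times taken as UTC+3."""
    msgs = [to_epoch(f"07.08.2025 {t}", 3) for t in ("13:06:40", "13:07:50", "13:08:32")]
    fines = [to_epoch(f"07.08.2025 {t}", 3) for t in ("13:07:00", "13:08:00")]
    return nearest_gaps(fines, msgs)


if __name__ == "__main__":
    print(page_episode_gaps(), analyse())
```

On the constructed data the observed count is zero while the day-rotated streams produce many near-coincidences; if the rotated streams also produced close to zero, the absence of overlaps would carry no evidential weight.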
Using vehicles as a behavioral marker
The timeline clearly shows two lines: fines for Kurashov's two vehicles.
Simple but telling observation:
- in the vast majority of cases, fines are recorded either on one vehicle or the other;
- on the same day, fines almost never appear on both at once;
- vehicles are not used in the morning and before lunch (12:00); exceptions occurred a couple of times.
- noticeable when vehicles are used alternately, day after day (visually as a snake of dots on the graph).
- first day after purchasing the Tesla;
- several episodes starting from July 2025.
Flights and activity gaps
An additional layer: flights.
On the timeline it is noticeable:
- during flight periods, activity in Telegram chats sharply disappears;
- after return, activity resumes;
- these "gaps" coincide in time with flights.


TABLE UPDATE: important correction, the Sochi-Moscow flight on 07.10.24 was canceled, ticket refunded.
07.10.24 20:10 ADLER - SOCHI SHEREMETYEVO (MOSCOW) REFUND
I found out that Kurashov flew first from Sochi to St. Petersburg, and then from St. Petersburg to Moscow, on the same day. The time shifted by 1 hour 50 minutes. That is, there were 2 flights that day, not one. He flew via St. Petersburg.
07.10.24 16:40 07.10.24 20:55 SOCHI () PULKOVO () 07.10.24 16:12 BOARDING
07.10.24 22:00 07.10.24 23:30 PULKOVO () SHEREMETYEVO () 07.10.24 21:30 BOARDING
Other important patterns:
- when Kurashov departs from Moscow, GIBDD fines are completely absent. When he arrives, fines appear.
Anomalies and their interpretation
As in any living dataset, there are deviations here:
- individual days with overlapping fines on both vehicles;
- pattern changes in mid-2025.
- emphasize that we are dealing with real behavior, not synthetic data;
- allow several interpretations: change of habits, vehicle handover, schedule change.
Key questions and answers
Is the same person behind the NET-WORKER account?
On the considered time interval, the data indicate a high probability of this.
Can this activity be linked to Kurashov?
The correlation between Telegram activity, fines, flights, and daily habits points to the same person.
Can a definitive conclusion be made?
Absolute: no.
Reasoned with a high degree of confidence: yes.
Can one "hide" while complying with OPSEC?
Content can be hidden.
But hiding the rhythm of life is significantly more difficult.
Conclusion
Each date and time a message is sent is just a tiny trace.
But when there are thousands of such traces, and other independent markers appear nearby, they form a clear behavioral profile.
This story is about de-anonymization for 500 rubles.
It is about how metadata that seems harmless turns out to be far more dangerous than any text.
And about the fact that perfect anonymity does not exist: there is only the illusion of it until someone assembles the full timeline.
PART 2
Contextual facts: Finishing the de-anonymization with additional confirmations
To dispel any remaining doubts, let's add a layer of context. Although the main analysis in PART 1 relies exclusively on metadata, rare "anomalies" in the data are not weaknesses, but additional evidence. Let's take two cases where NET-WORKER activity continued during Kurashov's flights (international flights with onboard Wi-Fi internet; domestic flights within Russia have no internet onboard). At first glance, this might suggest a second person behind the account. But upon closer examination of the message context (without violating the "no content" rule, only for interpreting anomalies), everything falls into place. These episodes do not destroy the hypothesis, but strengthen it, showing a real person in a real situation.
Istanbul - Zhukovsky (Moscow) flight, 10.09.2023

(Translated from Russian. The original message text is provided in the Russian version of the article)
Kurashov's flight was scheduled for 13:00. NET-WORKER activity does not stop completely, but its context perfectly fits the "passenger on board" scenario:
- 50-55 minutes before departure (12:07-12:08): NET-WORKER actively jokes about stewardesses in the chat. Messages are full of enthusiasm: "Fuck the stewardesses are so sexy", "What milfs damn", "Here's first class on some Aeroflot", "Fuck there are such stewardesses". This is typical "airport" humor: the person has just passed check-in or boarded the plane and sees the crew. The stewardess topic directly refers to the flight, and the timing matches the pre-departure period.
- During takeoff (13:23-13:25): Activity continues, but you can see NET-WORKER trying to end the conversation: "I paid you too much attention, enough for today, bye)", "I didn't say that never happened) I'm going to do things, and you keep sitting in telegram chats 24/7)". Final message: "Send whatever you want", and silence. This is classic: the passenger ends the chat because the plane starts takeoff, Wi-Fi drops, or the stewardess asks to put away devices. No messages during the flight: the connection cuts off exactly at the start of the flight.
Dubai - Domodedovo (Moscow) flight, 14.09.2023

(Translated from Russian. The original message text is provided in the Russian version of the article)
Kurashov's flight ran from 15:00 to 20:15 (including landing). NET-WORKER activity resumes closer to the end of the flight, and again the context screams "I'm on the plane":
- During flight/landing (20:02-20:17): NET-WORKER suddenly starts joking about "hijacking planes": "@blxckfromway why did you hijack a plane?", "Blackie hijacked a plane", "Gaspacho hijacked a plane", "PLANES WHY DID YOU HIJACK", "Little planes launched into towers". The topic is 9/11 (flight a few days after the anniversary), but with humor about "plane hijacking". This is not random flooding: a person on a plane, possibly joking with a neighbor, referencing the tragedy.
- Key fact: On this flight, Kurashov was traveling with his friend and partner Ivan Shvaikov (both participants in the Conti hacker group, as confirmed by my investigations on the GangExposed channel). The nicks mentioned in the messages ("Blackie" or "Gaspacho") may refer to Shvaikov or their mutual acquaintances in the chat. Activity occurs during the landing phase, when Wi-Fi works but the flight is not yet over, then breaks for 20 minutes after landing (exiting the plane), and then messages continue.
This is not an anomaly. It is a real "leak" of OPSEC in real time, where flight context breaks through the metadata.
Here is another interesting episode related to NET-WORKER messages and Kurashov's flight. Pay attention to the messages highlighted in yellow, and the scheduled flight time.

(Translated from Russian. The original message text is provided in the Russian version of the article)
And I found several more similar examples after adding flight information to the messages table and highlighting them in color. This method made it easy to find previously invisible OPSEC mistakes.
Why this "finishes off" the de-anonymization?
There are two onboard communication cases out of 30+ flights, and both are explained by the presence of Wi-Fi on international flights (unlike domestic Russian ones with no internet). The message context is not neutral: it directly refers to the flight situation: stewardesses, takeoff, plane hijacking jokes. Add all the conclusions from the first part of the article. These are not random coincidences. This is a behavioral profile where metadata + minimal context of anomalies leave zero room for doubt: NET-WORKER is Aleksey Kurashov.
In the end, even attempts to find a "second person" lead to the opposite: everything points to one person, with his rhythm of life, habits, and environment. De-anonymization complete.
Final conclusion:
I conducted this work to demonstrate how even the most cunning hackers hide, and to show the tools, methods, and techniques by which they can be de-anonymized. In my next publications, I will show several related exposés based on similar sources of information, and I will also reveal the real identity of the leader of the LockBit group.
Additional information for researchers (unedited, drafts)