Hunting the Shadow of Conti

How I found what the FBI, NSA, and an army of researchers couldn’t

 

Imagine you’re hunting the most disciplined cybercriminal group in the world — Conti. These guys practically wrote the textbooks on OPSEC. Impeccable digital hygiene. In 2022, all their internal work chats (hundreds of thousands of messages) leaked online. Conti just laughed — then encrypted an entire country, Costa Rica, changed their banner, and kept working.
Intelligence agencies, analysts, and independent researchers spent years looking for even a single lead. No results. The FBI, admitting defeat, offered a $10 million reward for the names of the leaders. Three years of gold rush, thousands of analysts, endless reports — and zero results.

But I decided to take on the challenge. This is the story of how I, step by step, uncovered the connections, flights, and identities of the key figures in the group, relying on leaked FSB “Border” control databases, fragments of Conti chats, and pure OSINT. These anonymized actors had no faces — only shadows. I turned on the spotlight, and their own shadows caught them. That’s how the hackers got names.


The First Lead: Kurashov and His Travel Companions

They weren’t tourists flying to Dubai

It all started with Alexey Kurashov. His name emerged after analyzing thousands of leads pointing to Moscow City. No hard proof — only stylistic analysis of Conti chats indicated he was “Target,” a key figure in the group. Stylometry and intuition. I decided to act directly and messaged him on Telegram. After a brief conversation, I knew — yes, it was him. The first key participant found. But irrefutable evidence was needed.



I collected data on every time Kurashov crossed borders over the past 10 years. Dozens of flights, hundreds of travel companions. Gradually, a network of his closest contacts emerged — people he flew with repeatedly. Particularly notable were trips to the UAE starting in 2021. These were not random vacations: the same people, flights back and forth like clockwork. It was as if the hackers were following a schedule. But why? I decided to dig deeper.


Timeline: Mapping Their Secrets

To understand how this network operated, I created a visual timeline of Kurashov’s flights and those of his travel companions. Each flight was a piece of the mosaic, revealing their movements. At the same time, I dove into reading Conti chats and started comparing. All participants maintained strict operational security and kept their communication encrypted, even from each other.



Systematic work paid off. In Rocket.Chat, I found a message from user RED — an account Target used for just a few hours:

2021-10-12 15:35:49 red: “We’ll send the guys early in the morning”

Seems like nothing? At first glance. But flight data revealed more: on October 13, 2021, Marat Nurtdinov and Oleg Fakeev, close friends of Kurashov, flew to Dubai on SU-520. Coincidence? Unlikely.
This was the first lead connecting the digital world to the real one.


The Clue Leading to the Dubai Conti Office

Another lead surfaced in Jabber. User Bloodrush (aka Target, identified through stylistic analysis and fact-checking) wrote:

13.10.2021: “I don’t have access to the online wallet until Friday, I only have clean crypto.”

On October 14 — guess what?
Kurashov flew to Dubai.
On the same flight SU-520 with him — Vladimir Kvitko.
Bloodrush disappears and reappears online on October 15. Friday. Everything matched perfectly.


Vladimir Kvitko — One Small OPSEC Slip

Next, I’ll tell you who Vladimir Kvitko is and how one tiny OPSEC mistake overturned a decade of perfect operational discipline.

 

The shadows revealed in Kurashov’s timeline (Target) led straight to Dubai — the unofficial capital of their operations. There, in the shadow of the Burj Khalifa, hackers exchanged crypto and planned attacks, posing as businessmen at conferences. But one careless chat message and a single flight — and an analyst has a golden clue. Our next focus: Vladimir Kvitko, Kurashov’s companion on three joint UAE trips.

This man was a ghost even among ghosts.


 

 

The Professor — A Genius Tripped by “On the Road”

Vladimir Kvitko was a digital perfectionist. His LinkedIn read like a polished museum exhibit: MBA from IE Business School, PhD, patents, work at reputable companies, numerous achievements. Not a single scratch on his digital profile.

 

 


A casual businessman? Probably. But one detail stuck out: birth year 1984.

Hint — Target once joked about the Professor in Conti chats:

2020-08-20 09:43:15 target → dandis: “Well, the Prof is just a pesky guy and old )))))))))”
2020-08-20 09:43:38 dandis → target: “Why old? :D”
2020-08-20 09:44:33 target → dandis: “Because, as it turns out, he’s a couple of years older )”

Kurashov — born 1986. Kvitko — 1984. A difference of a couple of years. “Prof” — the Professor, Conti general, strategist, operational brain, with a $10 million reward for his identification by the FBI. A master of conspiracy, a genius who never made mistakes.

No wonder FBI analysts gave up: too clean. I scoured Rospassport reports, the “Magistral” database, flight records. Kvitko was cautious: his flights were usually on weekends, when chats were quiet. Studying thousands of Professor messages (aka Alter, aka TeamLead2) — a complete labyrinth. Then — an unexpected discovery! One line like a bullet piercing the armor of mystery. Not just text. Golden evidence:

2021-06-14 16:57:26 professor paranoik
“decrypt the file for people please”

Silence. Total silence until June 18. Then:

2021-06-18 10:40:33 professor pin
“ku
in a couple hours I’ll be
on the road”

I checked: Kvitko was indeed in Altai on those dates. Flight Moscow–Novosibirsk and back — confirmed by the “Magistral” database.
Perfect anonymity collapsed because of a single phrase. The Professor identified. Another “$10 million” target caught.

 

But Kvitko wasn’t alone; he had interesting travel companions I investigated. Yet the most intriguing figure was another mysterious person near him on the timeline — someone he avoided flying with. The Professor crossed paths in Dubai seven times with Arkady Bondarenko — always separated by 1–2 days to avoid appearing on passenger lists.
Next target in our scope:


Next: Arkady Bondarenko — Canadian “Negotiator” with a Russian Accent

 

https://x.com/GangExposed_RU

https://t.me/GangExposed_int

https://t.me/hackintel