How I De-Anonymized Devman (aka Oleg Nefedov, Tramp, Sozdatel): Stylometry, OSINT, and an Operational Game
In recent months, a new ransomware group has emerged on the cybercrime scene, rapidly gaining momentum. The first activity of Devman Ransomware was recorded on April 6, 2025. At the time of writing, the group already had 51 victims and 11 affiliates. In a short time, Devman became a notable figure in the darknet, his name synonymous with aggression and technical sophistication.
I am GangExposed, and from the very beginning, I made it clear that I was investigating Conti and related actors. Interestingly, it was Devman himself who first reached out to me: he started leaving comments under my posts in my Telegram channel, where I publish exposés of Conti members. That’s how our communication began.
Later, when I became a member of the elite hacker chat Club31337 (where Devman was one of the admins), our interaction continued more informally and publicly. We exchanged friendly banter: he boasted about successful attacks on hospitals and the public sector, while I joked that I would visit him in Alcatraz prison someday. We both knew who the other was, and we both studied each other.
Stylometry and Profile Matches: How I Tracked Down Tramp
My first step was stylometric analysis. I collected over 4,500 messages from Devman (Telegram handle Sozdatel) from open Telegram groups and compared them with 160 samples from Conti members taken from Jabber and Rocket.Chat leaks. The result was unambiguous: a complete stylometric match with "Tramp" from Conti chats, and a partial match with the nickname "Thomas." The analysis was repeated several times with different parameters, and the result was always identical.
Stylometry was supplemented by analyzing profile characteristics from Devman’s (Sozdatel’s) public messages. Appearance: height over 190 cm, athletic build, weightlifter, about 95 kg—all of this matches both photos and his own descriptions in chats. Age: 25–35, with mentions of 2001 and 1993 as possible birth years. He frequently uses prison and criminal slang, which is also characteristic of "Tramp" from Conti.
The Operational Game: How Devman Started to Slip and Make Mistakes
In June 2025, I conducted the first doxing of Devman (Tramp) right in his own chat—posting several of his photos, a dossier, and the results of the stylometric analysis. For me, the goal was not just to publish the data, but to observe his reaction. And the reaction was telling: he changed his username the same day, deleted several messages from the group (which was unusual for him), was rude even to his own associates, and threatened one participant with severe physical violence for mentioning Nefedov’s family. The next day, he tried to "play it off" with trolling and memes, even "jokingly" setting a photo of Oleg Nefedov as his avatar in an attempt to revive his OPSEC and confuse others. He also began claiming that Oleg Nefedov (Tramp) was not him, but rather his older mentor or close friend.
In July 2025, I launched the second, more sophisticated phase of the operational game against Devman. This time, I didn’t just hint at having an informant in his circle—I orchestrated a staged public conflict with maximum psychological pressure. The culmination was when I posted a selfie of Oleg Nefedov, taken on his own phone, in the Club31337 chat.
Devman’s reaction was immediate and highly revealing. Within minutes, he began to lose his composure and make mistakes he had never made before:
Obsessive questions and panic. Within a few minutes, he asked more than ten similar questions in a row: "Where did the photo come from?", "Who leaked it?", "Name the rat", "You’ll get money." This looked like a panicked attempt to quickly localize the source of the leak.
No denial. Not once did he directly say "that’s not me" or "that’s not my photo." Formally, he only clarified that the selfie was "from Oleg’s phone," but did not deny his involvement.
Threats and promises of retribution. He publicly promised to "eliminate" the leak and punish the "rat," further exposing his nervousness and loss of control.
Attempt to buy the source. Devman immediately offered money for information about the "rat," which in the darknet is a clear sign of real threat to the subject.
Resorting to dirty tactics. Under pressure and in an attempt to seize the initiative, two minutes before my ultimatum expired, he broke the chat’s unwritten rules and posted our private messages in the public chat—even though I had only allowed this after the discussion, not before. This was a clear breakdown and an attempt to discredit me, but in reality, it only demonstrated his confusion and desperation.
Loss of OPSEC caution. At this point, he began acting impulsively, not considering the consequences. His messages became emotional, sometimes illogical, and he started grasping at any opportunity to "play off" the situation, but appeared increasingly vulnerable.
All of this unfolded in front of dozens of experienced chat participants, many of whom understood exactly what was happening. I deliberately kept the conversation public, not moving it to private messages, to ensure maximum transparency.
Psychological effect. My goal was not to get a confession, but to provoke Devman into making mistakes that could only be explained by a real threat of de-anonymization. His behavior—from panic to dirty tactics—became the best confirmation that I had hit the mark.
Result of the operational game:
- Devman lost control of the situation, started making mistakes, breaking his own rules and the darknet’s unwritten "code."
- He failed to build a coherent defense, offered no alternative versions, and did not deny his connection to the photo.
- His circle saw his real reaction, not a rehearsed mask—which became a key factor for most observers.
Consequences and Conclusions
As a result of a comprehensive OSINT analysis (stylometry, profile matches, behavioral markers), it was established with very high confidence: Devman (Sozdatel) is Oleg Nefedov, also known as "Tramp" from Conti, for whom the FBI has announced a $10 million reward.
The publication of the first dox in June 2025 and several photos of Nefedov caused a stir in the chat: some participants believed the de-anonymization, some remained neutral, but no serious alternative versions appeared. In several Telegram channels, the news of the de-anonymization spread quickly, and the situation went beyond the chat. After the first dox, Sozdatel (Devman) changed his username; after the second dox in July 2025, he deleted his username completely, suffered a deep moral defeat, but still remains active. All of this is preparation for my next, third phase of the attack—targeting Tramp specifically, and the Conti group as a whole.
Attached to the article:
- Full personal dossier on Oleg Nefedov (aka Tramp, Devman) (see below)
- Full chat discussion fragment with the "Nefedov selfie" operation (see below)
- Archive of Sozdatel’s (Devman’s) messages from open Telegram groups for independent stylometric and linguistic analysis (see link below)
- Selection of "Tramp" messages from Conti chats (see link below)
- Selection of my messages ("X" @HackIntel) and "Sozdatel" messages from the Club31337 group (see link below)
https://mega.nz/file/BsBTVBYZ#UHPPe6PHsH0Tj7qE6HrOzwHiYZ6HsyDazOdOsB5gbmM
Telegram-chat Club31337 - deanon Devman Sozdatel
Here is the full translation of chat log into English, preserving the structure:
| ID | Date & Time | Sender | Message |
| 34066 | 2025-07-05T13:44:54 | X | |
| 34067 | 2025-07-05T13:46:20 | RastaFireEye | oleg nichaev |
| 34068 | 2025-07-05T13:46:24 | RastaFireEye | tramp |
| 34069 | 2025-07-05T13:46:57 | RastaFireEye | and who am I, remind me |
| 34070 | 2025-07-05T13:47:02 | X | tram taram pam tramp |
| 34071 | 2025-07-05T13:47:33 | X | that's you oleg nichaev, he's oleg nefedov |
| 34072 | 2025-07-05T13:47:39 | RastaFireEye | nefedov oleg? |
| 34073 | 2025-07-05T13:47:44 | RastaFireEye | no |
| 34074 | 2025-07-05T13:47:49 | RastaFireEye | he's oleg nichaev |
| 34075 | 2025-07-05T13:47:50 | X | YEE |
| 34076 | 2025-07-05T13:47:52 | RastaFireEye | I'm nefedov |
| 34077 | 2025-07-05T13:48:35 | Sozdatel | where did the photo come from? |
| 34078 | 2025-07-05T13:48:40 | X | you're tramp too) |
| 34079 | 2025-07-05T13:48:53 | Sozdatel | where is this photo from? |
| 34080 | 2025-07-05T13:48:56 | X | from a special archive |
| 34081 | 2025-07-05T13:49:05 | RastaFireEye | why so? |
| 34082 | 2025-07-05T13:49:12 | RastaFireEye | I'm oleg nefedov |
| 34083 | 2025-07-05T13:49:20 | RastaFireEye | maybe I created Zeus botnet |
| 34084 | 2025-07-05T13:50:14 | X | well, Zeus or not, I don't know, but your skills, Rasta, are really cool) |
| 34085 | 2025-07-05T13:50:28 | RastaFireEye | I'm flattered) |
| 34086 | 2025-07-05T13:51:03 | Sozdatel | where from |
| 34087 | 2025-07-05T13:51:04 | Sozdatel | the photo |
| 34088 | 2025-07-05T13:51:10 | Sozdatel | who leaked it? |
| 34089 | 2025-07-05T13:51:17 | RastaFireEye | you got sold out, bro |
| 34090 | 2025-07-05T13:51:38 | X | taken with the selfie camera on your phone |
| 34091 | 2025-07-05T13:51:53 | Sozdatel | that's clear, that it's from Oleg's phone |
| 34092 | 2025-07-05T13:51:54 | Sozdatel | but from where |
| 34093 | 2025-07-05T13:52:16 | RastaFireEye | maybe Oleg sent it himself |
| 34094 | 2025-07-05T13:52:32 | X | my sources |
| 34095 | 2025-07-05T13:52:45 | Sozdatel | got it |
| 34096 | 2025-07-05T13:52:47 | Sozdatel | they're fucked |
| 34097 | 2025-07-05T13:52:59 | RastaFireEye | or maybe X is Stern deflecting suspicion like Chikatilo) |
| 34098 | 2025-07-05T13:53:40 | RastaFireEye | you know too much about Conti, even more than Stern himself |
| 34099 | 2025-07-05T13:54:15 | X | well, Conti is my hobby) |
| 34100 | 2025-07-05T13:54:24 | Sozdatel | who leaked the photo? |
| 34101 | 2025-07-05T13:54:30 | Sozdatel | name the rat |
| 34102 | 2025-07-05T13:54:32 | RastaFireEye | you think he'll say? |
| 34103 | 2025-07-05T13:54:32 | Sozdatel | you'll get money |
| 34104 | 2025-07-05T13:54:39 | Sozdatel | he'll sell the rat |
| 34105 | 2025-07-05T13:54:41 | Sozdatel | you'll see |
| 34106 | 2025-07-05T13:54:47 | RastaFireEye | deal |
| 34107 | 2025-07-05T14:07:38 | X | you can argue with Rasta) would be interesting |
| 34108 | 2025-07-05T14:08:16 | Sozdatel | this is all fun |
| 34109 | 2025-07-05T14:08:18 | Sozdatel | I need to go to tsar |
| 34110 | 2025-07-05T14:08:19 | Sozdatel | need to |
| 34111 | 2025-07-05T14:09:14 | takatisho | rent some coals |
| 34112 | 2025-07-05T14:09:18 | takatisho | let them carry |
| 34113 | 2025-07-05T14:11:08 | D0C | which of these Olegs is Marat? |
| 34114 | 2025-07-05T14:12:49 | X | Marat's last name is actually Nurtinov) he's not Oleg |
| 34115 | 2025-07-05T14:13:09 | D0C | I meant the joke from Comedy Club |
| 34116 | 2025-07-05T14:30:49 | X | wouldn't recommend. it's safer in CAO. |
| 34117 | 2025-07-05T17:27:44 | X | The photo was of Oleg Nefedov (Tramp). Now, some questions. 1. Would Sozdatel be so worried if the photo was of someone else and not himself? 2. Why such an instant reaction and certainty that the photo was leaked? 3. Would he so quickly make a decision and offer money for someone else, especially for his "boss"? 4. Why did he immediately and clearly decide it was an insider, a "rat", that it was specifically a leak from his own people? Doesn't all this convincingly show everyone that he is Tramp (Oleg Nefedov)? (You can ban me, but you can't hide the truth anymore, it's all obvious) |
| 34118 | 2025-07-05T17:27:45 | X | where did the photo come from? |
| 34119 | 2025-07-05T17:27:45 | X | where is this photo from? |
| 34120 | 2025-07-05T17:27:45 | X | where from |
| 34121 | 2025-07-05T17:27:45 | X | the photo |
| 34122 | 2025-07-05T17:27:45 | X | who leaked it? |
| 34123 | 2025-07-05T17:27:45 | X | that's clear, that it's from Oleg's phone |
| 34124 | 2025-07-05T17:27:45 | X | but from where |
| 34125 | 2025-07-05T17:27:45 | X | who leaked the photo? |
| 34126 | 2025-07-05T17:27:45 | X | name the rat |
| 34127 | 2025-07-05T17:27:45 | X | you'll get money |
| 34133 | 2025-07-05T17:30:21 | X | P.S. all these messages were forwarded not from private, but from here, from this chat (I never share info from private messages with anyone). |
| 34134 | 2025-07-05T17:47:42 | RastaFireEye | yeah, right)) |
| 34135 | 2025-07-05T17:47:54 | RastaFireEye | Olezha says you sold out the rat |
| 34136 | 2025-07-05T17:48:13 | RastaFireEye | so Olezha won the bet |
| 34137 | 2025-07-05T17:48:31 | RastaFireEye | I thought a bit better of you |
| 34138 | 2025-07-05T17:48:34 | X | he's lying |
| 34139 | 2025-07-05T17:48:45 | RastaFireEye | I believe him more |
| 34140 | 2025-07-05T17:48:56 | X | ask him for proof) |
| 34141 | 2025-07-05T17:48:58 | RastaFireEye | and I believe Spider-Man |
| 34142 | 2025-07-05T17:49:47 | Sozdatel | |
| 34143 | 2025-07-05T17:50:08 | X | let him show the transaction ID) |
| 34144 | 2025-07-05T17:52:00 | Sozdatel | no one paid |
| 34145 | 2025-07-05T17:52:04 | Sozdatel | but he was ready |
| 34146 | 2025-07-05T17:52:06 | Sozdatel | to sell |
| 34147 | 2025-07-05T17:53:13 | X | so you should have paid and checked, not just shared your assumptions, right? |
| 34148 | 2025-07-05T18:03:55 | X | you decided to talk shit about me? Let's check what your word is worth. bc1qch7mr9w7kevz69g9n3nhqwdy300t8rpn50n0sw send any symbolic payment here, one bitcoin for example I'll send you the source of the leak right here and now. If you back out – then you're a fake, and your place is under the bunk. React if you see this message. |
| 34149 | 2025-07-05T18:05:20 | Sozdatel | skhahamkh='a |
| 34150 | 2025-07-05T18:05:56 | Sozdatel | yeah |
| 34151 | 2025-07-05T18:05:59 | Sozdatel | well listen |
| 34152 | 2025-07-05T18:06:00 | Sozdatel | mister |
| 34153 | 2025-07-05T18:06:06 | Sozdatel | my informants are important to me) |
| 34154 | 2025-07-05T18:06:16 | Sozdatel | I'm not going to put on a circus for you here |
| 34155 | 2025-07-05T18:06:18 | Sozdatel | but the fact is |
| 34156 | 2025-07-05T18:06:25 | Sozdatel | that you're literally ready to sell your informants |
| 34157 | 2025-07-05T18:06:30 | Sozdatel | and you confirmed it publicly |
| 34158 | 2025-07-05T18:06:35 | Sozdatel | thanks for playing my game |
| 34159 | 2025-07-05T18:08:11 | X | you're making a serious accusation. I've argued my position above. You have the opportunity to check—go ahead. Let's check. |
| 34160 | 2025-07-05T18:08:27 | Sozdatel | oh listen |
| 34161 | 2025-07-05T18:08:28 | Sozdatel | well fuck |
| 34162 | 2025-07-05T18:08:31 | Sozdatel | here's the position |
| 34163 | 2025-07-05T18:08:38 | Sozdatel | do you give permission for me to post a couple of messages? |
| 34164 | 2025-07-05T18:08:40 | Sozdatel | from our DMs |
| 34165 | 2025-07-05T18:10:10 | X | don't just talk here, and don't look for loopholes. Post them later, I'll give permission, if you first show what your word is worth. |
| 34166 | 2025-07-05T18:10:46 | Sozdatel | Hahahahaha |
| 34167 | 2025-07-05T18:10:48 | Sozdatel | You're a character |
| 34168 | 2025-07-05T18:10:50 | X | the address is there. everyone sees it. send, don't just talk. I'll post the result right away. |
| 34169 | 2025-07-05T18:11:08 | Sozdatel | No, I won't send anything) |
| 34170 | 2025-07-05T18:11:10 | Sozdatel | What's the point |
| 34171 | 2025-07-05T18:12:00 | X | then your words are worthless. I already said where your place is. |
| 34172 | 2025-07-05T18:12:47 | Sozdatel | Ahahahaha |
| 34173 | 2025-07-05T18:12:59 | Sozdatel | If you don't delete the channel, you're a bitch |
| 34174 | 2025-07-05T18:13:21 | Sozdatel | Same level |
| 34175 | 2025-07-05T18:13:25 | Sozdatel | Ultimatums |
| 34176 | 2025-07-05T18:14:24 | X | you have 5 minutes to decide. After that, you'll fall in my eyes completely. And I won't take you seriously at all. |
| 34177 | 2025-07-05T18:14:35 | Sozdatel | Same here |
| 34178 | 2025-07-05T18:16:34 | X | well, check. I'm a man of my word. And who are you? I'm giving you a chance to save face now. Don't take this lightly. Your reputation is on the line. |
| 34179 | 2025-07-05T18:17:18 | Sozdatel | Yeah |
| 34180 | 2025-07-05T18:17:33 | Sozdatel | So, fuck, if you don't delete the channel, you're a fake and a bitch |
| 34181 | 2025-07-05T18:17:36 | Sozdatel | Argument? |
| 34182 | 2025-07-05T18:17:40 | RastaFireEye | well look |
| 34183 | 2025-07-05T18:17:44 | RastaFireEye | you're selling him out |
| 34184 | 2025-07-05T18:17:47 | Sozdatel | Your reputation |
| 34185 | 2025-07-05T18:17:49 | Sozdatel | Is on the line |
| 34186 | 2025-07-05T18:17:50 | Sozdatel | Ahahahaha |
| 34187 | 2025-07-05T18:17:51 | RastaFireEye | even sent BTC |
| 34188 | 2025-07-05T18:18:25 | X | don't jump from topic to topic. this is a specific question, and a specific situation. We can discuss everything else later. |
| 34189 | 2025-07-05T18:19:50 | X | I'm giving you a chance. I'll post the evidence right here and now. My word is reliable. And you know it. Show that your word is worth something. |
| 34190 | 2025-07-05T18:20:20 | X | you have 2 minutes left to decide. |
| 34191 | 2025-07-05T18:20:51 | Sozdatel | I'm ready to tell everything, don't worry. |
| 34192 | 2025-07-05T18:20:51 | Sozdatel | I'm ready to tell everything, don't worry. |
| 34193 | 2025-07-05T18:20:54 | Sozdatel | Alright, here( |
| 34194 | 2025-07-05T18:21:28 | X | "I'll send you the source of the leak. Right here and now." |
| 34195 | 2025-07-05T18:22:35 | X | well, check now. Waiting for the transfer and I'll provide what I promised above. |
| 34196 | 2025-07-05T18:22:48 | Sozdatel | I mean this) |
| 34197 | 2025-07-05T18:23:16 | Sozdatel | Not nice, right? |
| 34198 | 2025-07-05T18:23:21 | Sozdatel | That you're revealing your sources |
| 34199 | 2025-07-05T18:23:29 | X | send it. I'll post the result. |
| 34200 | 2025-07-05T18:24:08 | X | I'll reveal the source. Yes. |
| 34201 | 2025-07-05T18:24:30 | X | last time I'm asking—are you sending or are you a fake? then I'll reveal for free. |
| 34202 | 2025-07-05T18:25:10 | Sozdatel | I'll never send you a single cent in my life) |
| 34203 | 2025-07-05T18:25:16 | Sozdatel | And your arguments are bullshit |
| 34204 | 2025-07-05T18:25:36 | Sozdatel | that's what was needed |
| 34205 | 2025-07-05T18:25:37 | Sozdatel | a sign that you'll reveal your sources |
| 34206 | 2025-07-05T18:25:41 | Sozdatel | As I said) |
| 34207 | 2025-07-05T18:25:56 | Sozdatel | Again, thanks for playing my game |
| 34208 | 2025-07-05T18:26:37 | Not Genius 01 | |
| 34209 | 2025-07-05T18:27:42 | X | You showed who you are, and what your word is worth. Publicly. You're a fake and a liar. Period. |
| 34210 | 2025-07-05T18:27:55 | X | source of the leak—demonstrating for free |
| 34211 | 2025-07-05T18:29:26 | X | This photo is from a closed information system. I got it from there. |
| 34212 | 2025-07-05T18:38:39 | X | |
| 34213 | 2025-07-05T18:38:39 | X | |
| 34214 | 2025-07-05T18:38:40 | X | |
| 34215 | 2025-07-05T18:38:40 | X | |
| 34216 | 2025-07-05T18:38:40 | X | |
| 34217 | 2025-07-05T18:38:40 | X | |
| 34218 | 2025-07-05T18:38:40 | X | |
| 34219 | 2025-07-05T18:38:40 | X | |
| 34220 | 2025-07-05T18:38:40 | X | |
| 34221 | 2025-07-05T18:38:40 | X | |
| 34222 | 2025-07-05T18:38:40 | X | |
| 34223 | 2025-07-05T18:39:51 | Sozdatel | Where's the Bentley |
| 34224 | 2025-07-05T18:40:28 | X | crawl under the bunk |
| 34225 | 2025-07-05T18:44:29 | X | and I didn't give you permission. you acted badly in this too. |
| 34226 | 2025-07-05T18:44:32 | Sozdatel | Yourself |
| 34227 | 2025-07-05T18:44:33 | Sozdatel | ? |
| 34228 | 2025-07-05T18:44:57 | X | |
| 34229 | 2025-07-05T18:45:12 | Sozdatel | Quiet, Mr. Kapoor |
