Anonymous Investigator Exposed Entire Conti Ransomware Gang Group Photos and Location  

The anonymous investigator GangExposed has pierced the veil of secrecy surrounding the Conti ransomware group, one of the world’s most infamous cybercrime syndicates.

Through meticulous analysis of leaked chats, travel records, financial data, and public records, GangExposed has unmasked core figures, including Vladimir Viktorovich Kvitko (“Professor”), Arkady Valentinovich Bondarenko (“Negotiator”), Andrey Yuryevich Zhuykov (“Defender”), and the elusive “Target,” who carries a $10 million FBI bounty.

This in-depth investigation traces Conti’s audacious attacks on hospitals during the COVID-19 pandemic and its transformation of Dubai into a global cybercrime hub, offering a critical opportunity to dismantle the group’s sprawling network.

Evolving from the TrickBot and Ryuk malware groups, Conti emerged by 2020 as a sophisticated criminal enterprise, targeting corporations, governments, and, most heinously, hospitals.

Operating with corporate-like precision, the group leveraged physical offices, a disciplined hierarchy, and advanced technical infrastructure to extort millions in Bitcoin.

GangExposed’s leaks, including Conti Jabber, RocketChat, Black Basta Matrix-Chat, and Telegram messages from Vitaly Kovalev (“Stern,” @tguser1), reveal internal communications, financial flows, and operational details.

Despite attempts to erase evidence, recovered chats expose Conti’s schemes, from hospital attacks to money laundering, providing a roadmap for investigators.

The Dubai Hub: Conti’s 2021 Offensive

In autumn 2021, Conti transformed Dubai into its operational nerve center, orchestrating a wave of ransomware attacks targeting Western, Middle Eastern, and Chinese organizations.

Led by “Target,” the group operated from physical offices equipped with dedicated attack infrastructure, supported by negotiator Arkady Bondarenko, system administrator Andrey Zhuykov, and coordinators like Mikhail Mikhailovich Tsaryov (“Mango,” born April 20, 1989).

The campaign unfolded with chilling precision: on October 1, 2021, Mango referenced Bondarenko as a “Canadian negotiator from a recovery company” in leaked chats, coinciding with his flight from Dubai to Moscow (flight EK-133) after discussing payment issues via the Suex exchange.

By October 2, Target coordinated the setup of a Dubai office, procuring equipment with deputy Sergey Khitrov, while Zhuykov ensured server and proxy stability.

Between October 10–14, key members, including Kvitko, Marat Nurtdinov, Oleg Fakeev, and Elizaveta Suchkova, arrived in Dubai via flights SU-520 and G9-956.

From October 17 to November 6, Conti executed peak attacks: 7 on October 17 (e.g., Graff Diamonds, JVCKenwood), 11 on October 23 (e.g., Obeikan Investment Group in the UAE), and 13 on November 6, including ARM China and TRINA SOLAR (UAE).

These attacks exploited Dubai’s lack of extradition agreements, targeting a global array of victims.

When GangExposed began leaking these secrets, Conti offered $4 million for a Telegram exploit to retaliate, as reported by Habr.

The investigator, undeterred, remarked, “I poked the hornet’s nest,” promising further revelations about Target’s identity.

Vladimir Kvitko: The “Professor” of Carding

Vladimir Viktorovich Kvitko (born October 23, 1984), known as “Professor,” is a core Conti leader specializing in real-world carding schemes targeting vulnerable banking systems in countries like India, Cuba, and Iran.

Relocating from Moscow to Dubai in autumn 2020, Kvitko has not returned to Russia since August 2022, managing visa extensions through trips to the Netherlands and Austria.

GangExposed’s evidence ties Kvitko to “Professor” through synchronized travel and chat inactivity: Russian records place him in the Altai Republic from June 15–17, 2021, matching periods when “Professor” was silent in Conti’s Jabber chats, resuming communication on June 18.

His dossier, detailing passports, phone numbers, emails, social media, and income from RM RAIL Management Company and Rosselkhozbank, is included in GangExposed’s archive (Mega link).

Arkady Bondarenko: The Negotiator

Arkady Valentinovich Bondarenko (born August 2, 1970), a dual Russian-Canadian citizen, served as Conti’s key negotiator, managing victim communications and ransom payments.

Leaked chats from October 1, 2021, identify him as the “Canadian from a recovery company,” coinciding with his flight from Dubai to Moscow.

His travel frequently overlapped with Kvitko’s, notably on January 17, 2020 (Kvitko on SU-522, Bondarenko on EK-134), May 2022, and February 2019, suggesting discreet in-person meetings.

Bondarenko’s financial profile, with over 107 million RUB from VTB Bank, luxury Moscow properties, premium vehicles (e.g., Infiniti QX80), and shell companies like LLC “Jewelry House Millennium,” points to money laundering.

His dossier lists multiple phones (e.g., +7 926 686-00-00) and emails, confirming his role as a financial intermediary.

Andrey Zhuykov: The Technical Mastermind

Andrey Yuryevich Zhuykov (born February 18, 1982), alias “Defender,” is Conti’s principal system administrator, operating from Russia’s Sverdlovsk Region and Sochi.

Responsible for servers, domains, proxies, VPNs, and control panels, Zhuykov’s technical expertise and strict management style make him a critical “single point of failure.”

He coordinated payments for infrastructure, conducted security audits, and managed team access, ensuring operational anonymity.

Despite his pivotal role, Zhuykov’s personal finances are strained, with debts exceeding 2 million RUB and enforcement cases for child support.

Target: The $10 Million Shadow

“Target,” operating under aliases like “Bloodrush” and “Red,” is Conti’s ruthless leader, commanding a near-corporate enterprise with a $10 million FBI bounty.

Boasting ties to Russia’s FSB and amassing millions in Bitcoin while paying operatives $200 weekly, he orchestrated Conti’s most egregious attacks, targeting 428 U.S. hospitals in October 2020 during the COVID-19 pandemic.

His chilling chats—“428 hospitals… I’m satisfied” and “make them die or pay up”—reveal a callous disregard for human suffering.

Target’s offline offices, strict oversight, and efforts to erase digital traces via Jabber and RocketChat underscore his operational savvy, though GangExposed recovered critical messages through metadata analysis.

Additional figures like Vitaly Kovalev (“Stern”), whose Telegram messages reveal network connections despite his plastic surgery to evade detection, and Mikhail Tsaryov (“Mango”), who referenced Bondarenko’s role, complete the leadership network.

The exposure of Conti’s Dubai hub and dossiers on Kvitko, Bondarenko, Zhuykov, and others offers actionable intelligence for UAE authorities to investigate local victims like Obeikan Investment Group and TRINA SOLAR, for Chinese authorities to probe ARM China’s breach, and for Western agencies to leverage Target’s bounty.

Bondarenko’s dual citizenship and Zhuykov’s financial trails provide avenues for international cooperation to seize illicit funds.

GangExposed’s relentless investigation has shattered Conti’s anonymity, exposing Kvitko’s carding schemes, Bondarenko’s negotiations, Zhuykov’s technical backbone, and Target’s hospital attacks.

With detailed dossiers and leaked data, this breakthrough empowers law enforcement and victims to dismantle a global cybercrime empire, marking a pivotal moment in the fight against ransomware.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity and Co-Founder & Editor-in-Chief of Cyber Press Inc.
