Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump

A mystery whistleblower calling himself GangExposed has exposed key figures behind the Conti and Trickbot ransomware crews, publishing a trove of internal files and naming names.

The leaks include thousands of chat logs, personal videos, and ransom negotiations tied to some of the most notorious cyber-extortion gangs — believed to have raked in billions from companies, hospitals, and individuals worldwide.

It’s part of his “fight against an organized society of criminals known worldwide,” GangExposed told The Register via Signal chat. He claims that he’s not interested in the $10 million bounty that the Feds have put up for information about one key Conti leader that he’s already named, as well as a second that he says will soon be identified on Telegram.

“I take pleasure in thinking I can rid society of at least some of them,” GangExposed said. “I simply enjoy solving the most complex cases.”

After creating his latest Telegram channel on May 5 — GangExposed says two earlier accounts were shut down days ago — he published his first “revelation” and outed Stern, the leader of Trickbot and Conti, as a 36-year-old Russian named Vitaly Nikolaevich Kovalev. Stern’s identity was later confirmed by German police.

A couple of days later, GangExposed claimed to identify another key Conti crim who goes by Professor as Vladimir Viktorovich Kvitko, a 39-year-old Russian national who reportedly relocated from Moscow to Dubai. According to chat logs and other communications leaked by GangExposed, Kvitko and other Conti leaders moved to Dubai in 2020 and set up shop in the United Arab Emirates to continue their cyberattacks against Western organizations.

“Kvitko maintains a modest lifestyle, with known property in Moscow and several vehicles registered to family members,” GangExposed posted. “Income mostly originates from RM RAIL Management Company and Rosselkhozbank. In contrast, other Conti leaders (e.g., ‘Target’) display significant luxury assets, including a Moscow City apartment, Ferrari, and 2 multiple Maybach vehicles.”

He also published a video of what GangExposed says is six Conti ransomware members on a private jet, celebrating the birthday of another key leader, Target. 

The US government has offered up to $10 million for information leading to the identification or location of five key Conti operators, including “Professor” and “Target.” GangExposed says he’s going to identify Target next.

“Essentially I burned $10 million when I published Professor,” he told The Register. “And I’m about to burn another $10 million when I publish Target.”

And on Thursday, he posted a whopping 15 photos of alleged Conti members along with a more detailed write-up of Conti’s lead sysadmin Defender, aka Andrey Yuryevich Zhuykov, and Mango, aka Mikhail Mikhailovich Tsaryov, a senior manager within the group.

“This is no longer just a leak — it’s a high-stakes intelligence war,” FalconFeeds threat intel analysts posted on social media.

Who is GangExposed?

GangExposed calls himself an “independent anonymous investigator” without any formal IT background, and said he hasn’t had “a ‘real’ name in years.”

“My toolkit includes classical intelligence analysis, logic, factual research, OSINT methodology, stylometry (I am a linguist and philologist), human psychology, and the ability to piece together puzzles that others don’t even notice,” he said. “I am a cosmopolitan with many homes but no permanent base — I move between countries as needed. My privacy standards are often stricter than those of most subjects of my investigations.”

GangExposed says he obtained all of the data he leaked via “semi-closed databases, darknet services (for probing state records through corrupt officials), and I often purchase information. I have access to the leaked FSB border control database,” which he says was being sold on the darkweb for $250,000. 

He hopes his investigation can achieve three objectives. First, he wants to publicly identify all of the gangs’ key criminal participants — GangExposed puts this number at around 50 — see them sanctioned, and also named on Interpol’s wanted persons list.

Second, GangExposed says he wants to “disrupt their current enrichment schemes by exposing the organizers of the Blockchain Life forum, which serves as a breeding ground for fraudulent pyramid schemes.” 

Blockchain Life, according to the internal chat logs, was a scheme organized by Khitrov and Kovalev (aka Stern) that aimed to legitimize Trickbot’s and Conti’s illegally obtained cryptocurrency earnings.

Finally, GangExposed says he wants to “deprive them of a safe haven in the UAE. The respected authorities of the UAE strictly uphold their laws, and while they lack extradition agreements for cybercriminals, I’ve managed to investigate and prove that Conti used the UAE specifically for carrying out attacks. In other words, they physically committed a series of crimes while being present there.”

Some security researchers think he could in fact be a disgruntled former ransomware criminal looking to burn his bosses or simply resurface the 2022 Conti leaks.

“The data we’ve reviewed provides strong indicators that the source behind the leak is either an ex-member or a disgruntled insider from within the group — given the level of access, context, and internal coordination reflected in the communications,” Technisanct founder and CEO Nandakishore Harikumar told The Register. Technisanct owns FalconFeeds.

Harikumar’s threat-intel group has analyzed all of GangExposed’s leaks, and shared a 34-page analysis with The Register about the massive data dump. He recommends that law enforcement pursue investigative leads from the newly disclosed personally identifiable information about key Conti leaders detailed in the leaks.

https://www.theregister.com/2025/05/31/gangexposed_coni_ransomware_leaks/

EU to force Apple to open up iOS for developers

Apple has filed an appeal with the European Union’s General Court in Luxembourg challenging the bloc’s order requiring greater iOS interoperability with rival companies’ products under the Digital Markets Act. The EU executive in March directed Apple to make its mobile operating system more compatible with competitors’ apps, headphones, and virtual reality headsets by granting developers and device makers access to system components typically reserved for Apple’s own products.

Apple contends the requirements threaten its seamless user experience while creating security risks, noting that companies have already requested access to sensitive user data including notification content and complete WiFi network histories. The company faces potential fines of up to 10% of its worldwide annual revenue if found in violation of the DMA’s interoperability rules designed to curb Big Tech market power.

The US Is Storing Migrant Children’s DNA in a Criminal Database

The United States government has collected DNA samples from upwards of 133,000 migrant children and teenagers—including at least one 4-year-old—and uploaded their genetic data into a national criminal database used by local, state, and federal law enforcement, according to documents reviewed by WIRED. The records, quietly released by the US Customs and Border Protection earlier this year, offer the most detailed look to date at the scale of CBP’s controversial DNA collection program. They reveal for the first time just how deeply the government’s biometric surveillance reaches into the lives of migrant children, some of whom may still be learning to read or tie their shoes—yet whose DNA is now stored in a system originally built for convicted sex offenders and violent criminals.

[…]

Spanning from October 2020 through the end of 2024, the records show that CBP swabbed the cheeks of between 829,000 and 2.8 million people, with experts estimating that the true figure, excluding duplicates, is likely well over 1.5 million. That number includes as many as 133,539 children and teenagers. These figures mark a sweeping expansion of biometric surveillance—one that explicitly targets migrant populations, including children.

[…]

Under current rules, DNA is generally collected from anyone who is also fingerprinted. According to DHS policy, 14 is the minimum age at which fingerprinting becomes routine.

[…]

“Taking DNA from a 4-year-old and adding it into CODIS flies in the face of any immigration purpose,” she says, adding, “That’s not immigration enforcement. That’s genetic surveillance.”

Multiple studies show no link between immigration and increased crime.

In 2024, Glaberson coauthored a report called “Raiding the Genome” that was the first to try to quantify DHS’s 2020 expansion of DNA collection. It found that if DHS continues to collect DNA at the rate the agency itself projects, one-third of the DNA profiles in CODIS by 2034 will have been taken by DHS, and seemingly without any real due process—the protections that are supposed to be in place before law enforcement compels a person to hand over their most sensitive information.