Tracing the Ghosts of Conti: Mapping a Defunct Ransomware Giant’s Infrastructure
Conti’s operations may have ended in 2022, but the group’s infrastructure has remained scattered across the darkweb. Leak portals, recovery domains, and malware artifacts tied to the collective continue to resurface, offering a window into how Conti organized its ecosystem and where traces of it can still be found today.
Using StealthMole’s monitoring tools, we mapped these remnants into a broader picture. The investigation identified multiple onion portals, some well known, others obscure or inactive, alongside clearnet recovery sites, hundreds of malware hashes, and several ProtonMail addresses tied to ransom notes. In several cases, overlaps between artifacts, such as identical hashes appearing on different portals, provided direct links between otherwise separate pieces of infrastructure.
By mapping these traces through StealthMole, we build a clearer picture of how Conti maintained its ecosystem and the types of assets it relied on. The goal is not to revisit the group’s history, but to create a practical reference that security teams can use to identify future activity that bears Conti’s fingerprints.
Background
Conti first appeared in early 2020 and quickly established itself as one of the most aggressive ransomware groups of its time. Built on the earlier Ryuk operation, the group ran a “ransomware-as-a-service” model, working with affiliates to compromise networks, exfiltrate data, and deploy file-encrypting malware. Conti distinguished itself by combining high-profile data leaks with large ransom demands, often targeting enterprises, government agencies, and critical services.
The group gained wider attention in 2021 and 2022 as its leak site filled with hundreds of victims from across the globe. Its activities culminated in a high-profile attack on Costa Rica’s government, which disrupted public services and prompted the country to declare a national emergency. Not long after, internal Conti chat logs were leaked by a Ukrainian researcher, exposing details of the group’s structure, negotiations, and internal disputes.
By mid-2022, the Conti brand was officially dissolved. However, its members did not disappear. Many analysts believe they regrouped under different banners, including BlackBasta, Royal, and other emerging ransomware outfits, while the infrastructure linked to Conti remained scattered across the darkweb. It is these remnants, and the patterns they reveal, that form the focus of this report.
Incident Trigger & Initial Investigation
Our investigation began with StealthMole’s ransomware monitoring tool, which recorded 868 victims of Conti between January 2020 and May 2022, reflecting the group’s scale during its active years. The dataset provides a reliable baseline for understanding how Conti operated, with each entry tied to a public leak, a recovery interaction, or both.
Out of these 868 victims, the vast majority, 838 cases, were posted on the group’s primary leak site:
- http://contin******************************************ad.onion
Earlier in its lifecycle, Conti briefly used additional portals to publish victim data. In August 2020, six victims appeared on:
- http://htc*********************************************yd.onion
Between September and December 2020, another 24 victims were listed on:
- http://fy***********if.onion
After these initial experiments, the group consolidated operations under the http://contin...ad.onion domain, which became the primary outlet for publishing victim information until the brand was dissolved in mid-2022.
The final entry in this dataset was The Contact Company, a UK-based business services provider. Its listing appeared on a Conti leak portal in May 2022, just weeks before the group formally dissolved. This timing gave the case particular significance: it captured the last moment when Conti’s leak infrastructure was still in active use, before the operators disbanded and re-emerged under new banners.
Using this victim entry as a starting point allowed the investigation to move outward from a fixed and verifiable reference. The posting provided access to the leak portal still operational at the time, which in turn revealed additional domains, clearnet mirrors, and recovery services linked to Conti. From there, the trail expanded into associated malware samples and even email addresses embedded in ransom notes, creating a network of indicators that could be mapped against one another.
Anchoring the investigation on Conti’s final victim ensured that the analysis did not rely on historical artifacts alone. Instead, it traced the group’s infrastructure at the point of its collapse, offering a clearer view of the assets that remained in circulation after the brand was retired.
Infrastructure Mapping
Conti’s infrastructure evolved over time, with several shifts in hosting and presentation that mirrored the group’s growth and eventual collapse. By following the progression of leak portals, mirrors, and recovery services, it is possible to see how the collective managed both resilience and visibility.
Early Portals (2020)
- In August 2020, Conti published its first victim data on a leak site hosted at:
  - http://htc*************************************yd.onion
- A total of six victims were listed on this domain before it was abandoned.
- Between September and December 2020, a second site was used briefly:
  - http://fy****************if.onion
- 24 victims were posted here before the group moved on to more stable infrastructure.
Primary Leak Site (2020–2022)
- From late 2020 onward, Conti consolidated its operations under its main portal:
  - http://contin**********************************ad.onion
- This domain became the backbone of Conti’s public-facing activity, eventually hosting information on 838 victims.
- During its peak, this site also spawned several clearnet mirrors, including:
  - conti****s.b***t
  - conti****s.*z
  - conti****s.c****k
- These mirrors were likely intended to ensure victim data remained accessible even if the onion service went offline.
Backup and Alternate Domains
- Throughout 2021 and 2022, several additional onion domains were identified as connected to Conti. Many of these did not host significant content but appear to have been prepared as backups or alternates:
  - 4n*************************************************ad.onion
  - tt*************************************************ad.onion
  - ni*************************************************qd.onion
- Later domains included more structured naming, such as:
  - m2*************************************************id.onion
  - conti*********************************************wad.onion
  - contir********************************************oad.onion
Recovery Infrastructure
- Beyond leak portals, Conti also maintained recovery sites, used to manage communication with victims and ransom payments.
- One such domain identified was:
  - http://jqb************************************3yd.onion
- This was mirrored on the clearnet at:
  - https://contir*******y.*s
- These portals instructed victims to upload the README.txt left behind on infected systems, establishing a channel for negotiation.
Malware Hashes
Beyond victim listings and recovery sites, several Conti-linked domains hosted large collections of malware samples. These artifacts provide technical fingerprints that connect separate portals and help track possible re-use in future operations. Grouping them under the domains where they were discovered shows how Conti distributed its tooling across its infrastructure.
m2************************************************aid.onion
This domain yielded 25 malware hashes. Several were associated with ProtonMail addresses: lim*******0@protonmail.com, hei**********1@protonmail.com, and pol**********2@protonmail.com. These links provided one of the clearest connections between Conti’s infrastructure and its victim communication channels.
contir*******************************************3wad.onion
This domain provided 31 malware hashes. While not all were tied to specific communication channels, their discovery confirmed that Conti used these secondary sites not only for victim exposure but also for distributing and indexing malware.
contirec*****************************************5oad.onion
This was the most artifact-rich domain, yielding 187 malware hashes. Among them, one hash (f43**********************36) was also seen on contire*****x...onion, establishing a direct link between the two sites. The domain also led to the discovery of Conti’s recovery infrastructure (jqb******g...onion) and its clearnet mirror (conti******y.*s).
Why the Hashes Matter
These malware samples serve two purposes in the investigation. First, they provide technical overlap: identical hashes appearing across separate domains prove operational continuity within Conti’s infrastructure. Second, the samples expose contact details embedded in ransom notes, the ProtonMail addresses, which can be used as long-term identifiers even if domains are abandoned.
Taken together, the 243 hashes collected across these three domains create a baseline for security teams to use in retro-hunting, attribution, and early-warning detection should Conti’s tools reappear under a different name.
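As an added illustration (not code from the report or from StealthMole), the following Python applies the two uses described above to per-portal hash inventories: it links portals that share identical hashes, retro-hunts hashes observed on a host against the combined baseline, and pulls mailbox addresses out of a ransom note as durable identifiers. Every portal name, hash, note fragment and address is a constructed placeholder, not an indicator from the report.

```python
import hashlib
import re
from itertools import combinations

HEX64 = re.compile(r"^[0-9a-f]{64}$")
# Ransom notes in the report carried ProtonMail addresses; this captures any mailbox.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def placeholder_hash(label):
    """Constructed stand-in for a sample hash: SHA-256 of a label, not a real IoC."""
    return hashlib.sha256(label.encode()).hexdigest()

# Constructed per-portal inventories; the portal names are hypothetical labels.
PORTAL_HASHES = {
    "portal-A": {placeholder_hash(f"sample-{i}") for i in (1, 2, 3)},
    "portal-B": {placeholder_hash(f"sample-{i}") for i in (3, 4)},
    "portal-C": {placeholder_hash(f"sample-{i}") for i in (3, 5, 6)},
}

def normalize(value):
    """Lower-case and validate a SHA-256 hex string; return None if malformed."""
    v = value.strip().lower()
    return v if HEX64.match(v) else None

def link_portals(portals):
    """Map each pair of portals sharing at least one identical hash to that overlap."""
    links = {}
    for a, b in combinations(sorted(portals), 2):
        shared = portals[a] & portals[b]
        if shared:
            links[(a, b)] = shared
    return links

def retro_hunt(observed, portals):
    """Match hashes observed in an environment against the baseline: hit -> portals."""
    index = {}
    for portal, hashes in portals.items():
        for h in hashes:
            index.setdefault(h, set()).add(portal)
    hits = {}
    for raw in observed:
        h = normalize(raw)
        if h and h in index:
            hits[h] = sorted(index[h])
    return hits

def extract_contacts(note_text):
    """Pull mailbox addresses out of a ransom note for use as durable identifiers."""
    return sorted({m.lower() for m in EMAIL_RE.findall(note_text)})

# Constructed ransom-note fragment and host hash export for a stand-alone run.
SAMPLE_NOTE = "Contact ops-example@protonmail.com or OPS-EXAMPLE@protonmail.com"
SAMPLE_HOST_HASHES = [placeholder_hash("sample-5").upper(), "deadbeef",
                      placeholder_hash("unrelated")]
```

A malformed entry in the host export is dropped by normalize rather than raising, and a hash seen on several portals reports all of them, which is the overlap the report uses to tie separate sites together.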
Amplification on Forums and Channels
Conti’s leak portals were the primary source for publishing victim data, but the group’s presence extended into other spaces where its activity was reshared and discussed. Mentions of Conti surfaced across Telegram channels and underground forums, ensuring that its leaks reached audiences well beyond direct victims.
On Telegram, Conti content was often reposted by other ransomware or hacking groups. L******t’s channel circulated generic victim announcements that included Conti leaks, blending them into a steady stream of ransomware activity. In the A****n C**b, Conti’s breach of Costa Rica was highlighted, drawing further attention to one of its most disruptive campaigns. Mentions also appeared in channels such as B****k H*t and M*******n G******s, where Conti’s leaks were folded into broader hacktivist and cybercrime discussions.
Similar amplification was observed on forums. On RAMP, for instance, Conti’s primary onion portal and its clearnet mirrors (conti****s.b**t, conti***s.*z, conti***s.c***k) were listed alongside the infrastructure of other ransomware groups. These references did not prove direct affiliation but confirmed that Conti’s infrastructure was recognized and shared within wider criminal communities.
Together, these sightings show how Conti’s reach was reinforced through secondary ecosystems. Even when not under the group’s direct control, mentions across Telegram and forums helped maintain visibility, ensuring that major leaks and portals continued circulating long after initial publication.
Assessment
The mapping of Conti’s infrastructure highlights several characteristics that remain relevant even after the group’s dissolution. The diversity of domains illustrates a deliberate effort to build resilience. Even when individual portals went offline, mirrors and alternates kept the operation accessible. This pattern suggests that any future successor group linked to Conti is likely to adopt a similar layered infrastructure strategy.
The large collections of malware hashes uncovered across multiple domains provide further continuity. Identical samples appearing on separate portals demonstrate that these were not isolated experiments but part of a coordinated backend. The embedded ProtonMail addresses show how technical artifacts can bridge infrastructure mapping with victim communication, creating long-term identifiers that remain useful for attribution even after domains are abandoned.
Amplification on Telegram and criminal forums added another dimension. While not part of Conti’s official infrastructure, these mentions helped sustain the group’s visibility and spread its leaks into wider ecosystems. This reinforces the importance of monitoring secondary platforms: they not only mirror content but can also provide early indicators of rebranded or successor activity.
Conclusion
The infrastructure left behind by Conti offers more than a snapshot of a dismantled ransomware group: it provides a framework for recognizing familiar patterns if they emerge again. From leak portals and clearnet mirrors to malware hashes and recovery sites, the pieces documented in this report show how Conti built resilience into its operations and how those traces continue to circulate long after the brand was dissolved.
By following these remnants through StealthMole’s monitoring tools, we established links between otherwise separate domains, identified technical overlaps, and observed how Conti’s presence was amplified across forums and channels. These findings underline the importance of viewing ransomware groups not as isolated campaigns but as evolving ecosystems that leave behind reusable infrastructure and artifacts.
As Conti’s members have dispersed into other groups, the indicators mapped here remain valuable reference points. Whether in the form of overlapping hashes, repurposed communication channels, or mirrored portals, they provide defenders with a baseline for detection and attribution. In this way, the legacy of Conti is not only a record of past attacks but a tool for anticipating what may come next.
Editorial Note
While every effort has been made to ensure the accuracy of this report, it is important to acknowledge that attribution in cyber investigations can never be guaranteed with complete certainty. The connections drawn are based on available open-source intelligence and StealthMole platform data. However, attribution remains probabilistic and subject to change as new information emerges.
The primary goal of this report is not just attribution, but to showcase how StealthMole’s platform enables comprehensive, efficient, and intuitive profiling of threat actors through integrated tools such as Dark Web & Telegram Trackers, ULP Binder, the Compromised Data Set and others. These tools allow even independent researchers to connect dots across aliases, infrastructure, and behavioral patterns, transforming fragmented data into actionable intelligence.
Contact us: support@stealthmole.com