'I'm dying laughing' - what leaked messages tell us about global hacking gang

News imageBBC A graphic showing a series of colourful Russian dolls and Russian style churches on a red background with a computer chip board motif. Words say BBC Cyber Hack Conti Files, with the s of files replaced by a dollar sign.BBC

Conti, one of the world's largest ransomware groups, spent years hacking people. But in 2022 the tables turned when the criminal gang imploded and thousands of their internal messages were leaked online. What do they reveal?

As the news breaks that Russia has invaded Ukraine, fingers suddenly fly into action across keyboards.

"Did you see?"

"What a nightmare on the front line."

"Is it a war?"

These are messages from within Conti, a hacking gang with mainly Russian members but affiliates all over the world.

"Friends, brothers, are there any Ukrainians besides me?" one asks in the gang's chats.

They extorted millions of dollars through scrambling organisations' data and demanding payment to release it, making an estimated $180m in 2021 alone, but some of the members had no idea who their colleagues really were.

From Redcar and Cleveland Borough Council in north-east England to luxury jeweller Graff, Conti's hacks had affected more than 1,000 organisations.

But a rift over the Russian invasion was to have serious repercussions for the criminals.

News imageEPA A Ukrainian soldier turns his face away from the blast as a giant cannon he is operating fires. He is surrounded by trees.EPA
The invasion of Ukraine sparked a rift in Conti

A day after Ukraine was struck, a message was posted on Conti's dark web site in support of Russia.

It was taken down hours later and replaced with: "We do not ally with any government, and we condemn the ongoing war."

But the damage was done.

Two days after Conti's pledge of allegiance to Russia and its furious attempt to backpedal, more than 300,000 of the gang's secret communications were leaked by one of their members.

It was a jaw-dropping day for Joe Wrieden, a cyber threat intelligence leader for UK security firm Cyjax.

A faceless account appeared on his Twitter feed, saying "we know everything about you Conti - you can't even trust your girlfriend".

"Finally," Joe says, "we get almost that full understanding of what's been going on for years in one of the most notable groups in the ransomware space."

News imageJoe Wrieden smiles at the camera. He has shoulder length thick curly brown hair and a gingery beard.
Cyber security expert Joe Wrieden said the message leak was eye-opening

The messages revealed the discussions – and crucially disagreements - taking place between gang members while they carried out some of their most audacious attacks.

For example, its targeting of the Irish Health Service Executive (HSE) in May 2021 during the middle of the Covid-19 pandemic.

Oncologist Seamus O'Reilly was doing his usual morning ward round at Cork University Hospital when all the screens went blank.

"I had no communications abilities," he recalls. "I had no access to historical patient data.

"To be brutally honest, the only time I broke down during the pandemic was after the cyber attack."

The hackers had impacted nearly all hospitals and healthcare facilities in Ireland, and they reportedly wanted $20m (£14m) to restore services.

Mum-of-two Donna-Marie Cullen was getting ready to undergo highly targeted cancer treatment when she heard about the hack on the morning news.

She can still feel the anxiety she felt then.

News imageDonna-Marie Cullen smiles at the camera. She has long blonde hair and a small nose ring.
Donna-Marie Cullen feared her cancer treatment would be disrupted by Conti

"Could these people behind this cyber attack take my life away?" she says.

The issue of attacking healthcare comes up a lot in the Conti leaks.

One member named Target was particularly keen on this tactic.

"Let them pay millions," they wrote the year before the HSE attack. "Let them die."

Target wanted to attack hundreds of hospitals across the USA.

"There is going to be panic," Target wrote, later saying "damn, I'm dying laughing".

But Target was just one member of the Conti gang.

Explaining hacking targets to a new recruit, one member said they could not attack the "medical sector" or "maternity hospitals".

There is no mention of the HSE attack specifically, but hitting hospitals during a global health emergency was a matter of debate.

At one point, a member of the team asked Conti's founder, Stern, if he had approved an encryption of a hospital.

"If you didn't approve it, I will hand the decryptor to that clinic," the member wrote. "We agreed not to touch the medical sector, remember?"

And that is exactly what happened in Ireland.

News imageJacky Fox smiles at the camera. She has shoulder length thick brown hair parted in the middle.
Jacky Fox led the team trying to resolve the hack of Ireland's HSE

Jacky Fox, senior managing director for Accenture Information Security, had pulled together a top team to tackle the attack in their rapidly convened "war room".

They worked 16-hour days and lived off takeaway pizza.

A week later, Jacky's colleague ran in holding a piece of paper and shouting they had been given the "key" by the hackers – a series of letters and numbers that would help to unscramble the data.

"I was so excited," Jacky says. "I think I actually got tearful."

But it took months for the systems to fully recover.

Thankfully Donna-Marie was able get her treatment and the cancer has gone.

'Globally famous people'

As well as debates on targeting health institutions, the messages also give a glimpse of how the hackers saw the rich and powerful.

In October 2021, international jeweller Graff was hacked and held to ransom, with Conti leaking personal data about the diamond merchant's illustrious clients on the dark web.

The leaks reportedly included information on Donald Trump, David Beckham, Philip Green, Oprah Winfrey, Frank Lampard and royals from the Gulf nations.

"This was potentially a really big story," says Kevin O'Sullivan, editor of tech media platform FutureScot.

He had been covering another of Conti's hacks when he stumbled across the leaked data.

"It was mind-blowing actually, because this was customer data and it listed A-list celebrities and globally famous people."

News imageGetty Images A white-gloved hand holds a large diamond.Getty Images
Conti targeted international jeweller Graff

In their internal chats, the gang were gossiping about what they had obtained on the celebrities, from purchase history and credit card details down to addresses and "colour of underwear".

The "whole network is buzzing" one wrote, while another said the victims were "very high-class people".

But Conti had made a mistake – they had not reviewed the leaked data properly before posting it and had unwittingly leaked data on powerful people - details of Graff purchases apparently by high profile members of the Saudi royal family.

"They'll find you and that's it," they continued. "You're gone."

Damage limitation was on their minds, with one saying their group could be ruined and the leak had to be "very quickly stopped".

"You just have to understand the line," one said, adding: "The ruling families are a friend."

In a highly unusual move, the gang released an apology, saying: "Any information pertaining to members of Saudi Arabia, UAE, and Qatar families will be deleted without any exposure and review."

'Last encryptors left'

The apology came after journalist Kevin wrote a story in the Daily Mail alongside fellow reporters Georgia Edkins and Michael Powell.

In their message, Conti even praised the Mail for the "great coverage".

"It was extraordinary" Kevin says. "I didn't expect them to compliment me for my work."

Graff handed over a ransom of around $7.5m, but did not respond to the BBC's requests for comment.

Conti's internal chats show one of the hackers, who claims to have been part of the Graff job, boasting about getting about 1% of the payout, $75,000, with which he would build a house.

The Graff attack happened in late October 2021 and things seemed to be going well for Conti.

As the boss Stern put it, "none of the other notorious encryptors are left now".

But Mango, the usually calm office manager, was getting frustrated.

"Honestly," they told Stern, "I try to solve all your crazy extravagant quests but I get the strong feeling you don't care at all.

"I've spent my whole life getting all this organized and rolling it out.

"At this rate, I'll be grey in a year or two."

News imageUS Secret Service Two shots of Vitaly Nikolayevich Kovalev looking at the camera. In both he is clean shaven with short black hair.US Secret Service
Stern has been identified by law enforcement agencies as Russian national Vitaly Nikolayevich Kovalev

By February 2022 when the messages were leaked, Stern had vanished from the chats.

One of the final messages was three days before the Russian invasion of Ukraine by a member named Fire.

"We are in a difficult situation with too much outside scrutiny of the firm, and the boss has apparently decided to lay low," Fire said.

"All balances on wages will be paid. The only question is when."

It was not until three years later, in May 2025, when German police identified Stern as a Russian man in his 30s named Vitaly Nikolaevich Kovalev.

He has been sanctioned by the US and UK authorities and has an Interpol Red Notice against him.

The BBC wanted to find him too.

News imageOther Vitaly Nikolayevich Kovalev wears a vibrant Hawaiian style shirt in front an orange and yellow sunset sky.Other
The BBC found pictures on social media of Vitaly Kovalev on luxurious holidays

All we had was a name and a couple of photographs, but in late 2025 an anonymous post appeared on the messaging app Telegram showing Kovalev playing tennis.

The BBC Cyber Hack podcast linked this single image to a sprawling set of social media accounts run by an influencer with thousands of followers.

Kovalev could now be seen wearing a Louis Vuitton jacket in a nightclub, driving a Bentley SUV and holidaying in an exclusive resort in southern Russia, where a family villa costs £22,000 a week.

Kovalev was approached by the BBC and did not respond.

While the messages showed the hackers were quick to move on to other targets, their victims were left picking up the pieces.

"It was a horrible thing to do," Jacky, who was tasked with resolving the Ireland hack says.

"I don't have any sympathy, empathy, or understanding as to how another human could do that."

Follow BBC Tees on X,Facebook, Nextdoor and Instagram.