Ransomware Gang Leaders & Infrastructure Exposed

Okay, so here’s some seriously big news in the cybercrime world. An anonymous investigator, who goes by ‘GangExposed,’ just landed a massive, devastating blow against the infamous Conti ransomware group. This wasn’t just any hit, either; it was a landmark investigation that exposed the real identities of key figures, spilled their operational strategies, and even tracked their global movements. Pretty wild, right?

Through meticulous analysis of leaked communications, travel records, financial data, and public records, GangExposed has unmasked core leaders including Vladimir Viktorovich Kvitko (“Professor”), the elusive mastermind “Target,” negotiator Arkady Valentinovich Bondarenko, and system administrator Andrey Yuryevich Zhuykov (“Defender”).

This exclusive report delves into the syndicate’s Dubai-based operations, its attacks on hospitals during the COVID-19 pandemic, and the critical infrastructure sustaining its global cybercrime empire, offering law enforcement a rare opportunity to dismantle one of the world’s most dangerous ransomware networks.

The U.S. Department of State’s Rewards for Justice (RFJ) program has announced a reward of up to $10 million for information leading to the identification or location of individuals involved in malicious cyber activities against U.S. critical infrastructure, in violation of the Computer Fraud and Abuse Act (CFAA).

The initiative specifically targets members of the Conti ransomware group, a Russian government-linked ransomware-as-a-service (RaaS) operation known for attacking vital U.S. and Western infrastructure.

Conti Ransomware Group and Key Actors

The RFJ program is seeking information on malicious cyber actors operating under the aliases “Target,” “Reshaev,” “Professor,” “Tramp,” and “Dandis,” believed to be associated with Conti, also known as Wizard Spider.

First detected in 2019, Conti has conducted over 1,000 ransomware operations, targeting critical infrastructure sectors including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities.

Of the more than 400 organizations worldwide victimized by Conti, over 290 are located in the United States.

Unmasking “Professor”: Vladimir Viktorovich Kvitko

GangExposed has conclusively identified “Professor,” a core Conti leader, as Vladimir Viktorovich Kvitko (born October 23, 1984), a Russian national who relocated from Moscow to Dubai in autumn 2020.

Kvitko’s role in Conti involves orchestrating real-world carding schemes, leveraging weak banking systems in countries like India, Cuba, and Iran.

His identity was confirmed through synchronized travel patterns and chat inactivity: Russian records show Kvitko in the Altai Republic from June 15–17, 2021, matching periods when “Professor” was silent in Conti’s Jabber chats, resuming communication upon his return to Moscow on June 18.

FSB border data further document his frequent trips to the UAE, Cuba, Iran, Austria, and Turkey, aligning with Conti’s operations. Since August 2022, Kvitko has remained in Dubai, managing visa extensions via trips to the Netherlands and Austria.

His dossier, including passports, phone numbers, emails, social media profiles, and property records tied to income from RM RAIL Management Company and Rosselkhozbank, is part of GangExposed’s digital archive Mega link.

The Dubai Hub: Conti’s Autumn 2021 Offensive

In autumn 2021, Conti transformed Dubai into a strategic hub for a massive wave of ransomware attacks targeting Western, Middle Eastern, and Chinese companies.

Led by “Target,” a figure with a $10 million FBI bounty, the group operated from physical offices equipped with dedicated attack infrastructure, coordinated by system administrator Andrey Zhuykov and involving negotiator Arkady Bondarenko.

The operation’s timeline reveals meticulous planning:

• On October 1, 2021, leaked chats reference a “negotiator” described as a “Canadian from a recovery company,” identified as Bondarenko, who flew from Dubai to Moscow that day (flight EK-133), discussing payment issues via the Suex exchange. This coincided with Conti’s attack preparations.
• By October 2, “Target” coordinated the setup of a Dubai office, ordering equipment and collaborating with deputy Sergey Khitrov.
• Between October 10–14, key members, including Marat Nurtdinov, Oleg Fakeev, Kvitko, and Elizaveta Suchkova, arrived in Dubai via flights SU-520 and G9-956.
• From October 17 to November 6, Conti executed peak attacks: 7 on October 17 (e.g., Graff Diamonds, JVCKenwood), 11 on October 23 (e.g., Obeikan Investment Group in the UAE), and 13 on November 6, including ARM China and TRINA SOLAR (UAE).

These attacks exploited the UAE’s lack of extradition agreements and lax cybercrime oversight, targeting not only Western firms but also local and Asian companies, with Bondarenko managing victim negotiations and Zhuykov ensuring the technical infrastructure’s stability.

Target: The $10 Million Predator

“Target,” operating under aliases like “Bloodrush” and “Red,” is Conti’s disciplined and ruthless leader, commanding a near-corporate criminal enterprise with nearly 100 operatives.

Despite a $10 million FBI bounty, he has evaded capture for three years, boasting ties to Russia’s FSB and amassing millions in Bitcoin while paying operatives $200 weekly.

His chilling disregard for human suffering was evident during the COVID-19 pandemic, when he targeted 428 U.S. hospitals in October 2020, gloating in chats: “428 hospitals… I’m satisfied” and “make them die or pay up.”

Target’s offline offices, strict employee oversight, and erasure of digital traces via platforms like Jabber and RocketChat highlight his operational sophistication.

GangExposed recovered deleted messages through metadata and quotes, exposing his schemes, including the Dubai hub’s establishment.

Arkady Bondarenko: The Conti Negotiator

Arkady Valentinovich Bondarenko (born August 2, 1970), a dual Russian-Canadian citizen, is identified as Conti’s key negotiator, managing victim communications and ransom payments.

On October 1, 2021, Conti member “Mango” described him as a “Canadian from a recovery company” in chats, aligning with his departure from Dubai to Moscow (flight EK-133).

His travel frequently overlapped with Kvitko’s, notably on January 17, 2020 (Kvitko on SU-522, Bondarenko on EK-134), May 2022, and February 2019, suggesting in-person coordination while avoiding shared flights.

Bondarenko’s financial profile, with over 107 million RUB from VTB Bank and ownership of luxury Moscow properties, premium vehicles (e.g., Infiniti QX80), and shell companies like LLC “Jewelry House Millennium,” indicates money laundering activities.

His dossier details multiple phones (e.g., +7 926 686-00-00), emails (e.g., [email protected]), and bank accounts, confirming his role as a financial intermediary.

Andrey Zhuykov: The Technical Backbone

Andrey Yuryevich Zhuykov (born February 18, 1982), known as “Defender” or “Def,” is Conti’s principal system administrator and DevOps specialist, responsible for the group’s technical infrastructure.

Operating from Russia’s Sverdlovsk Region and Sochi, Zhuykov manages servers, domains, proxies, VPNs, control panels, and backup channels, ensuring the stability and anonymity of Conti’s operations.

His high technical competence and strict management style make him a critical “single point of failure” for the group.

Leaked chats show him coordinating with leadership (e.g., Stern, Buza), suppliers, and coders, handling payments for servers and licenses, and conducting security audits to prevent vulnerabilities.

His dossier includes passports (e.g., 6511090337), phones (e.g., +7 989 165 9356), emails (e.g., [email protected]), and social profiles (e.g., Telegram@nohau).

Zhuykov’s financial struggles, with debts exceeding 2 million RUB and enforcement cases for child support, contrast with his critical role in Conti’s multimillion-dollar operations.

Other Key Figures

Additional Conti leaders exposed include:

Vitaly Kovalev (“Stern”), whose leaked Telegram messages (@tguser1) reveal network connections. Despite plastic surgery to alter his appearance, GangExposed exposed his new face and passports.

Mikhail Mikhailovich Tsaryov (“Mango”), born April 20, 1989, a coordinator in the Conti-TrickBot ecosystem who referenced Bondarenko’s negotiator role link.

Leaked Data: A Goldmine for Investigators

GangExposed’s unprecedented data release includes Conti Jabber and RocketChat leaks, Black Basta Matrix-Chat leaks, and Telegram messages from Kovalev, available in table and CSV formats.

These datasets detail internal communications, including Bondarenko’s negotiations and Zhuykov’s infrastructure management, enabling investigators to map Conti’s structure, track financial flows, and identify remaining figures. Recovered deleted chats reveal attempts to erase evidence of the Dubai hub, hospital attacks, and financial operations.

When GangExposed leaked Conti’s secrets, the group offered $4 million for a Telegram exploit to retaliate, as reported by Habr. This failed attempt underscores their desperation to silence the investigator, who noted, “I poked the hornet’s nest,” promising further revelations about Target’s identity.

The exposure of Conti’s Dubai hub, coupled with dossiers on Kvitko, Bondarenko, Zhuykov, and others, provides actionable intelligence for UAE authorities to investigate local victims like Obeikan Investment Group and TRINA SOLAR, and for Chinese authorities to probe ARM China’s breach.

Western agencies can leverage the $10 million bounty on Target, while Bondarenko’s dual citizenship and Zhuykov’s financial trails offer avenues for international cooperation to seize illicit funds.

GangExposed’s relentless investigation has shattered Conti’s anonymity, unmasking Kvitko as “Professor,” Bondarenko as the negotiator, Zhuykov as the technical backbone, and detailing Target’s hospital attacks and Dubai operations. With comprehensive dossiers and leaked data, this breakthrough offers law enforcement and victims a historic chance to dismantle a global cybercrime syndicate.