Inside the Leak: Exploring the Structure of the Conti Ransomware Group
·
Abstract
The organizational structures of cybercriminal groups have attracted significant attention in criminological research. However, empirical evidence on the topic remains scarce and inconclusive. To address this knowledge gap, the present study investigates the internal dynamics of the Conti group, one of the most prominent ransomware groups in recent years, using social network analysis and qualitative content analysis. Leveraging a unique dataset of 168,740 leaked chat messages, our analysis unveils a hierarchical structure within the criminal group that mirrors those found in legitimate businesses, characterized by discernible leadership roles and a clear division of tasks. These results improve our understanding of how cybercrime groups are organized and how the online dimension affects their activities, contributing to both criminological research and policy discussions.
Note to the reader: This version of the paper dates back to the beginning of 2024.
Introduction
The proliferation of information technologies has revolutionized modern society, while simultaneously providing new opportunities for criminal activities (Leukfeldt et al. 2019). Although the definition of cybercrime lacks consensus, it generally encompasses a wide range of offenses, including those that exploit digital technologies (cyber-enabled crimes like fraud) and those that exclusively rely on them (cyber-dependent crimes like hacking) (Weulen Kranenbarg, Ruiter, and Van Gelder 2021). In recent years, cybercrime has become a priority for international organizations and national governments (Nguyen and Luong 2021; Caneppele and da Silva 2022), particularly considering the significant increase observed worldwide during the COVID-19 pandemic (Zeng and Buil-Gil 2023).
Criminological research on cybercrime has significantly expanded over the past few decades (see for a review Holt 2023). Moving beyond the historical focus on victims, scholars are increasingly shifting their attention to the perpetrators, especially in understanding the organizational structure of the criminal groups involved (see for a review Whelan, Bright, and Martin 2023). However, empirical knowledge on the internal dynamics of these groups remains limited and inconclusive (Lavorgna 2019b; Nguyen and Luong 2021; Zeng and Buil-Gil 2023). Some scholars argued that cybercrime groups function as decentralized networks with flat and loose structures (Hutchings 2014; Leukfeldt, Lavorgna, and Kleemans 2017; Musotto and Wall 2019; Wall 2015). Conversely, other studies suggest that cybercrime groups exhibit structures and practices akin to those of traditional organized crime networks, known for their cohesive centralized strategies (Lusthaus, van Oss, and Amann 2022; Munksgaard et al. 2022; Dupont et al. 2017).
The present study contributes to the ongoing debate regarding the organization of cybercrime by examining the internal structure and dynamics of the Conti group, one of the most prominent ransomware groups globally in 2021. This analysis leverages a unique ground-truth database comprising 168,740 chat messages exchanged among Conti members, which were leaked to the public in February 2022. By employing social network analysis (SNA) on this dataset, we elucidate the organizational structure of the Conti group, while qualitative content analysis helps identify the specific roles and responsibilities of its members.
The study is structured as follows. The next section provides a review of previous empirical studies that have advanced the understanding of cybercrime networks. Section 3 outlines the data and methodology employed in this research, also addressing the main limitations encountered. Section 4 presents the key findings resulting from both SNA and qualitative content analysis. Finally, Section 5 concludes the study by discussing the results together with policy implications and providing directions for future research.
Literature review
Criminologists have long been interested in analyzing the overall structure and inner workings of criminal organizations, a debate historically marked by contrasting perspectives. Over time, research has been developed around, and against, the conceptualization of criminal organizations as bureaucracies characterized by a formal and strict hierarchy controlling illicit markets, a notion emerged during the 1950s-1960s (US Senate 1963; Cressey 1969). This theorization faced strong criticism and rejection by scholars, who provided a variety of arguments, ranging from social relations (Albini 1971; Ianni and Reuss-Ianni 1972; Kleemans and Van de Bunt 1999) to economic aspects (Smith 1975; Block and Chambliss 1981; Reuter 1983). They asserted that large, hierarchical, and stable criminal organizations are exceptional cases, as the inherent constraints of illegality force most criminal organizations to remain small, transient, and poorly organized.
In contemporary criminological discourse, a comparable debate is re-emerging regarding the operational and organizational dynamics of cybercrime groups and their parallels with traditional criminal organizations (see for a review Lusthaus et al. 2023). Several scholars suggested that these groups exhibit a stable and hierarchical structure, with well-defined authority levels and a clear division of labour (Leukfeldt et al. 2019; Lusthaus, van Oss, and Amann 2022; Lusthaus et al. 2023; Nguyen and Luong 2021). They effectively recruit individuals to deliver specialized services for the group, ensuring sustained longevity over time (Nguyen and Luong 2021; Lusthaus et al. 2023). Not secondary, these groups are often locally embedded since some offenders may know each other in person (Lusthaus 2018; Nguyen and Luong 2021).
Extending from this perspective, a growing body of research has adopted the firm-based approach (Reuter 1983) to analyze cybercrime. This perspective argues that cybercriminal groups operate more similarly to legitimate businesses, driven by the maximization of profit and exhibiting an enterprise-like structure made of employees (Lusthaus, van Oss, and Amann 2023; Paquet-Clouston and García 2023; Musotto and Wall 2022; Lusthaus 2018). Although showing a certain degree of internal division of labour, these groups avoid centralized structures, preferring to remain small and adhering to principles commonly observed in legal markets.
Other studies have also found that cybercrime groups tend to exhibit small, loose, and dynamic structures, often lacking clear leadership and formal organizational features (Décary-Hétu and Dupont 2012; Choo and Smith 2008; Musotto and Wall 2019; Wall 2015). The digital realm facilitates collaboration among individuals who may not know each other personally: cybercriminals use online meeting places (e.g., forums) to meet potential co-offenders (Leukfeldt and Kleemans 2021). Cooperation is often limited in time, resulting in small and ephemeral networks characterized by transient relationships and the absence of a distinct leadership structure, which cannot be classified as “organized criminal groups” (Leukfeldt, Lavorgna, and Kleemans 2017; Lavorgna 2019a; Lavorgna and Sergi 2016; Nurse and Bada 2019).
Existing research on the topic emphasized a continuum in the organizational complexity of cybercrime groups, ranging from small-scale, transient groups driven by shared interests to more sophisticated, hierarchical groups with clear leadership and task specialization (Zeng and Buil-Gil 2023). Along this spectrum, an increasing number of studies have started conceptualizing and analyzing cybercriminal groups from a network perspective (Zeng and Buil-Gil 2023). Holt et al. (2012) analyzed the social networks of a group of Russian hackers to understand the nature of social relationships and their impact on information sharing and action. The results demonstrated that only a limited number of highly skilled hackers are centrally located within friendship networks. Décary-Hétu and Dupont (2012) analyzed more than 4,000 conversations of a network of hackers involved in botnets obtained from a Canadian police force investigation. The authors applied SNA to investigate the structure of the cybercriminal group and to assess multiple fragmentation strategies to disrupt the network. Musotto and Wall (2022) employed SNA to assess a Distributed Denial of Service (DDoS) stresser service online. The study investigated the relationships between DDoS users, operations, and revenues, yet overlooked the structure and relations of the people behind DDoS, focusing mainly on the clients. Nguyen and Thanh Luong (2021) analyzed 20 transnational computer fraud cases involving bank card fraud and phone scams investigated by the Vietnamese police between 2010 and 2018. Overall, the authors found that organizational structures of transnational computer fraud in Vietnam differ from those broadly assumed by scholars and that cybercrime networks can be classified into four categories: ‘swarm networks’ (networks operating freely without any leadership), ‘distributed networks’ (distributed networks with unclear leadership), ‘single-directed networks’ (networks led by one leader), and ‘group-directed networks’ (networks led by a core group of leaders).
Despite a growing number of studies, the adoption of a network approach remains hampered by the limited availability of data required for reconstructing connections among individuals within the group. However, the network framework, while not constituting a fully developed theory (Morselli 2009b), has proven pivotal in transcending the dichotomy of highly structured-versus-loosely structured groups that characterized the conceptualization of organized crime during the 20th century (Calderoni 2018). Seeking rather than assuming the structure, the network approach overcomes the need for initial definitions such as hierarchy, organization, or market, enabling the description of various forms of cooperation instead of imposing a single model (Kleemans 2014; Calderoni 2018; Morselli 2009b). The conceptualization of cybercrime networks allows for a shift in focus towards actors and relations, addressing both complex or less planned cybercrimes (Zeng and Buil-Gil 2023).
Overall, empirical evidence on cybercriminal networks remains scarce and inconclusive, especially in relation to ransomware groups (Whelan, Bright, and Martin 2023). Addressing this knowledge gap is essential from a criminological research and policy perspective. First, as traditional crime and cybercrime increasingly intersect (Leukfeldt and Roks 2021; Leukfeldt et al. 2019), identifying potential shifts in organizational structures of these groups becomes imperative. Second, improving our understanding of the internal dynamics within these groups is essential for devising targeted interventions to disrupt them.
Current Study
The current study aims at contributing to the ongoing debate by analyzing the case of the criminal group accountable for the Conti ransomware strain. Ransomware consists of a cyberattack in which threat actors take control of a target’s asset (e.g., personal computer) and demand a ransom in exchange for restoring the asset’s availability and confidentiality (Matthijsse, Van ‘T Hoff-de Goede, and Leukfeldt 2023).
The Conti group proved to be a suitable case study for three main reasons. First, recent attempts to shed light on how cybercriminal networks are organized and operate have largely relied on law enforcement data (see for example Lusthaus et al. 2023; Nguyen and Luong 2021; Musotto and Wall 2022; Loggen and Leukfeldt 2022). Despite the unique investigative powers of law enforcement agencies, it is widely acknowledged that such data may suffer of several biases when used for research purposes, particularly in the context of SNA (Campana and Varese 2022; Bright, Brewer, and Morselli 2021). Conversely, the present study uses a unique ground-truth database of internal communications from a ransomware group that became public due to a data leak. Relying on this data source allows to gain unique and unfiltered insights into the structure of the Conti ransomware group without depending on any selection or direction from authorities based on their priorities and resources. Moreover, it enables researchers to analize messages where offenders openly discuss their criminal activities for research purposes (Soudijn, Vermeulen, and Van Der Leest 2022).
Second, despite a growing interest in ransomware in the criminological literature over the last decade, most existing studies have predominantly focused on the technical aspects of ransomware attacks and their operational execution (Matthijsse, Van ‘T Hoff-de Goede, and Leukfeldt 2023; Custers, Oerlemans, and Pool 2020; Connolly and Wall 2019). Still, to the best of our knowledge, no previous study has analyzed the organizational structure of a ransomware group and compared it with both legal and illegal organizations. Indeed, recent research has primarily focused on other cybercrimes, such as DDoS attacks (Musotto and Wall 2022), bank card fraud (Nguyen and Luong 2021), and malware development (Macdonald and Frank 2017).
Lastly, some academic studies have already used the data leak to investigate the group's money laundering strategies, discussion topics, and business model, among other aspects (Nazzari 2023; Gray et al. 2023; Ruellan, Paquet-Clouston, and Garcia 2024; Kostadinov, Liu, and Rayme 2022). However, as far as we are aware, no prior research has used this data to conduct a systematic examination of the group’s internal structure, which remains largely unknown.
We aim at addressing this knowledge gap by investigating the following research question: Whatis the internal structure of the Conti ransomware group? Drawing on evidence presented and discussed in the literature review section, we develop two contrasting hypotheses:
1. The Conti ransomware group exhibits an internal structure comparable to other large-scale criminal organizations.
2. The Conti group exhibits an internal structure more akin to legal enterprises.
The data and methodology employed to explore this research question will be detailed in the following section.
Methodology
Data
The data source for the current study consists of the leaked chat conversations of Conti, which were published on the Twitter account @ContiLeaks on February 27, 2022. These chat logs specifically contain messages from Conti’s servers of two open-source platforms, namely Jabber and Rocket.chat, that were sent and received between June 2020 and February 2022. Both platforms were used by the Conti group to coordinate their operations and organize their ransomware attacks. However, we opted to exclude Rocket.chat messages due to its forum-like structure. Contrary to Jabber, each message in Rocket.chat had multiple recipients, namely all Conti members in a specific chat, making difficult the detection of the group’s overall structure.
The raw data were collected from the GitHub page of Northwave, a cybersecurity company that used the paid Google API to translate the messages, as the original files were in Russian.1 The Jabber dataset consisted of 168,740 chat messages, which included various message features such as timestamp, sender and receiver accounts, message content in the original language, and an English translation of said text.
This database was cleaned and the initial set of 449 accounts engaged in sending or receiving messages underwent manual examination, involving scrutiny of both message contents and account names. The preliminary analysis revealed that group members were required to have a backup Jabber account in the event that the primary one was compromised for any reason. Hence, to prevent double counting of the same members, multiple accounts were combined whenever indications suggested they belonged to the same individual. This process resulted in a refined and consolidated list of 423 unique accounts.
Subsequently, we applied a simple yet effective text processing technique to get a more meaningful unit of analysis and minimize repetitive and uninformative entries (e.g., ‘Hi’, ‘Hi, how are you?’, ‘Good, you?’). In doing so, a rule-based approach was implemented to aggregate together messages that were exchanged between two actors, irrespective of their roles as sender and receiver, occurring within the same day. This decision enabled us to focus on the existence of a link, rather than the source generating the message. The messages were concatenated chronologically and a final text field was produced to generate conversations, which represented our unit of analysis. The final dataset comprised 18,673 conversations, averaging 9 messages per conversation. Among these, only 553 conversations (approximately 3% of the total) were encrypted, meaning the actual text was not available, which concentrated towards the end of the analyzed period (Figure 1).
The temporal distribution of conversations (Figure 1) depicted a first 5-month period (from June until October 2020), with a concentration of 46% of the total conversations. This initial wave was followed by a sharp decline in communication (from November to December 2020) and then a recovery of activities until the leak in February 2022 (51% of the total conversations). Except for the decline in early 2022, attributable to the leak, this pattern does not seem to be influenced by external events.
Figure 1. Distribution of conversation over time
The dataset of conversations included 423 unique individuals who engaged in at least one message exchange. However, many of these people had sporadic interactions with other group members or participated in only a few conversations over the two-year period covered by the leak. Over 40% of them were involved in two conversations and nearly 30% participated in just one. Among them, some people never replied to the messages they received.
Previous studies have explored several boundary specification methods for the analysis of criminal groups, adopting both quantitative and qualitative criteria (Campana 2016; Berlusconi 2013; Calderoni 2012; Morselli 2009b; Natarajan 2006). To avoid arbitrary subject selection based solely on conversations or messages, we generated and analyzed two datasets. The first dataset, referred to as ‘All members’, comprised all 423 individuals identified in the Conti group. The second dataset, ‘Active members’, excluded 162 members who consistently failed to respond to received messages, resulting in a total of 261 active actors. The excluded individuals were typically the recipients of generic messages, which were broadcasted by a few prominent members of the group. Despite the reduction in the sample size, the exclusion primarily affected peripheral individuals with minimal relevant information.
Social network analysis (SNA)
SNA was used to explore the organizational structure and communication patterns within the Conti group. Initially, a valued undirected graph was constructed from the list of conversations, with edges made symmetrical to focus on the presence or absence of conversations rather than their directionality. The first network, based on the ‘All members’ sample, consisted of 423 nodes and 2,338 edges, representing at least one conversation between two members. Subsequently, the second network, derived from the ‘Active members’ sample, comprised 261 nodes and 2,116 edges, accounting for 90.5% of the total edges. In both networks, the weight assigned to each edge, denoted by wij, indicated the number of conversations exchanged between nodes i and j. These weights will be considered in the network analysis, influencing the computation of certain metrics.
The analysis followed a structured approach, considering three main perspectives: overall network, subgroup, and node levels. The first-level analysis aimed to provide an overview of the overall structure and connectedness of the group, comparing the different networks, that is, ‘All members’ and ‘Active members.’ Traditional network metrics, including density, centrality, average path length (APL), and clustering coefficient, were computed to illustrate the structure of the entire group. For a more detailed explanation of these metrics, refer to Borgatti, Everett, and Johnson (2018); Yang, Keller, and Zheng (2017); Wasserman and Faust (1994). All these operations were conducted using the package igraph in R (Csárdi et al. 2023).
Subsequently, the analysis for the “Active members” network focused on the identification of subgroups, namely clusters within the network that exhibit significant internal connectivity (Radicchi et al. 2004). Community analysis has gained considerable attention in criminology and other research domains to study subgroups, offering additional insights into networks that may not be immediately evident from a global or node-level perspective (Paquet-Clouston and Bouchard 2022; Calderoni, Brunetto, and Piccardi 2017). Over the years, several community detection algorithms have been developed (Bothorel, Brisson, and Lyubareva 2021; Fortunato 2010). To determine the most appropriate method, we used the Normalized Mutual Information measure (Bothorel, Brisson, and Lyubareva 2021) to compare various options and further selected the procedure that maximized the modularity score, namely the Louvain method (Blondel et al. 2008).
Finally, for the “Active members” network, attention shifted to the node level to gain further insights into the presence of key actors within the network and align them with the identified tasks. Traditional centrality measures, namely degree and betweenness, were employed to identify strategically positioned actors. A high degree centrality indicates individuals directly managing and possessing knowledge about the group’s activities, whereas high betweenness centrality suggests influential positions facilitating indirect connections among members while remaining less visible (Borgatti, Everett, and Johnson 2018). A Kruskal-Wallis test (Kruskal and Wallis 1952) and a post-hoc Dunn’s test with Benjamini-Hochberg adjustment (Dunn 1964) were conducted to explore significant differences between pairs of task categories.
Qualitative content analysis
The qualitative content analysis served to two main purposes: conducting a task analysis and understanding how members portrayed themselves and the activities undertaken within the Conti group. Additionally, these insights proved to be valuable in interpreting the findings from the SNA.
Tasks assigned to individuals were identified and categorized by assessing the content of Jabber messages, following the methodology used in earlier studies on criminal activities (Berlusconi 2021; Calderoni 2012; Malm and Bichler 2011; Natarajan 2006). This procedure consisted of three main activities: (a) analyzing the content of messages exchanged by each individual to infer their role and daily tasks; (b) searching for mentions of individuals’ nicknames to investigate discussions related to task assignments; and (c) identifying keywords associated with the activities performed within the group (e.g., code team, interviews, manager).
The classification resulted in five main categories of tasks (Table 1). “Managers” were responsible for coordinating activities within the group and giving orders to other members. “Human resources (HR)” conducted job interviews to recruit new members. “Developers” engaged in multiple coding activities, including writing ransomware code, testing it against known security solutions, and designing encryption strategies. “Campaign operators” managed negotiations with victims to ensure the payment of the requested ransom. Lastly, “System administrators” were Conti members who established the attack infrastructure and provided support as needed, such as domain registration, account management, and server maintenance.
Due to limited information available in conversations, tasks could only be assigned to 152 out of the 261 active members (58%). Nonetheless, most members engaging in a high number of conversations were successfully assigned a task. Those classified as not available exhibited a lower average number of direct connections with other members and participated in fewer conversations.
Table 1. Task categorization
Task
N
Activity
Manager
7
Coordination and management of tasks
Human resources (HR)
10
Recruitment
System administrator
11
Setup of attack infrastructure and support
Campaign operator
19
Spamming and negotiation with victims
Developer
105
Coding, testing, and crypting
Not available
109
-
Total
261
Limitations
The present study is subject to some limitations that need to be considered when analyzing and interpreting the findings. First, we decided to focus on one single cybercriminal group, namely the Conti group. The choice of the Conti group as a case study was mainly motivated by the uniqueness and richness of data available. Moreover, it was not possible to include additional cases with the same level of detail. However, this choice inevitably raises the question of to what extent the results can also be generalized to other threat actors. Indeed, it is plausible to assume that other types of cybercriminal groups (e.g., smaller or involved in other illegal markets) may take different organizational forms.
Second, it is important to stress that we were unable to obtain a complete picture of the Conti group due to data constraints. As mentioned, Conti members used at least one other online platform for instant messaging, namely Rocket.chat, which was not included in our dataset. Consequently, there is a possibility of underestimating the roles held by certain members within the group. Additionally, offline interactions and relationships remain unaccounted for, further constraining our understanding of the group's operational dynamics. Prior research has underscored the significance of the offline and local dimension in cybercrime (Lusthaus and Varese 2021; Lusthaus et al. 2023). However, in the Conti case, minimal information was available on this point, except for the group's establishment of offices in Moscow and the potential for some members to engage in face-to-face meetings.
Third, caution must be exercised when extrapolating the results of the network analysis and making comparisons with studies focused on traditional criminal groups that rely on data sources like phone calls and face-to-face meetings. Unlike traditional communication methods, which are susceptible to wiretapping and surveillance, the encrypted messaging platform used by Conti members offers a higher level of confidentiality in their communications. This unique dynamic introduced by platforms like Jabber should be considered when interpreting the findings.
Finally, it should be acknowledged that the current study examines the network as a static snapshot, thus failing to capture the dynamic evolution of the group's structure, the transitioning roles within it, and the flux of members departing from and joining the group over time.
Despite these limitations, the present study provides valuable empirical insights into an under-researched topic by integrating SNA with qualitative methods to examine the internal structure of a cybercrime group. This contribution enhances criminological research and informs policy discussions in this field.
Results
In the first subsection, we discuss the outcomes of the network analysis of the Conti group, providing an overview of the entire organization and then narrowing down to focus on the “Active members” group. Subsequently, we present the qualitative analysis subsection centred on the roles and tasks of the group’s members to support and interpret the SNA results.
Overall network level
The network analysis provides insights into the internal dynamics of the Conti group, shedding light on how communication patterns reflect its distinctive organizational structure.
Table 2 illustrates that, on average, connectivity among individuals is relatively low, with only 2 edges per node. Both networks exhibit high sparsity, with merely 6% of the potential connections established between active members (density). Despite the limited direct connections, members maintain relatively easy access to communication pathways with each other, being all part of one single component. This accessibility is facilitated by a short APL, indicating that, on average, two disconnected individuals within the group can potentially establish communication by relaying through two other members. This centralized communication pattern revolves around a few key individuals who act as intermediaries, facilitating member interactions. The high degree of centralization, with a value of 0.74 (0.76 for active members), highlights the concentration of information flow within specific individuals.
The communication dynamics within the networks suggest a heavy reliance on these central members, who exhibit numerous direct connections. However, the weighted clustering coefficients remain relatively low, indicating a lack of dense clusters in both networks, where people linked to the same intermediary often do not establish direct communications with each other.
Table 2. Descriptive statistics
All members network
Active members network
Size
423
261
Edges
2,338
2,116
Average n. of conversations
88
138
Components
2
1
Density (d)
0.03
0.06
APL
2.3
2.1
Degree centralization
0.74
0.76
Clustering coefficient
0.17
0.23
Subgroup level
The community analysis provides further insights into the presence and composition of subgroups within the Conti group. The analysis identifies seven cohesive subgroups, ranging in size from 7 to 73 members. With a modularity2 (Q) of 0.3, individuals within the same community tend to communicate more among themselves compared to those outside their community. Figure 2 illustrates nodes in the active network, with members grouped in circles by community, while colours indicate different tasks. Although many direct connections (55%) occur outside these cohesive subgroups, approximately 45% of direct connections take place within the community. Moreover, the combined assessment of communities and tasks does not reveal a distinct task-based division. This suggests that, despite a formal subdivision into task-oriented groups, Conti members engage in horizontal communication across different operational teams.
Figure 2. Conti network, grouped by community and colored by task
The previous insight is further supported by the density of connections among individuals involved in the same tasks (d in Table 3). Except for managers, who exhibit a high level of interconnectedness with over half of the other managers (d=0.57), other teams demonstrate notably lower levels of connectivity among individuals performing the same activity, ranging from 0.05 to 0.13 (d in Table 3). This finding aligns with previous research on the Conti group, indicating that over 95% of the actors engage in conversations spanning various topics, including business, technical, internal management, malware, and problem-solving subjects (Ruellan, Paquet-Clouston, and Garcia 2024).
Table 3. Number of members, density, and average centrality scores by tasks
Task
N
d
Average Degree
Average Betweenness
Average Strength
Manager
7
0.57
0.42
0.10
1,636
Human resources (HR)
10
0.07
0.09
0.00
161
System administrator
11
0.13
0.1
0.00
208
Campaign operator
19
0.05
0.08
0.00
157
Developer
105
0.09
0.07
0.00
141
Not available
109
0.03
0.00
28
Node level
The node-level analysis, coupled with information about tasks, provides further insights into the individuals and their strategic positioning within the Conti group. The results reveal a strong and significant correlation between degree and betweenness centrality (r=.8***), suggesting that none of the individuals occupy strategic positions within the group, that is, maintaining a limited number of direct contacts while effectively controlling the flow of information as brokers (Morselli 2010). On average, each member of Conti is connected to 11 other individuals. However, the whole-network analysis indicates that these connections are primarily concentrated around specific individuals, all of whom belong to the managers' groups.
Among the top 5 most influential actors, all labelled as managers, N001 ranks first in strength and second in both degree and betweenness centrality (Figure 3). Although not the most central member, N001 engages in most conversations, being involved in 4,383 conversations, over twice as much as N002, who is ranked second with 1,956 conversations, and N003, who engaged in 1,856 exchanges. As later highlighted in the qualitative analysis, this key actor is considered the leader due to his significant involvement in group activities.
Conversely, manager N002 holds the most central position within the network, maintaining contact with 83% of the members and being within the shortest communication path for 33% of them. Other managers, such as N003, N004, and N005, operate in the secondary layer of the group’s internal hierarchy, closely collaborating with N001.
Figure 3. Top 5 network nodes per degree, betweenness and strength (normalized)
As depicted in Table 3, the combined analysis of tasks and centrality metrics underscores the pivotal role of managers within the Conti network. Managers are, on average, connected to 42% of individuals within the group and are positioned on the shortest path of 10% of them, demonstrating significantly higher centrality scores compared to other members (Average Degree and Average Betweenness in Table 3).
Moreover, the results of the Kruskall-Wallis tests reveal significant differences among the six task categories concerning degree centrality (Chi-squared= 81.5, p= 3.974e-16, df=5), betweenness centrality (Chi-squared=61.0, p=7.737e-12, df=5), and strength (Chi-squared=103.0, p<2.2e-16, df=5). Subsequent pairwise comparisons using Dunn’s test with Benjamini-Hochberg adjustment indicate that managers exhibit significantly higher scores in degree centrality and strength compared to developers (p<.001) and individuals with non-available task information (p<.001). Betweenness centrality is statistically higher for managers compared to all other groups (p<.001). This finding is particularly noteworthy and aligns with previous literature emphasizing the overlap between leadership roles and brokerage positions in criminal networks (Calderoni and Superchi 2019; Grassi et al. 2019; Calderoni 2014; Morselli 2009a).
Roles and tasks
The qualitative content analysis of communications within the Conti group uncovered additional distinct and relevant patterns regarding roles and tasks, providing deeper insights into the network’s structure and dynamics. First, it was observed that while some members consistently maintained communication throughout the entire two-year period, others were active only during specific intervals. Notably, only 21% of individuals could be classified as core members due to their stability and recurrent participation over the entire period. In contrast, approximately 50% of the members appeared in conversations for a limited time span, suggesting a temporary and potentially minor role within the group. This variability supports the initial profile of an internal structure characterized by a core group of members collaborating with more peripheral individuals, a composition that may evolve over time.
The Conti group exhibits a vertical internal structure, marked by a clear division of roles. The leader, N001, is a Russian individual who belongs to the core group and is referred to as the “big boss” by the other members. Although not directly involved in technical tasks, N001 plays a crucial role in coordinating activities and providing the group with a long-term vision. He assigns tasks to other members while keeping control over the broader workflow. Frequently engaging with new members, he routinely inquires about their backgrounds and assignments. As noted from the network analysis, his collaboration is particularly close with fellow core members, notably with managers N002, N003, and N004. These individuals oversee and supervise operational teams, such as encoders, hackers, penetration testers, and system administrators. While possessing technical expertise and performing specialized tasks, their primary responsibility lies in task planning and internal team coordination, assigning roles to individuals working within the group.
Managers act as a central reference point for members of operational teams, which consist of highly skilled individuals with specific IT expertise who, despite operating at a lower tier of the hierarchy, play an integral role in the development of ransomware attacks by writing the code of the malware and testing it against known security systems. Operational groups exhibit a significant level of turnover, with members frequently entering and leaving the group. This workforce is recruited through a formalized process managed by the HR team, which actively seeks new members on dark web forums and lawful recruitment websites. As evidenced by the presence of an HR team, the roles within the Conti group closely resemble those found in legitimate corporate environment. Members of Conti typically adhere to a conventional five-day office schedule, receiving compensation in Bitcoin bi-monthly. Payment amounts vary depending on the individual’s expertise, seniority within the group, and the nature of their assigned tasks.
These insights emerge from several conversations involving HR personnel and potential recruits. Messages that detail examples of job announcements provide additional perspectives into recruitment practices. For instance, a message from N004 to N003 outlines the required skills and working conditions:
N004 to N003: “Required skills - the ability to identify and describe a problem in the software - Discipline, responsibility. Responsibilities - testing internal products. Conditions - working day 9:00-18:00 Moscow time, flexible schedule is possible by agreement - remote work. The work is not dusty, any student who is able to install Windows, virtual machine and vpn can handle it. You need to test the exe assembly and describe the bugs, if any. Paying $1000-1200 per month.”
Consistent with previous research findings (Paquet-Clouston and García 2023; Lusthaus, van Oss, and Amann 2022; Leukfeldt et al. 2019), new developers joining the Conti group often remain unaware, particularly in the early stages, of their involvement in a criminal organization engaged in ransomware attacks. It is not uncommon for them to realize their affiliation with a cybercriminal group over time, at which point they might decide to continue working with the group, often negotiating for a higher salary. This strategy appears to be deliberately executed by the Conti group management, as explained by the leader N001 to another member of the group (N132):
N132: “Is it difficult to find a coder in Russia for this case? How would the guys understand what they are coding?” – N001: “Not difficult. They don’t get it at first, what is the project as a whole. […] Then, as they understand, I raise the payment, and we work further.”
Indeed, HR and managers involved in the recruitment process often portray the Conti group as a legitimate company engaged in legal activities (e.g., penetration testing) for a wide array of clients:
N130: “I just wanted an elementary understanding of how the company functions, the principle of interaction” – N038: “Our team is engaged in pen testing and outsource development for large clients, more than 8 years on the market, we are constantly expanding, there is a lot of work and it is constant.”
N117: “Can you tell us about the company first?” – N038: “Yes; we don't have a company name; we are a team engaged in pen testing for large clients; there are about 50 different positions in the team.”
Furthermore, new hires often find themselves unaware of their colleagues, as evident from a message exchange between N022 and N054, where a candidate discusses the prerequisites to become part of the team:
N022: “[…] On the other hand, I will not know who I work with, and is this part of our agreements? That is, what I either agree to or not. Do I understand correctly?”
In addition to its high-tech operational teams, mainly comprising developers, the Conti group encompasses at least two other broad teams: campaign operations and HR. The campaign operators are involved in multiple tasks that demand a combination of IT and non-IT skills. These tasks include conducting open-source intelligence (OSINT) research on potential victims (e.g., type of entity, number of servers, revenues, and potential ransom), spamming the malware, and negotiating ransom payments with victims.
On the other hand, the HR team consists of a minimum of ten people responsible for recruiting new members, especially those with IT expertise. While most of the hiring process occurs online, involving both dark web forums and legitimate websites for headhunting, some conversations indicate recruitment through offline channels as well, as stated in a conversation between a manager and a member of the HR team:
N009: “Then we will ask you to catch up with people offline, but that's according to the situation.”
However, there is limited information available to gain a deeper understanding of how offline relations and dynamics, such as social opportunity structures, may impact the organization and activity of the Conti group. Messages include some references to the establishment of a group’s office in Moscow and some members’ engagement in face-to-face meetings.
Discussion and conclusions
Overall, the Conti group exhibits a hierarchical structure with clear leadership and division of tasks. However, this organizational form differs from the hierarchical structures characterizing mafia groups and other stereotypical organized crime groups (Musotto and Wall 2022). Instead, it closely resembles legitimate businesses, comprising individuals who engage in sustained and prolonged collaboration to generate profit, as confirmed by previous empirical evidence (Ruellan, Paquet-Clouston, and Garcia 2024; Lusthaus, van Oss, and Amann 2022; Musotto and Wall 2022; Matthijsse, Van ‘T Hoff-de Goede, and Leukfeldt 2023). Notably, the Conti group not only mirrors corporate traits by adopting jargon typical of IT businesses but also presents itself as a legitimate enterprise when recruiting potential new members. This façade effectively conceals the illicit nature of the group, leaving many low-level members unaware of their affiliation with a cybercriminal organization.
The extensive participation and prolonged duration of activity might suggest that the Conti group stands as an exception in the realm of criminal organizations, which often tend to be small-scale and transient (Paoli 2002; Reuter 1983). Notably, it may stand as an exception even when compared to other cybercriminal organizations (see for example Lusthaus, van Oss, and Amann 2022; Lusthaus 2018). However, it is worth noting that Conti only exhibits a core group of members maintaining consistent collaboration over the analyzed two-year period, alongside more peripheral individuals engaging in less stable communications. This type of structure, in line with prior research on cybercrime groups (Paquet-Clouston and García 2023; Lusthaus, van Oss, and Amann 2022; Leukfeldt, Kleemans, and Stol 2017), prompts inquiries into defining the boundaries of this cybercrime group and establishing inclusion criteria for identifying its formal members. These peripheral individuals do not constitute the core group of criminals who design and orchestrate the criminal scheme but rather serve solely to execute it (Paquet-Clouston and García 2023).
From a network perspective, communication patterns in the Conti group are clustered around the few high-level managers who actively engage in the planning and coordination of criminal activities, maintaining continuous interactions with several peripheral members. This type of cooperation allows highly efficient communication flows and direct control of operations by those in high-ranking positions. However, it is worth noting that this makes high-status individuals more visible and susceptible to detection (Morselli 2010). Moreover, in conjunction with the limited presence of clusters within the network, it increases the vulnerability of the entire group to targeted law enforcement interventions.
This result warrants further discussion, as it partially contrasts with prior findings on traditional criminal networks, which suggested that leaders typically avoid forming direct connections and instead favour broker positions within the network (Morselli 2009a; 2009b). Several factors may contribute to this difference. Many members in the Conti group lack awareness of the broader organizational structure, knowing only members in their immediate operational teams. This compartmentalization aims to reduce information circulation “by allocating knowledge, and the activities related to it, to various units, individuals, and/or organizations, making it difficult for one subject, whether internal or external, to form an idea of the picture as a whole” (Catino 2019, 268). Additionally, operating in a digital environment reduces leaders’ ability to exert physical control over the members, thereby increasing their need to expose themselves to ensure task compliance. This phenomenon is evident within the Conti group, where the leader personally reaches out to more peripheral members periodically to request updates on task progress.
Furthermore, leaders may be more willing to expose themselves because they can operate behind the veils of anonymity offered by new technologies. Within these groups, individuals are frequently known only by their online pseudonyms. The ability to communicate without revealing one’s identity or location enables efficient operations without significantly increasing detection risks. Criminal groups tend to centralize their activities when they are confident of being able to operate with a sense of impunity (Morselli, Gabor, and Kiedrowski 2010), and virtual spaces seem to precisely provide this setting. In the online environment, cybercrime groups may not face a clear trade-off between the need to be secure and the need to operate efficiently (Morselli, Giguère, and Petit 2007), as anonymity and encryption technologies provide high degrees of security even when directly engaging in criminal activity.
In general terms, several factors may explain the adoption of such an organizational structure. The complexity of the network might be closely linked to the aims and resources of the group. Indeed, different illegal markets may entail different organizational structures (Calderoni 2018): criminal networks involved in high-impact cybercrime (e.g. DDoS attacks, ransomware) may exhibit greater hierarchy, as these crimes “are also yielding large economic returns and therefore create a logic for a more sustainable (mafia) type model of crime group” (Musotto and Wall 2022, 174). Moreover, the landscape of cybercrime structures has changed significantly in recent years due to the emergence of the “cybercrime-as-a-service” business model. The provision of cybercrime services to interested third parties (i.e., affiliates) requires leadership and infrastructures with different roles to provide such services effectively on a regular basis.
Results from this study carry significant policy and research implications. Scholars have long been focused on identifying key individuals within criminal networks to disrupt them more effectively (see for a review Ficara et al. 2022). Acknowledging the business-like nature of large cybercrime groups, intervention strategies should prioritize targeting high-level managers who play central roles in planning and coordinating the activities. In contrast to scenarios involving loosely connected criminal networks, traditional methods of targeting leaders may still prove effective in disrupting cybercrime networks due to their unique characteristics. Indeed, the need for leaders to expose themselves to effectively manage activities, coupled with the presence of members at the periphery of the group and characterized by low levels of engagement, can facilitate the disruption of the network. Targeting leaders may eliminate those motivated offenders who conceived the entire criminal scheme, leaving the low-level workforce without proper guidance. For this purpose, the analysis of centrality measures must be integrated with task analyses to assess whether a criminal network is dependent on certain groups of members (Soudijn, Vermeulen, and Van Der Leest 2022).
Concurrently, intervention strategies can also target the low-level workforce using alternative channels. It is well-known that cybercrime has turned into a large and profit-driven industry characterized by work specialization, forcing most individuals to face precarious working conditions and low incomes (Lusthaus 2018; Nazzari 2023; Paquet-Clouston and García 2023). In line with previous research (see for example Paquet-Clouston and García 2023), we propose the development of awareness campaigns aimed at highlighting the drawbacks of cybercrime specialization. By reframing the narrative on cybercrime, governments can effectively dissuade potential recruits from engaging in cybercrime-as-a-service business models and seek alternative legal opportunities.
Future research should focus on further strengthening our understanding of the organizational structures and dynamics involved in cybercrime. For this purpose, scholars should strive to use multiple data sources. To date, most of the previous studies have used law enforcement data. While this data source can be beneficial in investigating cybercrime (Lusthaus et al. 2023), it comes with well-known limitations (see for a review Cockbain, Bowers, and Vernon 2020). Conversely, interviewing cybercriminals may offer unbiased and unfiltered insights into the inner workings of criminal groups.
References
Albini, Joseph L. 1971. The American Mafia: Genesis of a Legend. New York: Appleton-Century-Crofts.
Berlusconi, Giulia. 2013. “Do All the Pieces Matter? Assessing the Reliability of Law Enforcement Data Sources for the Network Analysis of Wire Taps.” Global Crime 14 (February):61–81. https://doi.org/10.1080/17440572.2012.746940.
———. 2021. “Come at the King, You Best Not Miss: Criminal Network Adaptation after Law Enforcement Targeting of Key Players.” Global Crime, December, 1–21. https://doi.org/10.1080/17440572.2021.2012460.
Block, Alan A., and William J. Chambliss. 1981. Organizing Crime. New York: Elsevier.
Bright, David, Russell Brewer, and Carlo Morselli. 2021. “Using Social Network Analysis to Study Crime: Navigating the Challenges of Criminal Justice Records.” Social Networks 66 (July):50–64. https://doi.org/10.1016/j.socnet.2021.01.006.
Calderoni, Francesco. 2012. “The Structure of Drug Trafficking Mafias: The ‘Ndrangheta and Cocaine.” Crime, Law and Social Change 58 (3): 321–49. https://doi.org/10.1007/s10611-012-9387-9.
———. 2014. “Identifying Mafia Bosses from Meeting Attendance.” In Networks and Network Analysis for Defence and Security, edited by Anthony J. Masys, 27–48. Cham: Springer International Publishing.
———. 2018. Le reti delle mafie. Le relazioni sociali e la complessità delle organizzazioni criminali. Milano: Vita e Pensiero.
Calderoni, Francesco, and Elisa Superchi. 2019. “The Nature of Organized Crime Leadership: Criminal Leaders in Meeting and Wiretap Networks.” Crime, Law and Social Change 72 (4): 419–44. https://doi.org/10.1007/s10611-019-09829-6.
Campana, Paolo, and Federico Varese. 2022. “Studying Organized Crime Networks: Data Sources, Boundaries and the Limits of Structural Measures.” Social Networks 69 (May):149–59. https://doi.org/10.1016/j.socnet.2020.03.002.
Caneppele, Stefano, and Amandine da Silva. 2022. “Cybercrime.” In Research Handbook of Comparative Criminal Justice, edited by David Nelken and Claire Hamilton. Edward Elgar Publishing. https://doi.org/10.4337/9781839106385.
Catino, Maurizio. 2019. Mafia Organizations: The Visible Hand of Criminal Enterprise. Cambridge: Cambridge University Press. https://doi.org/10.1017/9781108567183.
Choo, Kim-Kwang Raymond, and Russell G. Smith. 2008. “Criminal Exploitation of Online Systems by Organised Crime Groups.” Asian Journal of Criminology 3 (1): 37–59. https://doi.org/10.1007/s11417-007-9035-y.
Cockbain, Ella, Kate Bowers, and Liam Vernon. 2020. “Using Law Enforcement Data in Trafficking Research.” In The Palgrave International Handbook of Human Trafficking, edited by John Winterdyk and Jackie Jones, 1709–32. Cham: Springer International Publishing. https://doi.org/10.1007/978-3-319-63058-8_100.
Connolly, Lena Y., and David S. Wall. 2019. “The Rise of Crypto-Ransomware in a Changing Cybercrime Landscape: Taxonomising Countermeasures.” Computers & Security 87 (November):101568. https://doi.org/10.1016/j.cose.2019.101568.
Cressey, Donald Ray. 1969. Theft of the Nation: The Structure and Operations of Organized Crime in America. New York: Harper & Row.
Custers, Bart, Jan-Jaap Oerlemans, and Ronald Pool. 2020. “Laundering the Profits of Ransomware: Money Laundering Methods for Vouchers and Cryptocurrencies.” European Journal of Crime, Criminal Law and Criminal Justice 28 (2): 121–52. https://doi.org/10.1163/15718174-02802002.
Décary-Hétu, David, and Benoit Dupont. 2012. “The Social Network of Hackers.” Global Crime 13 (3): 160–75. https://doi.org/10.1080/17440572.2012.702523.
Dupont, Benoît, Anne-Marie Côté, Jean-Ian Boutin, and José Fernandez. 2017. “Darkode: Recruitment Patterns and Transactional Features of ‘the Most Dangerous Cybercrime Forum in the World.’” American Behavioral Scientist 61 (11): 1219–43. https://doi.org/10.1177/0002764217734263.
Ficara, Annamaria, Francesco Curreri, Giacomo Fiumara, Pasquale De Meo, and Antonio Liotta. 2022. “Covert Network Construction, Disruption, and Resilience: A Survey.” Mathematics 10 (16): 2929. https://doi.org/10.3390/math10162929.
Grassi, R., F. Calderoni, M. Bianchi, and A. Torriero. 2019. “Betweenness to Assess Leaders in Criminal Networks: New Evidence Using the Dual Projection Approach.” Social Networks 56 (January):23–32. https://doi.org/10.1016/j.socnet.2018.08.001.
Gray, Ian W., Jack Cable, Benjamin Brown, Vlad Cuiujuclu, and Damon McCoy. 2023. “Money Over Morals: A Business Analysis of Conti Ransomware.” arXiv. https://doi.org/10.48550/arXiv.2304.11681.
Holt, Thomas J. 2023. “Understanding the State of Criminological Scholarship on Cybercrimes.” Computers in Human Behavior 139 (February):107493. https://doi.org/10.1016/j.chb.2022.107493.
Holt, Thomas J., Deborah Strumsky, Olga Smirnova, and Max Kilger. 2012. “Examining the Social Networks of Malware Writers and Hackers.” International Journal of Cyber Criminology 6:891–903.
Hutchings, Alice. 2014. “Crime from the Keyboard: Organised Cybercrime, Co-Offending, Initiation and Knowledge Transmission.” Crime, Law and Social Change 62 (1): 1–20. https://doi.org/10.1007/s10611-014-9520-z.
Ianni, Francis A. J., and Elizabeth Reuss-Ianni. 1972. A Family Business: Kinship and Social Control in Organized Crime. New York: Russell Sage Foundation.
Kleemans, Edward R. 2014. “Theoretical Perspectives on Organized Crime.” In The Oxford Handbook of Organized Crime, edited by Letizia Paoli, 0. Oxford University Press. https://doi.org/10.1093/oxfordhb/9780199730445.013.005.
Kleemans, Edward R., and Henk Van de Bunt. 1999. “Social Embeddedness of Organized Crime.” Transnational Organized Crime 5 (1): 19–36.
Kostadinov, Boyan, Joseph Liu, and Julio Rayme. 2022. “Using Data Science Tools for Investigating Chat Logs from the Conti Ransomware Group.” In 2022 IEEE 13th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), 0095–0101. https://doi.org/10.1109/UEMCON54665.2022.9965691.
Kruskal, William H., and W. Allen Wallis. 1952. “Use of Ranks in One-Criterion Variance Analysis.” Journal of the American Statistical Association 47 (260): 583–621. https://doi.org/10.1080/01621459.1952.10483441.
Lavorgna, Anita. 2019a. “Cyber-Organised Crime. A Case of Moral Panic?” Trends in Organized Crime 22 (4): 357–74. https://doi.org/10.1007/s12117-018-9342-y.
———. 2019b. “Organized Crime and Cybercrime.” In The Palgrave Handbook of International Cybercrime and Cyberdeviance, 1–18. Cham: Springer International Publishing. https://doi.org/10.1007/978-3-319-90307-1_14-1.
Lavorgna, Anita, and Anna Sergi. 2016. “Serious, Therefore Organised? A Critique Of The Emerging ‘Cyber-Organised Crime’ Rhetoric In The United Kingdom,” October. https://doi.org/10.5281/ZENODO.163400.
Leukfeldt, E. Rutger, and Edward R. Kleemans. 2021. “Breaking the Walls of Silence: Analyzing Criminal Investigations to Improve Our Understanding of Cybercrime.” In Researching Cybercrimes, edited by Anita Lavorgna and Thomas J. Holt, 127–44. Cham: Springer International Publishing. https://doi.org/10.1007/978-3-030-74837-1_7.
Leukfeldt, E. Rutger, Edward R. Kleemans, Edwin W. Kruisbergen, and Robert A. Roks. 2019. “Criminal Networks in a Digitised World: On the Nexus of Borderless Opportunities and Local Embeddedness.” Trends in Organized Crime 22 (3): 324–45. https://doi.org/10.1007/s12117-019-09366-7.
Leukfeldt, E. Rutger, Edward R. Kleemans, and Wouter P. Stol. 2017. “A Typology of Cybercriminal Networks: From Low-Tech All-Rounders to High-Tech Specialists.” Crime, Law and Social Change 67 (1): 21–37. https://doi.org/10.1007/s10611-016-9662-2.
Leukfeldt, E. Rutger, Anita Lavorgna, and Edward R. Kleemans. 2017. “Organised Cybercrime or Cybercrime That Is Organised? An Assessment of the Conceptualisation of Financial Cybercrime as Organised Crime.” European Journal on Criminal Policy and Research 23 (3): 287–300. https://doi.org/10.1007/s10610-016-9332-z.
Leukfeldt, E. Rutger, and R.A. (Robert) Roks. 2021. “Cybercrimes on the Streets of the Netherlands? An Exploration of the Intersection of Cybercrimes and Street Crimes.” Deviant Behavior 42 (11): 1458–69. https://doi.org/10.1080/01639625.2020.1755587.
Leukfeldt, Eric Rutger, Edward R. Kleemans, Edwin W. Kruisbergen, and Robert A. Roks. 2019. “Criminal Networks in a Digitised World: On the Nexus of Borderless Opportunities and Local Embeddedness.” Trends in Organized Crime 22 (3): 324–45. https://doi.org/10.1007/s12117-019-09366-7.
Loggen, Joeri, and Rutger Leukfeldt. 2022. “Unraveling the Crime Scripts of Phishing Networks: An Analysis of 45 Court Cases in the Netherlands.” Trends in Organized Crime 25 (2): 205–25. https://doi.org/10.1007/s12117-022-09448-z.
Lusthaus, Jonathan. 2018. Industry of Anonymity: Inside the Business of Cybercrime. Cambridge, Massachusetts: Harvard University Press.
Lusthaus, Jonathan, Edward Kleemans, E. Rutger Leukfeldt, Michael Levi, and Thomas Holt. 2023. “Cybercriminal Networks in the UK and Beyond: Network Structure, Criminal Cooperation and External Interactions.” Trends in Organized Crime, February. https://doi.org/10.1007/s12117-022-09476-9.
Lusthaus, Jonathan, Jaap van Oss, and Philipp Amann. 2022. “The Gozi Group: A Criminal Firm in Cyberspace?” European Journal of Criminology, February, 147737082210776. https://doi.org/10.1177/14773708221077615.
———. 2023. “The Gozi Group: A Criminal Firm in Cyberspace?” European Journal of Criminology 20 (5): 1701–18. https://doi.org/10.1177/14773708221077615.
Lusthaus, Jonathan, and Federico Varese. 2021. “Offline and Local: The Hidden Face of Cybercrime.” Policing: A Journal of Policy and Practice 15 (1): 4–14. https://doi.org/10.1093/police/pax042.
Macdonald, Mitch, and Richard Frank. 2017. “The Network Structure of Malware Development, Deployment and Distribution.” Global Crime 18 (1): 49–69. https://doi.org/10.1080/17440572.2016.1227707.
Malm, Aili, and Gisela Bichler. 2011. “Networks of Collaborating Criminals: Assessing the Structural Vulnerability of Drug Markets.” Journal of Research in Crime and Delinquency 48 (2): 271–97. https://doi.org/10.1177/0022427810391535.
Matthijsse, Sifra R., M. Susanne Van ‘T Hoff-de Goede, and E. Rutger Leukfeldt. 2023. “Your Files Have Been Encrypted: A Crime Script Analysis of Ransomware Attacks.” Trends in Organized Crime, April. https://doi.org/10.1007/s12117-023-09496-z.
Mester, Attila, Andrei Pop, Bogdan-Eduard-Mădălin Mursa, Horea Greblă, Laura Dioşan, and Camelia Chira. 2021. “Network Analysis Based on Important Node Selection and Community Detection.” Mathematics 9 (18): 2294. https://doi.org/10.3390/math9182294.
Morselli, Carlo. 2009a. “Hells Angels in Springtime.” Trends in Organized Crime 12 (June):145–58. https://doi.org/10.1007/s12117-009-9065-1.
———. 2009b. Inside Criminal Networks. New York: Springer.
———. 2010. “Assessing Vulnerable and Strategic Positions in a Criminal Network.” Journal of Contemporary Criminal Justice 26 (4): 382–92. https://doi.org/10.1177/1043986210377105.
Morselli, Carlo, Thomas Gabor, and John Kiedrowski. 2010. “The Factors That Shape Organized Crime.” 007. Canada: Research and National Coordination Organized Crime Division Law Enforcement and Policy Branch Public Safety Canada. https://publications.gc.ca/collections/collection_2012/sp-ps/PS4-89-2010-eng.pdf.
Morselli, Carlo, Cynthia Giguère, and Katia Petit. 2007. “The Efficiency/Security Trade-off in Criminal Networks.” Social Networks 29 (1): 143–53. https://doi.org/10.1016/j.socnet.2006.05.001.
Munksgaard, Rasmus, David Décary-Hétu, Vincent Mousseau, and Aili Malm. 2022. “Diversification of Tobacco Traffickers on Cryptomarkets.” Trends in Organized Crime 25 (2): 151–72. https://doi.org/10.1007/s12117-019-09375-6.
Musotto, Roberto, and David Wall. 2019. “The Online Crime-Terror Nexus: Using Booter Services (Stressers) to Weaponize Data?” In Organized Crime and Terrorist Networks: Literature Exploration and Open Access Bibliography, edited by Vincenzo Ruggiero, 42–59. Routledge. http://rgdoi.net/10.13140/RG.2.2.34510.66885.
Musotto, Roberto, and David S. Wall. 2022. “More Amazon than Mafia: Analysing a DDoS Stresser Service as Organised Cybercrime.” Trends in Organized Crime 25 (2): 173–91. https://doi.org/10.1007/s12117-020-09397-5.
Natarajan, Mangai. 2006. “Understanding the Structure of a Large Heroin Distribution Network: A Quantitative Analysis of Qualitative Data.” Journal of Quantitative Criminology 22 (2): 171–92. https://doi.org/10.1007/s10940-006-9007-x.
Nazzari, Mirko. 2023. “From Payday to Payoff: Exploring the Money Laundering Strategies of Cybercriminals.” Trends in Organized Crime, September. https://doi.org/10.1007/s12117-023-09505-1.
Nguyen, Trong, and Hai Thanh Luong. 2021. “The Structure of Cybercrime Networks: Transnational Computer Fraud in Vietnam.” Journal of Crime and Justice 44 (4): 419–40. https://doi.org/10.1080/0735648X.2020.1818605.
Nurse, Jason R. C., and Maria Bada. 2019. “The Group Element of Cybercrime: Types, Dynamics, and Criminal Operations.” In The Oxford Handbook of Cyberpsychology, by Jason R. C. Nurse and Maria Bada, edited by Alison Attrill-Smith, Chris Fullwood, Melanie Keep, and Daria J. Kuss, 690–715. Oxford University Press. https://doi.org/10.1093/oxfordhb/9780198812746.013.36.
Paoli, Letizia. 2002. “The Paradoxes of Organized Crime.” Crime Law and Social Change 37 (January):51–97. https://doi.org/10.1023/A:1013355122531.
Paquet-Clouston, Masarah, and Sebastián García. 2023. “On the Dynamics behind Profit-Driven Cybercrime: From Contextual Factors to Perceived Group Structures, and the Workforce at the Periphery.” Global Crime 0 (0): 1–23. https://doi.org/10.1080/17440572.2023.2211521.
Reuter, Peter. 1983. Disorganized Crime: The Economics of the Visible Hand. Cambridge(MA): MIT Press.
Ruellan, Estelle, Masarah Paquet-Clouston, and Sebastián Garcia. 2024. “Conti Inc.: Understanding the Internal Discussions of a Large Ransomware-as-a-Service Operator with Machine Learning.” Crime Science 13 (1): 16. https://doi.org/10.1186/s40163-024-00212-y.
Smith, Dwight C. 1975. The Mafia Mystique. 1st edition. New York: Basic Books Inc.
Soudijn, Melvin R.J., Irma J. Vermeulen, and Wouter P.E. Van Der Leest. 2022. “When Encryption Fails: A Glimpse behind the Curtain of Synthetic Drug Trafficking Networks.” Global Crime 23 (2): 216–39. https://doi.org/10.1080/17440572.2022.2086125.
US Senate. 1963. “Hearings of Joseph Valachi before the Permanent Subcommittee on Investigations of the Committee on Government Operations.” Washington, DC: US Senate. https://www.ojp.gov/ncjrs/virtual-library/abstracts/organized-crime-and-illicit-traffic-narcotics-hearing-us-senate.
Wall, David S. 2015. “Dis-Organised Crime: Towards a Distributed Model of the Organization of Cybercrime.” SSRN Electronic Journal. https://doi.org/10.2139/ssrn.2677113.
Weulen Kranenbarg, Marleen, Stijn Ruiter, and Jean-Louis Van Gelder. 2021. “Do Cyber-Birds Flock Together? Comparing Deviance among Social Network Members of Cyber-Dependent Offenders and Traditional Offenders.” European Journal of Criminology 18 (3): 386–406. https://doi.org/10.1177/1477370819849677.
Whelan, Chad, David Bright, and James Martin. 2023. “Reconceptualising Organised (Cyber)Crime: The Case of Ransomware.” Journal of Criminology, September, 26338076231199793. https://doi.org/10.1177/26338076231199793.
Zeng, Yongyu, and David Buil-Gil. 2023. “Organizational and Organized Cybercrime.” CrimRxiv. https://www.crimrxiv.com/pub/onzk3jbg.
Hello, as a newbie to cryptocurrency trading, I lost a lot of money trying to navigate the market on my own, then in my search for a genuine and trusted trader/broker, i came across Trader Bernie Doran who guided and helped me retrieve my lost cryptocurrencies and I made so much profit up to the tune of $60,000. I made my first investment with $2,000 and got a ROI profit of $25,000 in less than 2 week. You can contact this expert trader Mr Bernie Doran via Gmail : BERNIEDORANSIGNALS@ GMAIL. COM or WhatsApp + 1 424 285 0682 and be ready to share your experience, tell him I referred you