Researchers Hack Conti Ransomware Infrastructure



The flaw also allowed the researchers to identify the real IP addresses of the hidden service hosting the recovery website, including 20 IPs communicating with the Conti servers, and two Tor entry nodes used for the recovery service, all of which were reported to the authorities.

Furthermore, Prodaft discovered victim chat sessions that allowed them to identify accounts used when extorting victims’ data, including connecting IP addresses and the employed software. The investigation also revealed the use of the same Bitcoin wallet addresses for multiple victims.
