When Conti shut its brand down in mid-2022, the obituaries wrote themselves and were all wrong. The corporation from Part 4 did not disband; it decentralized. To follow where the people went, you need one organizing idea: Conti had internal teams, and the successor brands map onto those teams. The framework, advanced in real time by AdvIntel's Vitali Kremez and Yelisey Boguslavskiy and corroborated by later court filings, divides Conti into Team 1, the "Old Guard" of the Ryuk lineage and senior pentesters, and Team 2, the main affiliate subdivision that ran most campaigns. A smaller Team 3 disappeared in the dissolution. Credible reporting
Team 1 seeded Black Basta, Karakurt, BlackByte, and the Zeon social-engineering crew. Team 2 became the Quantum to Royal to BlackSuit to Chaos chain. This is analyst-assigned structure, credible rather than confirmed at the roster level, but it is consistent across vendors and it is the cleanest lens available. And one court document, which this dispatch ends on, hardens much of it into public record. Credible reporting
Black Basta, and the man who walked out of a courthouse
Black Basta launched in April 2022, weeks before Conti formally shut down, and operated from day one with a maturity inconsistent with a genuinely new crew. Its leader, behind the handle Tramp (also GG, AA), is Oleg Nefedov, ex-Conti leadership. The attribution is unusually robust, resting on three independent pillars: a BKA warrant and Interpol Red Notice (January 2026); an internal identification inside the leaked chats, where an ex-Conti member operating as "bio/pumba" named GG as Tramp; and an arrest record in Armenia. Confirmed reporting
The Armenia episode is the strongest single corroboration, and it is also the purest expression of this series' theme. Armenian authorities arrested an Oleg Nefedov on a US warrant in June 2024. A scheduling failure let him walk out of the courthouse within the 72-hour custody window, and he later described escaping with "high-level" help through a "green corridor." His silence in the leaked chats, from June 21 to July 3, 2024, aligns precisely with the documented arrest period. An independent court record matching a behavioral gap in a leaked archive is as close to proof as open-source attribution gets. Confirmed reporting
Then Black Basta did what this bloodline keeps doing: it destroyed itself from inside. In February 2025 a leaker called ExploitWhispers published roughly 200,000 internal messages, in apparent retaliation for Black Basta attacking Russian banks. The leak did to Black Basta what ContiLeaks did to Conti. It exposed the roster (administrators YY and Lapa, and the Qakbot liaison Cortes, identified by the US as Rustam Gallyamov, the indicted Qakbot creator), the internal strife (Tramp's abuse of subordinates, disputes over targeting), and a payment from Tramp to an operator of the Cactus group, documenting the operator-migration pipeline in real time as the brand collapsed. It also corroborated a long-standing SentinelOne assessment that Black Basta shared a developer with the FIN7 cluster, the same cluster behind the DarkSide line in Part 6. Confirmed reporting
Black Basta was not taken down; it imploded. Internal abuse, disputes over attacking Russian targets, and the resulting insider leak ended it, after which its people scattered to Cactus, Akira, and others. The same insider-trust fragility that ended Conti ended its largest successor. Analyst inference
The Team 2 chain: four names, one crew
The main affiliate subdivision rebranded in sequence, and the sequence is documented link by link. Microsoft tracked the Team 2 cluster as DEV-0230 and documented its shift to Quantum in April 2022. Quantum became Royal in September 2022, described as the direct heir of Conti and staffed by sixty-plus pentesters drawn from both the Old Guard and Team 2. Royal rebranded to BlackSuit in June 2023, a continuity the FBI and CISA formally confirmed in an August 2024 advisory. BlackSuit demanded over $500 million in ransoms before Operation Checkmate seized its infrastructure in July 2025, and Cisco Talos assesses with moderate confidence that Chaos (2025) is its rebrand. Confirmed reporting
The most analytically important event in that chain is the March 2024 BlackSuit schism, documented by RedSense. On one side: the group's administrative and political leader, from the Team 2 lineage, the man whose pro-Russia declaration in 2022 had provoked the Conti Leaks, now holding exclusive control over the ransomware locker. On the other: the developer who actually wrote that locker, from the Team 1 Ryuk lineage, most likely the original Ryuk author. The developer faction, tracked as "BlackSpade," ran the June 2024 CDK Global attack that paralyzed thousands of North American car dealerships. Conti's internal fault line did not heal. It reproduced itself inside the largest successor, splitting it along the same seam. Credible reporting
Karakurt, Akira, and the filing that welds it together
Karakurt is not a post-2022 successor; it predates the collapse as Conti's extortion-only side-arm, used to monetize intrusions where encryption failed. Tetra Defense, Arctic Wolf, and Chainalysis established its operational and blockchain links to Conti with high confidence. What converts credible analysis into court record is the prosecution of Deniss Zolotarjovs ("cold," "Sforza"), a Latvian negotiator arrested in Georgia in December 2023, extradited in August 2024, and sentenced in May 2026. Confirmed reporting
Akira, which emerged in March 2023, is linked to Conti through three independent lines: code reuse from the leaked Conti V2 builder, repeated blockchain flows from Akira ransoms to known Conti-affiliated wallets, and the Zolotarjovs filing naming it inside the same organization. Akira and Karakurt are best understood as sibling brands of one ex-Conti organization rather than rebrands of each other: reportedly the same operators, running an encrypting model and an extortion-only model side by side. The minor successors round out the family: BlackByte (Old Guard), Zeon (the callback-phishing specialists who folded into Royal), Silent Ransom (the first callback crew to break away, March 2022), and 3AM, a backup payload tied by Intrinsec to the Royal/BlackSuit crews. Credible reporting
Role: negotiator; arrested Georgia, Dec 2023; extradited Aug 2024; sentenced May 2026
Finding: Conti, Karakurt, Royal, Akira, TommyLeaks, SchoolBoys operated as brands of one organization under former Conti leaders
Additional allegation: the organization accessed Russian government databases
| Successor | Conti team | Named figure | Confidence |
|---|---|---|---|
| Black Basta | Team 1 | Oleg Nefedov ("Tramp") | Confirmed |
| Quantum → Royal → BlackSuit → Chaos | Team 2 (DEV-0230) | Unnamed admin (schism documented) | Credible |
| Karakurt | Side-arm (pre-collapse) | Deniss Zolotarjovs (negotiator) | Confirmed |
| Akira | Code + organizational link | Unnamed | Credible |
| BlackByte / Zeon / Silent Ransom / 3AM | Team 1 / Team 2 offshoots | Unnamed | Credible |
Step back from the brand names and the diaspora teaches one lesson. Every disruption in this chapter that actually removed a person from the board, Zolotarjovs in custody, Nefedov nearly so, happened outside Russia. Inside, the workforce recombined under new names within weeks, every time. Part 6 turns to the parallel track, the RaaS pioneers who industrialized the business model these crews ran on. Analyst inference
Sourcing & confidence
This dispatch is adapted from the project's reference study "People, Lineage, Money, and the State" (v3), and draws on AdvIntel reporting on the Team 1 / Team 2 split, the ExploitWhispers leak corpus (February 2025), the BKA warrant and Interpol Red Notice for Nefedov (January 2026), Microsoft, RedSense, Cisco Talos and SentinelOne vendor reporting, the FBI/CISA BlackSuit advisory (August 2024), and DOJ filings in the Zolotarjovs prosecution. Confidence labels follow standard analytic practice.
Confirmed · multiple independent sources, including official designation or indictment language.
Credible · single strong source or consistent industry reporting, not yet officially confirmed.
Analyst inference · the project's own assessment, drawn from the evidence above.
- CISA / FBI, #StopRansomware: BlackSuit (Royal) advisory (updated Aug 2024).
- US DOJ, Zolotarjovs sentenced (Karakurt / TommyLeaks / SchoolBoys) (May 2026).
- US DOJ, Gallyamov Qakbot indictment (May 2025).
- Europol / EU Most Wanted, Black Basta listings (Jan 2026).