Conti Inc.: understanding the internal discussions of a large ransomware-as-a-service operator with machine learning

📅 2023-08-30
🏛️ Crime Science
📈 Citations: 3
Influential: 1
🤖 AI Summary
This study addresses the challenge of observing internal operations within Ransomware-as-a-Service (RaaS) organizations by conducting the first systematic analysis of the leaked Conti internal chat logs. Leveraging NLP-based preprocessing, LDA topic modeling, and interactive visualization, we identify five core thematic domains: Business, Technical, Internal Tasking, Malware, and Customer Service. Results reveal that non-technical discussions predominate; 96% of members participate across multiple themes, while only 4% specialize in a single domain—challenging the prevailing “purely technical” perception of cybercrime. The organization exhibits pronounced functional specialization, cross-role collaboration, and enterprise-like operational structures. This work provides the first empirical characterization of the cross-functional operational paradigm in RaaS groups, establishing a foundational empirical basis and methodological framework for understanding modern, organized cybercrime.
📝 Abstract
Ransomware-as-a-service (RaaS) is increasing the scale and complexity of ransomware attacks. Understanding the internal operations behind RaaS has been a challenge due to the illegality of such activities. The recent chat leak of the Conti RaaS operator, one of the most infamous ransomware operators on the international scene, offers a key opportunity to better understand the inner workings of such organizations. This paper analyzes the main discussion topics in the Conti chat leak using machine learning techniques such as Natural Language Processing (NLP) and Latent Dirichlet Allocation (LDA), as well as visualization strategies. Five discussion topics are found: (1) Business, (2) Technical, (3) Internal tasking/Management, (4) Malware, and (5) Customer Service/Problem Solving. Moreover, the distribution of topics among Conti members shows that only 4% of individuals have specialized discussions while almost all individuals (96%) are all-rounders, meaning that their discussions revolve around the five topics. The results also indicate that a significant proportion of Conti discussions are non-tech related. This study thus highlights that running such large RaaS operations requires a workforce skilled beyond technical abilities, with individuals involved in various tasks, from management to customer service or problem solving. The discussion topics also show that the organization behind the Conti RaaS operator shares similarities with a large firm. We conclude that, although RaaS represents an example of specialization in the cybercrime industry, only a few members are specialized in one topic, while the rest runs and coordinates the RaaS operation.
Problem

Research questions and friction points this paper is trying to address.

Analyzing Conti RaaS internal discussions using ML techniques
Identifying five key topics in ransomware operator communications
Revealing workforce diversity and specialization in RaaS operations
Innovation

Methods, ideas, or system contributions that make the work stand out.

Using NLP to analyze Conti chat leaks
Applying LDA for topic modeling discussions
Visualizing RaaS internal operations structure
Estelle Ruellan
Université de Montréal

Masarah Paquet-Clouston
Université de Montréal
Topics: Economic Crime, Cybercrime, Cybersecurity, Technology, Decentralized Finance

Sebastián García
Czech Technical University