Unpacking WIZARD SPIDER’s Crypters: Attribution Challenges in a Tangled Web of Adversaries
In the era of law enforcement crackdowns, cybercriminals continue to find ways to adapt, persist and confuse.
This is the case with WIZARD SPIDER—a Russian-based cybercrime group known for operating TrickBot and Conti—whose former members likely continue to run a private crypting service that has been in operation since before the Conti leaks in 2022. These crypters are critical tools that enable threat actors to obfuscate malware and evade detection. This talk unravels the crypters’ role within WIZARD SPIDER’s infrastructure, revealing hidden webs connecting seemingly disparate cybercrime groups—including existing adversaries such as LUNAR SPIDER and WANDERING SPIDER, and relatively newer adversaries such as VICE SPIDER.
Through case studies and technical breakdowns, we will highlight how tracking crypters offers a new lens for identifying and mapping cybercriminal activity, especially in an era where shared infrastructure and tooling blur the lines between threat actors.