Skip to main content
Emerging ThreatsMalware & Ransomware

Karakurt Ransomware Operative Sentenced for Extortion Role

A blurred figure in a suit sits or stands with their back to the camera in a government building interior with a judge's…

"Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline," said Assistant Attorney General A. Tysen Duva. "He also used stolen children's health information to increase his leverage to extort victim payments."

The conviction and the defendant

A Latvian national identified as 35-year-old Deniss Zolotarjovs (Денисс Золотарёвс) — who the government says is based in Moscow and who operated under the online alias "Sforza_cesarini" — was extradited to the United States and has been sentenced to 8.5 years in prison for his role as a negotiator in the Karakurt extortion operation. Zolotarjovs was arrested in Georgia, Eastern Europe, in December 2023, transferred to U.S. custody, and pleaded guilty in July 2025 to charges of conspiracy to commit wire fraud and money laundering that were filed in August 2024.

The charged role: "cold case" negotiations

Court documents and statements by prosecutors describe Zolotarjovs as a specialist in so‑called "cold case extortions" — cases where initial contact with victims had ceased and no ransom had been paid. The FBI tied him to at least six extortion matters affecting American organizations between August 2021 and November 2023. He is accused of conducting deep research on targeted companies and of analyzing stolen personal and health information to increase pressure on victims and coerce them to reconsider paying ransoms.

Karakurt's reach, affiliations, and estimated losses

Prosecutors say Zolotarjovs was part of the Karakurt extortion operation, which the filing describes as being led by former Conti ransomware gang leaders. Karakurt's model, as set out by the government, involved compromising company systems, exfiltrating data, and demanding payment under threat of public leakage or resale to other cybercriminals. The Department of Justice reported that more than 54 companies were attacked in the period tied to Zolotarjovs's activities. Of those, attacks on 13 companies resulted in known losses exceeding $56 million, which included approximately $2.8 million in ransom payments.

The DOJ noted an additional 41 victim companies for which the government does not yet have detailed loss statements; those 41 made roughly $13 million in ransom payments during the same period. Citing widespread underreporting of ransomware incidents, the DOJ said true loss figures are uncertain but, "extrapolating from the known victims and known losses, the government estimates total losses for the period of Zolotarjovs's participation to likely be in the hundreds of millions of dollars."

Connections to other ransomware groups

Prosecutors also linked Zolotarjovs to attacks associated with a range of other named ransomware operations, beyond Karakurt and Conti: Royal, TommyLeaks, SchoolBoys Ransomware, and Akira. The filings portray a negotiator who moved across operations and used information obtained in intrusions — including sensitive health records — to increase leverage in extortion campaigns.

What this means for law enforcement, victim organizations, and threat actors

  • Law enforcement and prosecutors: This is the first Karakurt member to be charged and sentenced in the United States, a milestone the DOJ says could lead to prosecution of more members. The case demonstrates prosecutors' willingness to treat negotiators and facilitators as criminally liable, not only the operators who deploy malware.
  • Affected enterprises and incident responders: The case highlights a negotiating tactic — returning to "cold" extortion attempts with new pressure derived from stolen personal and health information — that organizations should explicitly include when enumerating threat scenarios and post‑breach communications strategies.
  • Threat actors and affiliates: The sentences announced in this and parallel cases underline that law enforcement is targeting not only primary developers but also brokers and negotiators who monetize stolen data; the DOJ named cross‑group connections that suggest negotiators can be a pivot point across multiple extortion operations.

Separately, the DOJ also announced that two former employees of Sygnia and DigitalMint were sentenced to four years in prison each for targeting U.S. companies in BlackCat (ALPHV) ransomware attacks — a related signal that prosecutors are pursuing multiple roles and affiliates in major extortion campaigns.

The Zolotarjovs case puts an identified face on a negotiator role that prosecutors describe as central to extracting value from stolen data. It closes one chapter with an 8.5‑year sentence and, according to the Justice Department, opens another in which further prosecutions of Karakurt personnel are possible.

Source: BleepingComputer