US charges alleged member of Russian Karakurt ransomware group
A member of a Russian cybercrime group has been charged in a U.S. court this week with money laundering, financial fraud and extortion, according to a statement by the U.S. Department of Justice (DOJ).
Deniss Zolotarjovs, a 33-year-old Latvian national who lived in Moscow, was arrested by law enforcement in the republic of Georgia in December 2023 and was extradited to the U.S. earlier this month.
According to court documents, Zolotarjovs is linked to the ransomware group Karakurt, which steals victim data and threatens to release it unless a ransom is paid in cryptocurrency.
The group maintains a leak site and auction portal that lists victim companies and offers stolen data for download. The group’s ransom demands have ranged from $25,000 to $13 million in Bitcoin.
Previous reports indicate that Karakurt was linked to the now-defunct ransomware gang Conti. Researchers suggest that Karakurt was a side operation of the group behind Conti, allowing them to monetize data stolen during attacks when organizations were able to block the ransomware encryption process.
Zolotarjovs allegedly operated under the alias "Sforza_cesarini" and was an active member of Karakurt. He is accused of communicating with other members, laundering cryptocurrency, and extorting the group’s victims. According to the DOJ, he is the first alleged member of the group to be arrested and extradited to the U.S.
Court documents link Zolotarjovs to attacks on at least six unnamed U.S. companies.
In one 2021 attack, Karakurt stole “a large volume of private client data,” including medical records, Social Security numbers matched with names, dates of birth, home addresses, and lab results. Karakurt demanded a ransom payment of approximately $650,000, but the company negotiated it down to $250,000.
Zolotarjovs was likely responsible for conducting negotiations on Karakurt’s “cold case extortions,” as well as performing open-source research to identify phone numbers, emails or other accounts through which victims could be contacted and pressured to either pay a ransom or re-enter a chat with the ransomware group. "Cold case extortions" refer to extortion cases that have remained unresolved for an extended period.
“Some of the chats indicated that Sforza’s efforts to revive cold cases were successful in extracting ransom payments,” court documents said.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.