Latvian ransomware negotiator gets 102 months in prison for Karakurt extortion attacks
A Latvian national linked to a major Russia-based ransomware operation has been sentenced to 102 months in U.S. federal prison. Deniss Zolotarjovs, 35, worked as a ransom negotiator for a cybercrime group tied to Karakurt, Conti, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira.
The Justice Department said Zolotarjovs helped the group steal from and extort more than 54 companies. His job was not to break into networks directly. Prosecutors said he analyzed stolen files, researched victims, and helped push companies into paying.
The case stands out because of the role he played inside the extortion chain. Instead of writing malware or running the initial intrusion, he helped turn stolen data into pressure, fear, and ransom payments.
What prosecutors said happened
Zolotarjovs was sentenced on May 4, 2026, in federal court in Cincinnati. The U.S. Attorney’s Office for the Southern District of Ohio described him as the first Karakurt member extradited to the United States to face criminal charges.
He was arrested in Georgia in December 2023 and transferred to U.S. custody in August 2024. In July 2025, he pleaded guilty to conspiracy to commit money laundering and wire fraud.
According to the Justice Department, his active role in the ransomware conspiracy ran from around June 2021 to August 2023. During that period, the group used several names in ransom notes and extortion messages, including Karakurt and brands connected to former Conti leaders.
At a glance
| Detail | Information |
|---|---|
| Defendant | Deniss Zolotarjovs |
| Age | 35 |
| Nationality | Latvian |
| Sentence | 102 months in federal prison |
| Main role | Ransomware negotiator and extortion strategist |
| Group names cited | Karakurt, Conti, Royal, TommyLeaks, SchoolBoys Ransomware, Akira |
| Charges pleaded to | Conspiracy to commit money laundering and wire fraud |
| Known victim impact | More than 54 companies targeted, with losses likely in the hundreds of millions |
How his role worked
Ransomware groups often split their work across specialists. Some members gain access, some steal data, some deploy malware, and others handle negotiations. Zolotarjovs belonged to the pressure side of that operation.
Prosecutors said he reviewed stolen information and looked for sensitive details that could force victims back to the negotiation table. That included personal records, client data, health information, and other material that companies could not easily ignore.
The Justice Department said attacks on just 13 victim companies caused more than $56 million in losses, including about $2.8 million in ransom payments. It also said another 41 victim companies made roughly $13 million in ransom payments during the same period, though detailed loss statements were not available for all of them.
The children’s health data case
One of the most disturbing parts of the case involved a pediatric healthcare company. Prosecutors said Zolotarjovs deliberately used children’s health information to increase pressure after the victim refused to pay quickly.
He urged other members of the group to leak or sell pediatric health records. Prosecutors said he later sent a general pack of sensitive data to hundreds of patients instead of limiting the exposure to individual files.
This detail shows why ransomware cases now reach beyond financial loss. Victims can face years of privacy, fraud, medical, and emotional consequences after attackers publish or distribute stolen records.
Financial impact and victim damage
| Category | Reported impact |
|---|---|
| Companies targeted | More than 54 companies, according to the Justice Department |
| Known losses from 13 companies | More than $56 million |
| Ransom payments in those 13 cases | About $2.8 million |
| Additional ransom payments from 41 companies | Roughly $13 million |
| Estimated total losses | Likely in the hundreds of millions of dollars |
| Other reported impact | Stolen personal data, healthcare data exposure, and one 911 system forced offline |
Why this sentence matters
The sentencing sends a message to ransomware operators who believe they can stay safe by working from countries where U.S. extradition is difficult. Zolotarjovs was arrested in Georgia, extradited to the United States, and sentenced in Ohio.
The case also shows that prosecutors can target more than malware developers. Negotiators, money movers, data analysts, recruiters, and infrastructure operators all help ransomware groups function.
That matters because modern ransomware is a business model, not just a piece of malicious software. Removing one trusted negotiator can still disrupt a group’s ability to turn stolen data into money.
What made the operation difficult to stop
The group operated across multiple ransomware names, which made tracking harder for victims and researchers. When one brand became exposed, members could shift to another name while using similar people, tools, and tactics.
Reports also described an organized structure connected to former Conti leaders. The group used several public-facing names, but prosecutors tied Zolotarjovs to a wider network that handled data theft, extortion, cryptocurrency movement, and victim pressure.
His payments also followed the typical laundering pattern seen in ransomware cases. Prosecutors said he received a cut of negotiated ransom payments in cryptocurrency, then the funds moved through multiple wallets before conversion into Russian rubles.
What organizations can learn from the case
- Ransomware defense must include data protection, not only malware blocking.
- Stolen files can become the main extortion tool even when systems get restored.
- Healthcare, local government, and critical services remain high-value targets.
- Organizations should monitor for data exfiltration before encryption events appear.
- Incident response plans should include legal, communications, and victim notification steps.
- Backups help recovery, but they do not stop data leak pressure.
- Employee access reviews can reduce how much data attackers steal after an intrusion.
The bigger ransomware picture
Ransomware groups have spent years moving from simple file encryption to data theft and public shaming. This case fits that shift. Zolotarjovs’ value came from understanding which stolen files could create the most fear.
The use of children’s health records, personal identifiers, and emergency system disruption shows how ransomware attacks can harm people who never made cybersecurity decisions for the victim organization.
For law enforcement, the conviction gives prosecutors a public example of international reach. For defenders, it reinforces a more practical lesson: once attackers steal sensitive data, recovery becomes harder than restoring servers.
FAQ
Authorities cited several names used by the organization, including Karakurt, Conti, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira.
He pleaded guilty in July 2025 to conspiracy to commit money laundering and wire fraud.
He was sentenced to 102 months in U.S. federal prison, which equals eight and a half years.
Deniss Zolotarjovs is a 35-year-old Latvian national who prosecutors said worked as a negotiator for a major ransomware group tied to Karakurt and former Conti leaders.