Latvian Karakurt Negotiator Sentenced for Conti-Linked Ransomware Extortion
A U.S. court sentenced Latvian national Deniss Zolotarjovs to 102 months in prison for his role in a Russia-linked ransomware and data-extortion organization run by former Conti members and operating under brands including Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira. Prosecutors said Zolotarjovs acted as a primary negotiator and extortion specialist from June 2021 to August 2023, researching victims, analyzing stolen data, setting ransom pressure points, and taking a share of proceeds. He was arrested in Georgia in December 2023, extradited to the United States in August 2024, and later pleaded guilty to conspiracy to commit wire fraud and money laundering.
The Justice Department said the group targeted more than 54 companies, collected roughly $15 million to $16 million in confirmed ransom payments, and caused at least $56 million in documented losses across 13 victims, with total damage likely reaching hundreds of millions of dollars. Authorities said the operation exposed highly sensitive personal data, including children’s medical records stolen from a pediatric healthcare provider that were later used to threaten victims and even sent to hundreds of patients, while another attack forced a U.S. government entity’s 911 emergency system offline. Court filings and reporting also said the syndicate relied on front companies, corrupt contacts, and access to Russian government databases, underscoring the professionalized and well-connected structure behind the extortion campaign.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Zolotarjovs pleads guilty to money laundering and wire fraud conspiracy
In July 2025, Zolotarjovs pleaded guilty in the United States to conspiracy to commit money laundering and wire fraud. The plea covered his role as an extortion negotiator and pressure specialist for the ransomware organization.
Zolotarjovs extradited to the United States
After his arrest in Georgia, Zolotarjovs was extradited to the United States in August 2024 to face charges tied to ransomware and extortion activity. Multiple reports cite this transfer as part of the U.S. prosecution.
Deniss Zolotarjovs arrested in Georgia
U.S. authorities arrested Deniss Zolotarjovs in Georgia in December 2023 for his role in the Conti-linked ransomware and extortion operation. The arrest followed an investigation involving the FBI and Georgian authorities.
DOJ announces 102-month prison sentence for Zolotarjovs
The U.S. Department of Justice announced that Deniss Zolotarjovs was sentenced to 102 months in prison for participating in a prolific Russia-linked ransomware and extortion scheme. Prosecutors said his conduct helped extort more than 54 companies and contributed to tens of millions of dollars in losses.
Ransomware group begins extortion campaign under Conti-linked brands
According to U.S. prosecutors, the Russia-linked ransomware and extortion organization tied to former Conti leaders began operating around June 2021. The group later used brands including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira against more than 54 companies.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
10 references tracked. Mallory keeps watching after this page renders.
Member of Prolific Russian Ransomware Group Sentenced to 102 Months in Prison
cybersecuritynews.com
Open sourceDOJ says ransomware gang tapped into Russian government databases | TechCrunch
techcrunch.com
Open sourceU.S. court sentences Karakurt ransomware negotiator to 8.5 years
securityaffairs.com
Open sourceLatvian national sentenced for ransomware attacks run by former Conti leaders | CyberScoop
cyberscoop.com
Open sourceConti, Akira ransomware affiliate given 8-year sentence | The Record from Recorded Future News
therecord.media
Open sourceKarakurt extortion gang ‘cold case’ negotiator gets 8.5 years in prison
bleepingcomputer.com
Open sourceOffice of Public Affairs | Member of Prolific Russian Ransomware Group Sentenced to Prison | United States Department of Justice
justice.gov
Open sourceUnclassified
ismg-cdn.nyc3.cdn.digitaloceanspaces.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
US Sentences REvil Affiliate and Jails Karakurt Operative in Ransomware Crackdown
The United States sentenced **Yaroslav Vasinskyi** (`Rabotnik`), a Ukrainian affiliate of the **Sodinokibi/REvil** ransomware operation, to **13 years and 7 months** in prison for his role in more than **2,500 attacks** that collectively sought over **$700 million** in ransom payments. Prosecutors said the scheme encrypted victim networks, threatened to leak stolen data, and used cryptocurrency exchangers and mixing services to launder proceeds; the court also ordered more than **$16 million** in restitution. U.S. authorities said related forfeiture actions recovered assets including **39.89138522 Bitcoin** and **$6.1 million**, and credited cooperation with Polish authorities for Vasinskyi’s extradition and prosecution. In a separate but related enforcement action, **Deniss Zolotarjovs**, a Latvian national tied to the **Karakurt** extortion operation and linked by investigators to the broader **Conti** ecosystem, was sentenced to **102 months** in prison after U.S. prosecutors accused him of helping pressure victims with stolen data, reviving unresolved extortion cases, and laundering cryptocurrency. Authorities said the Russian-linked group targeted more than **54 companies worldwide**, including victims whose stolen records included sensitive medical information, and generated losses exceeding **$56 million** across 13 victims with roughly **$13 million** more paid by 41 additional companies. The cases underscore sustained cross-border law enforcement action against ransomware and data-extortion actors operating through Russia-linked criminal networks.
May 25, 2026
Conti Developer Pleads Guilty for Role in Global Ransomware Campaign
Ukrainian national **Oleksii Oleksiyovych Lytvynenko** pleaded guilty in U.S. federal court to **conspiracy to commit wire fraud** for his role in the **Conti** ransomware operation, one of the most prolific cybercrime campaigns tracked by U.S. authorities. Prosecutors said Lytvynenko joined Conti by September 2021, helped develop a malware loader used to gain initial access to victim networks, and possessed data stolen from 12 victims, including eight in the United States. He was arrested in Ireland in July 2023, extradited to the United States in October 2025, and now faces up to **20 years in prison**, with sentencing scheduled for September 2026. The Justice Department said Conti targeted more than **1,000 victims** across **47 U.S. states**, Puerto Rico, Washington, D.C., and about **31 countries**, extorting more than **$150 million** in ransom payments. In one part of the case, prosecutors said Lytvynenko and co-conspirators collected about **$634,000 in Bitcoin** from two Tennessee victims and leaked stolen data from another Tennessee organization after a **$3 million** ransom demand was rejected. The plea comes as U.S. authorities continue pursuing other alleged Conti members; earlier indictments also tied the group’s breakup to successor operations including **Black Basta**, **Quantum**, **Royal**, and **BlackSuit**.
Jun 15, 2026
Initial access broker Aleksei Volkov sentenced for enabling Yanluowang ransomware attacks
A U.S. federal court sentenced Russian national **Aleksei Volkov**, 26, to **81 months in prison** for acting as an initial access broker who helped major cybercrime groups, including the **Yanluowang** ransomware operation, compromise U.S. companies and other organizations. Prosecutors said Volkov gained unauthorized access to victim networks and sold that access to ransomware operators, who then deployed malware, encrypted systems, stole data, and extorted victims through cryptocurrency ransom demands. The U.S. Department of Justice said the campaign caused more than **$9 million in actual losses** and more than **$24 million in intended losses**. Volkov was indicted in Indiana and Pennsylvania, arrested in Rome, extradited from Italy to the United States, and later pleaded guilty after the cases were consolidated. As part of the plea, he admitted hacking victim networks, stealing data, helping co-conspirators deploy ransomware, and sharing in ransom proceeds; he was also ordered to pay at least **$9,167,198.19** in restitution and forfeit equipment used in the crimes.
Mar 27, 2026