US Sentences REvil Affiliate and Jails Karakurt Operative in Ransomware Crackdown
The United States sentenced Yaroslav Vasinskyi (Rabotnik), a Ukrainian affiliate of the Sodinokibi/REvil ransomware operation, to 13 years and 7 months in prison for his role in more than 2,500 attacks that collectively sought over $700 million in ransom payments. Prosecutors said the scheme encrypted victim networks, threatened to leak stolen data, and used cryptocurrency exchangers and mixing services to launder proceeds; the court also ordered more than $16 million in restitution. U.S. authorities said related forfeiture actions recovered assets including 39.89138522 Bitcoin and $6.1 million, and credited cooperation with Polish authorities for Vasinskyi’s extradition and prosecution.
In a separate but related enforcement action, Deniss Zolotarjovs, a Latvian national tied to the Karakurt extortion operation and linked by investigators to the broader Conti ecosystem, was sentenced to 102 months in prison after U.S. prosecutors accused him of helping pressure victims with stolen data, reviving unresolved extortion cases, and laundering cryptocurrency. Authorities said the Russian-linked group targeted more than 54 companies worldwide, including victims whose stolen records included sensitive medical information, and generated losses exceeding $56 million across 13 victims with roughly $13 million more paid by 41 additional companies. The cases underscore sustained cross-border law enforcement action against ransomware and data-extortion actors operating through Russia-linked criminal networks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Zolotarjovs sentenced for role in ransomware extortion group
U.S. authorities announced that Deniss Zolotarjovs was sentenced to 102 months in prison for helping a Russian-linked ransomware organization extort dozens of companies worldwide. Prosecutors said he analyzed stolen data and used sensitive information to pressure victims into paying.
Karakurt-linked extortion hits multiple companies
From June 2021 through August 2023, a Russian-linked ransomware and extortion organization tied to brands including Karakurt targeted more than 54 companies worldwide. Investigators said the group used stolen data, including sensitive records, to intensify pressure on victims and caused tens of millions of dollars in losses.
U.S. announces charges against alleged Karakurt member
The Justice Department announced charges against Deniss Zolotarjovs for money laundering, financial fraud, and extortion tied to the Karakurt ransomware extortion group. Court filings alleged he helped extort victims, launder cryptocurrency, and pursue renewed extortion against prior targets.
Yaroslav Vasinskyi sentenced in U.S. REvil case
The U.S. Justice Department announced that Ukrainian national Yaroslav Vasinskyi was sentenced to 13 years and seven months in prison for his role in the REvil ransomware scheme. The court also ordered more than $16 million in restitution.
REvil affiliate conducts widespread ransomware attacks
Between 2021 and his arrest, Yaroslav Vasinskyi participated in more than 2,500 ransomware attacks using the Sodinokibi/REvil variant. U.S. authorities said the conspiracy demanded over $700 million from victims and used data-leak threats and cryptocurrency laundering services to support the scheme.
DOJ secures forfeiture of REvil ransom proceeds
In 2023, the Justice Department obtained final forfeiture of assets tied to the REvil conspiracy, including 39.89138522 Bitcoin and $6.1 million linked to other members. The action was part of broader efforts to recover ransomware proceeds.
Zolotarjovs pleads guilty in U.S. case
Deniss Zolotarjovs pleaded guilty to conspiracy charges involving money laundering and wire fraud for his role in the ransomware-linked extortion organization. The plea followed his extradition to the United States.
Deniss Zolotarjovs extradited to the United States
Zolotarjovs was extradited from Georgia to the United States to face charges related to the Karakurt-linked extortion operation. One reference places the extradition in August 2024.
Deniss Zolotarjovs arrested in Georgia
Authorities arrested Latvian national Deniss Zolotarjovs in Georgia in connection with his alleged role in the Karakurt-linked extortion organization. U.S. prosecutors later described him as the first alleged Karakurt member arrested for extradition to the United States.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Ransomware Organization Sentencing: Key Operative Jailed
thecyberexpress.com
Open sourceU.S. charges Karakurt extortion gang’s “cold case” negotiator
bleepingcomputer.com
Open sourceUS charges alleged member of Russian Karakurt ransomware group | The Record from Recorded Future News
therecord.media
Open sourceUkrainian REvil gang member sentenced to 13 years in prison
securityaffairs.com
Open sourceOffice of Public Affairs | Sodinokibi/REvil Affiliate Sentenced for Role in $700M Ransomware Scheme | United States Department of Justice
justice.gov
Open sourceMember of ransomware gang sentenced to more than 13 years in prison over 2021 attack | CNN Politics
edition.cnn.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Latvian Karakurt Negotiator Sentenced for Conti-Linked Ransomware Extortion
A U.S. court sentenced Latvian national **Deniss Zolotarjovs** to **102 months in prison** for his role in a Russia-linked ransomware and data-extortion organization run by former **Conti** members and operating under brands including **Karakurt**, **Royal**, **TommyLeaks**, **SchoolBoys Ransomware**, and **Akira**. Prosecutors said Zolotarjovs acted as a primary negotiator and extortion specialist from June 2021 to August 2023, researching victims, analyzing stolen data, setting ransom pressure points, and taking a share of proceeds. He was arrested in Georgia in December 2023, extradited to the United States in August 2024, and later pleaded guilty to conspiracy to commit **wire fraud** and **money laundering**. The Justice Department said the group targeted more than **54 companies**, collected roughly **$15 million to $16 million** in confirmed ransom payments, and caused at least **$56 million** in documented losses across 13 victims, with total damage likely reaching **hundreds of millions of dollars**. Authorities said the operation exposed highly sensitive personal data, including children’s medical records stolen from a pediatric healthcare provider that were later used to threaten victims and even sent to hundreds of patients, while another attack forced a U.S. government entity’s **911 emergency system** offline. Court filings and reporting also said the syndicate relied on front companies, corrupt contacts, and access to Russian government databases, underscoring the professionalized and well-connected structure behind the extortion campaign.
Jun 8, 2026
DOJ Charges REvil Operators Over Kaseya Supply-Chain Ransomware Attack
U.S. authorities charged alleged **Sodinokibi/REvil** operators Yaroslav Vasinskyi of Ukraine and Yevgeniy Polyanin of Russia over ransomware attacks that included the compromise of Kaseya's remote management software, an intrusion that cascaded to managed service providers and their customers worldwide. The Kaseya incident was reported to have affected as many as **1,500 organizations**, with attackers allegedly encrypting systems, leaving ransom notes, and directing victims to Tor-based or public payment sites to obtain decryption keys; victims that did not pay were allegedly threatened with the publication or sale of stolen data. The Justice Department said Vasinskyi was arrested in Poland, later extradited to the United States, and arraigned in Texas on charges including conspiracy to commit computer fraud, damage to protected computers, and money laundering conspiracy. In parallel, U.S. authorities seized **$6.1 million** in alleged ransom proceeds tied to Polyanin, part of a broader multinational enforcement effort involving the FBI, Europol, Eurojust, and law enforcement partners across Europe and other allied countries to disrupt the REvil ransomware operation linked to the Kaseya attack.
May 25, 2026
Conti Developer Pleads Guilty for Role in Global Ransomware Campaign
Ukrainian national **Oleksii Oleksiyovych Lytvynenko** pleaded guilty in U.S. federal court to **conspiracy to commit wire fraud** for his role in the **Conti** ransomware operation, one of the most prolific cybercrime campaigns tracked by U.S. authorities. Prosecutors said Lytvynenko joined Conti by September 2021, helped develop a malware loader used to gain initial access to victim networks, and possessed data stolen from 12 victims, including eight in the United States. He was arrested in Ireland in July 2023, extradited to the United States in October 2025, and now faces up to **20 years in prison**, with sentencing scheduled for September 2026. The Justice Department said Conti targeted more than **1,000 victims** across **47 U.S. states**, Puerto Rico, Washington, D.C., and about **31 countries**, extorting more than **$150 million** in ransom payments. In one part of the case, prosecutors said Lytvynenko and co-conspirators collected about **$634,000 in Bitcoin** from two Tennessee victims and leaked stolen data from another Tennessee organization after a **$3 million** ransom demand was rejected. The plea comes as U.S. authorities continue pursuing other alleged Conti members; earlier indictments also tied the group’s breakup to successor operations including **Black Basta**, **Quantum**, **Royal**, and **BlackSuit**.
Jun 15, 2026