First U.S. Karakurt Sentencing: 8.5 Years for the Negotiator Who Mailed Kids' Records
The DOJ sentenced Latvian national Deniss Zolotarjovs to 102 months in prison on May 4, 2026, the first U.S. prosecution of a Karakurt member. Court documents tie the Conti-affiliated negotiator to the extortion of more than 54 organizations, more than $56 million in losses at 13 of those victims alone, and a deliberate decision to send stolen pediatric medical records to "hundreds of patients" when one healthcare company refused to pay. The FBI says the investigation is still active.
On May 4, 2026, U.S. District Judge Michael Barrett of the Southern District of Ohio, sitting in Cincinnati, sentenced Zolotarjovs (online alias "Sforza_cesarini"), 35, to 8.5 years in federal prison. Zolotarjovs was the lead ransom negotiator for a Russian ransomware organization that DOJ filings describe as led by former leaders of the Conti ransomware group and as operating under at least six brand identities: Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira. Between June 2021 and August 2023 the organization extorted more than 54 companies; 13 documented victims alone reported more than $56 million in losses. Zolotarjovs was arrested in the country of Georgia in December 2023, extradited to the United States in August 2024, and pleaded guilty in July 2025 to conspiracy to commit wire fraud and conspiracy to commit money laundering.
Two facts matter most. This is the first U.S. prosecution of a Karakurt member, and the DOJ explicitly named Akira as one of the brands the same Conti-led organization operated during Zolotarjovs's tenure. The second detail is the one that should make threat-intel teams pause: Akira has been tracked for years as a distinct ransomware operation, and the DOJ filing places it under a single organizational umbrella with Conti, Karakurt, Royal, TommyLeaks, and SchoolBoys.
Zolotarjovs / Karakurt Case Profile

| Detail | Information |
|---|---|
| Defendant | Deniss Zolotarjovs (Денисс Золотарёвс), 35, Latvian national, resident of Moscow; online alias "Sforza_cesarini" |
| Sentence | 102 months (8.5 years); DOJ requested 126 months, defense requested 48 months |
| Charges | Conspiracy to commit wire fraud and conspiracy to commit money laundering; pleaded guilty July 2025 |
| Venue | U.S. District Court for the Southern District of Ohio (Cincinnati); Judge Michael Barrett |
| Arrest and extradition | Arrested in the country of Georgia in December 2023; transferred to U.S. custody in August 2024 after contesting extradition |
| Criminal organization | Russian ransomware organization led by former Conti leaders, based in St. Petersburg, Russia; brands include Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira |
| Period of activity | June 2021 to August 2023 |
| Confirmed victims | More than 54 companies extorted. 13 victims alone reported $56,551,689.19 in losses plus $2.8M in ransom payments; a further 41 victims paid $13M in ransoms. DOJ estimates total losses likely in the hundreds of millions |
| Role | Lead ransom negotiator; analyzed stolen data; trained other Karakurt members in extortion tactics; demanded payments of $25,000 to $13M; received 10% of negotiated ransoms in cryptocurrency, laundered through multiple wallets and converted to Russian rubles |
| Specific impact | A southern Ohio company paid $1.3M; a government entity's 911 system was forced offline; pediatric healthcare company "Victim Company-6" had patient data sent to hundreds of patients |
| Status | First and so far only identified Karakurt member prosecuted in a U.S. court; FBI investigation active; likely to be deported to Russia after serving his sentence |
The Pediatric Healthcare Attack
The DOJ's sentencing memorandum reserved its sharpest language for what Zolotarjovs did when a pediatric healthcare IT provider, identified in court documents only as "Victim Company-6," refused to pay. According to the DOJ press release, Zolotarjovs "deliberately leveraged children's health information for extortion." When the company would not pay, he urged his co-conspirators to be "DESTROYERS" and to leak or sell the children's medical records to "sow fear among future victims." When one co-conspirator suggested sending each pediatric patient only that patient's own data, Zolotarjovs rejected the effort involved. He instead sent a "general pack" of sensitive data to "hundreds of patients," which meant each recipient received other children's records as well as their own, telling his colleagues that sending each recipient only their own data would be "routine work" he had no time for.
This is a documented escalation pattern, not a one-off. Healthcare CISOs should read the DOJ sentencing memorandum directly and use its specific facts in tabletop exercises. The pattern: the extortion group steals patient data, demands a ransom, and when the victim refuses, escalates by sending data samples directly to patients, with the implicit message that the next mailing will be worse. Pre-script your incident-response communications for this scenario specifically. The right response is notification to the HHS Office for Civil Rights and to the affected individuals within the HIPAA breach-notification window (a mailing to patients means the breach is already public, so that clock is running), preservation and documentation of the threat communications for criminal referral to the FBI, and a refusal to reward the pressure tactic by paying.
What "Member of a Conti-Led Organization" Means for Threat Intel
The DOJ's framing of the criminal organization is the most important threat-intelligence detail in the filing. The press release does not call Zolotarjovs a "Karakurt member" — it describes him as a member of a Russian ransomware organization "led by former leaders of the Conti ransomware group" that operated under multiple brand names: Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira. SecurityWeek's coverage adds Blockbit to the list of associated aliases.
For defenders relying on threat-intel groupings to weight risk and prioritize controls, this matters. Akira in particular has been tracked across the industry as a distinct ransomware operation — separate from Conti, separate from Karakurt, with its own leak site, affiliate program, and TTP fingerprint. The DOJ filing places Akira inside a single operational organization with five other brands. Two interpretations are available: (1) the same operators run multiple brand identities to confuse attribution and create the appearance of a more diverse threat landscape, or (2) the DOJ's "organization" framing is broader than how threat-intel firms typically draw operational boundaries, and the brand-link is real but loose.
Either way, defenders who track these as six fully distinct groups have probably been inflating their adversary count and splitting intelligence that belongs together; defenders who track them as one organization now have DOJ filing language to back the assessment. Treat IOCs and TTPs across the six brands as more correlated than public threat-intel groupings have suggested, but correlate at the actor level rather than flattening the brand-level TTP sets. The brands still differ in tradecraft (Karakurt, for example, ran exfiltration-and-extortion operations without deploying an encryptor, while Akira deploys one), so detections tuned to one brand's tooling should not be retired just because the operators are shared.
The Two-Sentencing Pattern in Five Days
The Zolotarjovs sentence is the second federal ransomware sentencing in five days. On April 30, the U.S. District Court for the Southern District of Florida sentenced two former cybersecurity-firm employees to four years in prison each for conducting BlackCat (ALPHV) ransomware attacks while employed in incident-response roles. Ryan Clifford Goldberg, 40, was a former Sygnia incident response manager; Kevin Tyler Martin, 36, was a former DigitalMint ransomware negotiator. They acted as BlackCat affiliates between April and December 2023, paying 20% of ransom proceeds to the BlackCat operators in exchange for access to the ransomware platform. Their co-conspirator, Angelo Martino, also a former DigitalMint negotiator, pleaded guilty in April 2026 and is awaiting sentencing on July 9.
The Goldberg/Martin case is operationally distinct from the Zolotarjovs case (different ransomware family, different defendants, different venue), but it sits inside the same DOJ enforcement push: two ransomware prosecutions in five days, both arising from the affiliate economy that outlived Conti, both producing prison sentences for people who made their living negotiating ransoms, on one side of the table or the other. Combined with the April 23 Scam Center Strike Force action that restrained $701 million in cryptocurrency and seized a Telegram channel, the message to ransomware operators is that international enforcement has acquired meaningful operational tempo.
What the FBI Cincinnati Field Office Is Saying
FBI Cincinnati Special Agent in Charge Jason Cromartie told reporters at the sentencing that the FBI's investigation into Karakurt remains active and could lead to additional charges against other organization members. The bureau tracked more than 70 ransomware attacks in southern Ohio in 2025 alone — a 50% increase year-over-year. The Zolotarjovs case is the first identified Karakurt prosecution in a U.S. court; it is unlikely to be the last.
For organizations that paid ransoms to Karakurt, Conti, Royal, TommyLeaks, SchoolBoys, or Akira during the June 2021 to August 2023 window, this is the right moment to engage legal counsel. The DOJ's sentencing memorandum lays out how the money moved: a 10% commission to Zolotarjovs on negotiated payments, laundering through multiple wallets, and conversion to Russian rubles. A victim will not see that split in its own records, but it will hold the pieces investigators use to reconstruct it: the wallet address the payment went to, the transaction ID, the negotiation transcripts or portal screenshots, and any samples the extortionists sent to prove possession. Records that organizations once treated as embarrassing but legally finished may now have evidentiary value to the FBI's continuing investigation.
Defender Actions
- Healthcare CISOs and compliance leads: add the pediatric-data-as-leverage scenario to your tabletop exercises this quarter, using the facts in the DOJ sentencing memorandum. Pre-script the IR communications: notification to HHS OCR and to affected individuals inside the HIPAA breach-notification window (a mailing to patients means the breach is already public), preservation of the threat communications for criminal referral, and a clear policy not to pay when an extortion group threatens to mail patient samples, because paying validates the tactic for the next victim.
- For all defenders running threat-intel programs: review your tracking of Conti, Karakurt, Royal, TommyLeaks, SchoolBoys, Akira, and Blockbit. The DOJ has now placed the first six brands inside a single organizational umbrella, and SecurityWeek's reporting adds Blockbit as a possible seventh. If your IOC pipelines treat these as fully separate actors, recalibrate the actor mapping while keeping the brand-level indicators intact. If your detection rules already correlate them, the DOJ filing now backs the assessment.
- For organizations that paid ransoms in 2021–2023: review your transaction records with counsel. Receiving wallet addresses, transaction IDs, and negotiation transcripts from that window can be matched against the laundering pathway described in the Zolotarjovs filing (10% negotiator commission, multi-wallet hops, Russian-ruble cashout) and may have evidentiary value to the FBI's ongoing Karakurt investigation. Proactive engagement with FBI Cincinnati is a legal-counsel call, not a security-team call, but it should be on the agenda.
- Brief your board on the enforcement-acceleration trend, with the right caveat. Two federal ransomware sentencings in five days plus a $701M April crypto-scam crackdown is a meaningful uptick, but it does not reduce ongoing risk. The underlying operations continue to migrate brand by brand. The board takeaway is "international cyber enforcement is finally producing prosecutions" paired with "the underlying operations have not stopped, only rotated."
- For incident-response and ransom-negotiation firms: the Goldberg/Martin/Martino case (separate but contemporaneous with Zolotarjovs) is the insider-threat data point your industry has not wanted to absorb. The professional context — incident responders flipping to ransomware affiliate work — was central to the DOJ's sentencing arguments. Review hiring, ongoing-monitoring, and access-control policies for personnel handling ransomware engagements.
The CyberSignal Analysis
Signal 01 — The DOJ now treats Conti, Karakurt, and Akira as one organization
The threat-intel implication of the DOJ's brand list deserves more attention than the headlines have given it. Akira has been tracked separately since 2023 with its own leak site and operational fingerprint. The DOJ filing is the U.S. government stating, in a court document supporting an 8.5-year sentence, that the same Russian organization ran all six brands. That is not a vendor's marketing claim or a threat-intel report's hypothesis; it is a factual assertion the government put before a federal judge, tied to a specific defendant's conduct over 26 months. It remains the government's framing rather than an adjudicated finding on the point, which is why the two readings offered above both stay open, but defenders modeling these as six unrelated adversaries are now operating against a less accurate threat picture than the one the U.S. government has formally articulated. The right read is to consolidate IOC, TTP, and tooling intelligence across the six brands at the actor level and treat cross-brand correlation as the default assumption.
Signal 02 — Pediatric data as extortion leverage is a documented operational pattern, not a horror story
The Zolotarjovs case is the cleanest, most legally documented version yet of an extortion playbook that healthcare security teams have been quietly tracking for two years. The pattern: when ransom is refused, extortion groups send patient-data samples directly to identified patients. The implicit threat is that the next mailing will reach more people, with worse data, including data the patient does not yet know was stolen. This works as a pressure tactic specifically because the patient becomes the secondary victim and creates pressure on the healthcare provider through their existing relationship. Pre-existing IR playbooks that focus on negotiation, decryption, and breach notification are insufficient. The right addition is a specific scenario walkthrough: stolen patient data has been mailed to identified patients, the breach is now publicly disclosed via that mailing, and the healthcare provider is hours from receiving patient calls. What does the comms team say, what does the IR team do, what does counsel advise? Workshop this now.
Signal 03 — Insider risk in incident response is the unaddressed corner of the ransomware ecosystem
The Goldberg/Martin/Martino case sits adjacent to Zolotarjovs but represents a different and arguably more disruptive threat model. Three professionals employed in cybersecurity incident-response and ransomware-negotiation roles used their privileged access and knowledge to operate as ransomware affiliates against U.S. companies — including in cases where the IR firms they worked for were retained to help victims they themselves had attacked. The professional irony is the headline; the structural problem is that ransomware-negotiation firms occupy a position of extreme privilege in their clients' environments and decision-making, with limited external oversight. Most enterprise CISOs do not have a control framework that would have caught Goldberg, Martin, or Martino. The next twelve months should produce ransomware-negotiation industry standards on personnel screening, access logging, and engagement-conflict checks. Until then, treat IR-firm engagements with the same vendor-risk rigor as your most sensitive third-party access — because it is.