A member of the Russian Karakurt ransomware group has been charged in the U.S. for money laundering, wire fraud, and extortion crimes.

An investigation from the FBI uncovered that 33-year old Deniss Zolotarjovs was a member of the Karakurt extortion operation that compromised company systems, stole data, and then demanded a ransom from the victims under the threat of leaking the data publicly or selling it to other cybercriminals.

The man is a Latvian national who lived in Moscow, Russia. In December 2023 he was arrested in Georgia, Eastern Europe, and was extradited to the U.S. earlier this month.

“According to court documents, Zolotarjovs is a member of a known cybercriminal organization that attacks computer systems of victims around the world,” the U.S. Department of Justice (DoJ) says in a press release.

“The group maintains a leaks and auction website that lists victim companies and offers stolen data for download.”

Karakurt ‘cold case’ negotiator

Although the DoJ did not name the ransomware operation, court documents show the Zolotarjovs’ connection to Karakurt, where he operated under the alias “Sforza_cesarini.”

Specifically, the FBI has linked Zolotarjovs with at least six cases of extortion impacting American organizations that occurred between August 2021 and November 2023.

In one of those cases, a victimized company paid Karakurt a ransom of more than $1.3 million. Another victim negotiated and paid $250,000 to the threat actor to avoid having its data leaked.

Zolotarjovs’s role was to negotiate so-called “cold case extortions” for the Karakurt operation, when communication after the attack had halted without a ransom being paid.

Zolotarjovs was identified through cryptocurrency tracing, communication analysis, and data obtained from search warrants executed on Rocket.Chat, linking him to the extortion and money laundering activities.

Karakurt is a cyber gang that launched operations in mid-2021, focusing entirely on data exfiltration and extortion without deploying any encryption tools in the attacks.

Between September to November 2021, the group had published 40 victims on its public leaks site, 95% of them being based in North America.

In April 2022, Karakurt was exposed as being a data extortion arm of Conti, a notorious cybercrime syndicate that has since been dismantled.

In June 2022, the U.S. authorities warned victims of Karakurt not to pay a ransom, noting that the hackers would most likely sell the data to others anyway, and not delete it as promised.

The next month, Karakurt launched a search tool on its leak site to make it easier to find specific data in the stolen datasets, effectively empowering the blackmail process and increasing the pressure on the victims.

Zolotarjovs is the first Karakurt member to be arrested and extradited to the U.S., and this success could lead to the identification and prosecution of more members in the future.

Regarding the potential sentence, each of the mentioned crimes incurs a maximum of 20 years in prison, plus a fine of up to $500,000 or twice the value of property involved in the transaction for conspiracy to commit money laundering.