Karakurt ransomware negotiator sentenced for extorting pediatric health data
Farah Amod
May 21, 2026
A Latvian national who specialized in reviving stalled ransomware negotiations became the first Karakurt member sentenced in the US, after using stolen children's medical records as leverage against a pediatric healthcare provider.
What happened
Deniss Zolotarjovs, a 35-year-old Latvian national operating from Moscow, has been sentenced to 102 months in US federal prison after pleading guilty to conspiracy to commit wire fraud and money laundering tied to his part in the Karakurt ransomware extortion group. According to BleepingComputer, Zolotarjovs served as a "cold case" negotiator for the group, specializing in re-engaging victims who had stopped responding to ransom demands without paying. The FBI linked him to at least six extortion cases against American organizations between August 2021 and November 2023. Karakurt, led by former Conti ransomware group members, compromised systems across more than 54 organizations during his involvement, generating over $56 million in losses. Victims included businesses, government entities, and a pediatric healthcare provider. Zolotarjovs is the first Karakurt member to be sentenced in the United States.
Going deeper
Zolotarjovs did not conduct technical intrusions. His role was to analyze stolen data, research victims, set ransom demands, and apply psychological pressure to coerce payment. He earned approximately 10% of ransom payments through cryptocurrency laundering. In one case involving a pediatric healthcare provider, Zolotarjovs reviewed stolen children's medical records and recommended leaking them publicly to increase pressure on the victim. When the victim still refused to pay, he urged co-conspirators to become "DESTROYERS" and leak or sell the pediatric records to sow fear among future targets. In a separate attack, Karakurt disrupted a US 911 emergency dispatch system. Investigators identified Zolotarjovs by tracing Bitcoin transfers from a cryptocurrency wallet registered to an Apple iCloud account, which led to a search warrant revealing his online alias "Sforza_cesarini" and his communications within the group via Rocket.Chat.
What was said
Assistant Attorney General A. Tysen Duva stated in the DOJ press release: "With this sentence, a cruel, ruthless, and dangerous international cybercriminal is now behind bars. Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline. He also used stolen children's health information to increase his leverage to extort victim payments. The Criminal Division will continue to investigate and prosecute international hackers and extortionists from around the world, no matter where they live or operate."
In the know
The Zolotarjovs sentencing arrived the same week that two former employees of incident response firms Sygnia and DigitalMint were each sentenced to four years for targeting US companies in BlackCat ransomware attacks. According to BleepingComputer, both sentences occurred on the same day, reflecting a broader DOJ push to prosecute not just ransomware operators but the human infrastructure surrounding them, including negotiators, money launderers, and insiders. The DOJ also noted that Karakurt's leadership maintained connections to Russian law enforcement, using those ties to access government databases, intimidate detractors, and exempt members from military conscription through bribery.
The big picture
The Zolotarjovs case draws a direct line between the ransomware extortion economy and patient safety in healthcare. A negotiator whose specific job was to increase pressure on stalled victims chose to weaponize stolen children's medical records, not because he needed the data to extort the organization, but because exposing it would cause maximum reputational and emotional damage. For healthcare organizations, the case reinforces that ransomware groups treat stolen PHI as a lever to be applied in whatever way produces the fastest payment, independent of any legal or ethical constraint. The FBI's 2025 Internet Crime Report confirmed healthcare as the most targeted critical infrastructure sector, with 460 ransomware attacks recorded in the year, and former FBI testimony before Congress in April 2026 cited at least 47 documented patient deaths attributable to hospital ransomware attacks between 2016 and 2021.
FAQs
What is a cold case extortion negotiator?
A cold case extortion negotiator re-engages victims who have stopped communicating with a ransomware group without paying. The role involves researching the victim, identifying pressure points in the stolen data, and applying targeted coercion to revive a stalled negotiation.
Why was pediatric health data specifically chosen as leverage?
Children's medical records contain sensitive diagnoses, treatment histories, and identifying information. Threatening to expose that data publicly creates reputational, legal, and emotional pressure on a healthcare provider beyond the financial cost of the ransom itself, which is precisely why Zolotarjovs recommended its use when standard demands failed.
How did law enforcement identify Zolotarjovs?
Investigators traced Bitcoin transfers from a cryptocurrency wallet registered to an Apple iCloud account, obtained a search warrant, and connected the account to Zolotarjovs' online alias. Rocket.Chat communications seized under a warrant then confirmed his part in specific extortion cases.
What does this sentence signal to others operating in similar roles within ransomware groups?
The 8.5-year sentence targets a non-technical support role rather than a hacker or system operator, demonstrating that US prosecutors are willing to pursue every function within a ransomware organization's structure. Combined with the same-day sentencing of two incident response insiders, it signals active enforcement across the full ecosystem.
Why does Karakurt's connection to former Conti members matter?
Conti was one of the most prolific ransomware operations ever documented before its public collapse in 2022. Former members did not exit the criminal ecosystem; they reorganized under new brands, including Karakurt, Royal, Akira, and others. Prosecuting Karakurt members, therefore, targets infrastructure and personnel with roots in a much larger criminal network.
