Deniss Zolotarjovs, a 39-year-old Latvian national who served as the ransom negotiator for the Karakurt extortion gang, was sentenced to 102 months — eight and a half years — in federal prison on May 4, 2026. The sentence follows his guilty plea on charges of racketeering, money laundering, and extortion, and closes one chapter of a prosecution that began with his arrest in the country of Georgia in 2023.
The DOJ described Zolotarjovs as the gang’s “pressure escalator” — the person responsible for moving victims who weren’t paying toward compliance. That pressure took concrete form: threats to publish stolen data, direct contact with victim organizations’ customers and business partners, and negotiations designed to extract maximum payment before any deadline expired.
What Karakurt Actually Was
Karakurt operated differently from most ransomware gangs. There was no encryption. The gang’s leverage was pure extortion: exfiltrate sensitive data, then threaten publication unless a ransom was paid. For victims, this meant no ransomware decryptor to negotiate around, no disaster recovery playbook to fall back on — just a countdown clock and a criminal on the other end of the line with copies of your files.
Karakurt was led by former operators of Conti and Akira — two of the most damaging ransomware enterprises of the last decade. Conti’s leadership was sanctioned by the U.S. Treasury for alleged ties to Russian intelligence. That pedigree gave Karakurt both the technical infrastructure and the operational discipline to run a sustained extortion campaign across multiple sectors.
The gang targeted more than 54 companies. At least $15 million in ransoms were paid. The actual total is almost certainly higher — ransom payments to groups like Karakurt are systematically underreported, both because victims don’t want the reputational exposure and because many payments happen under NDAs that preclude disclosure.
Three Years, Three Countries
Zolotarjovs’s path to a federal courtroom wound through three countries over three years.
He was arrested in Georgia — the country, not the state — in 2023, acting on a U.S. warrant. Getting him from Tbilisi to a U.S. courtroom required extradition proceedings that concluded in August 2024, when he landed in American custody. He subsequently pleaded guilty, and sentencing came in May 2026.
The multi-year timeline is a reminder of how long international cybercrime prosecutions actually take — from initial identification, to arrest in a third country, to extradition, to plea, to sentence. Zolotarjovs was arrested roughly two years before he was sentenced. Victims of Karakurt’s campaigns waited that entire time for any resolution.
The Pressure Escalator Role
The DOJ’s characterization of Zolotarjovs as a “pressure escalator” is worth examining on its own terms. In the ransomware-as-a-service ecosystem, labor is specialized. There are developers who write and maintain the malware, operators who run intrusions, affiliates who deploy ransomware against specific targets, and negotiators who handle victim contact.
Zolotarjovs occupied the last category — but in a gang with no encryption payload, the negotiation function was even more central. He wasn’t explaining how to use a decryptor. He was managing extortion timelines, making threats, and extracting payments from organizations that had no technical path to recovering their data regardless of whether they paid.
The sentence reflects both the severity of his conduct and the cooperation that typically accompanies a guilty plea. 102 months is meaningful — the maximum exposure for his charges was substantially higher — but it also doesn’t account for time served in Georgian custody before extradition, which will likely be credited.
The Broader Karakurt Story
Karakurt’s emergence in 2021 tracked closely with Conti’s internal collapse. When Conti’s internal communications were leaked in early 2022 — a Ukrainian researcher published tens of thousands of internal messages after Russia invaded — the group publicly claimed it was shutting down while its leadership quietly redistributed across new ventures. Karakurt was one of those ventures.
The data-only extortion model Karakurt used has since been adopted more broadly across the ransomware ecosystem. Groups have increasingly recognized that encryption is operationally expensive and creates liability: if a hospital or critical infrastructure operator loses access to systems, the political and law enforcement response escalates dramatically. Pure exfiltration with extortion threats achieves comparable leverage with less heat.
The sentencing of Zolotarjovs doesn’t touch Karakurt’s leadership — former Conti and Akira operators who remain at large, almost certainly in Russia — but it removes one of the gang’s most active operational members from circulation for the better part of a decade.
