A Latvian national based in Moscow has been sentenced to 102 months in a United States federal prison for helping a Russian-linked ransomware network steal data and extort more than 54 organisations across several countries.
Deniss Zolotarjovs, 35, acted as a negotiator and pressure specialist for a cybercrime organisation led by former senior figures from the Conti ransomware ecosystem. His work sat at the centre of a model that combined corporate intrusions, data theft, psychological coercion and cryptocurrency laundering to extract payments from victims between June 2021 and August 2023.
The sentence, equal to eight and a half years, follows his guilty plea in July 2025 to conspiracy to commit money laundering and wire fraud. Zolotarjovs was arrested in Georgia in December 2023 and transferred to US custody in August 2024 after contesting extradition. His sentencing marks one of the more visible prison terms imposed on a ransomware negotiator rather than a malware developer or network intruder.
The organisation he served used several names in ransom notes and victim communications, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware and Akira. That pattern reflects the increasingly fluid structure of the ransomware economy, where groups rebrand, splinter and reuse personnel after law-enforcement pressure or internal leaks. Conti’s public collapse in 2022 did not end its wider network; many of its operators and affiliates moved into successor brands or parallel extortion crews.
Zolotarjovs’s role was not limited to passing messages between hackers and targets. Investigators found that he analysed stolen data, researched victim companies and escalated pressure when organisations resisted payment. He specialised in identifying sensitive material that could be used to increase fear, reputational risk and operational disruption.
One of the most serious episodes involved a paediatric healthcare company. Zolotarjovs used children’s health information as leverage after the organisation refused to pay. He urged associates to leak or sell copies of the records to frighten future victims. When another member suggested sending each child’s data individually, he instead supported sending a broad package of sensitive records to hundreds of patients, saying that individual handling would take too much time.
The attacks attributed to the network produced severe financial damage. Losses from 13 identified victim companies exceeded $56 million, including about $2.8 million in ransom payments. A further 41 victim organisations paid about $13 million in ransoms, though detailed loss statements were not available for each. The wider damage, including recovery costs, business interruption, legal exposure, customer notification and reputational harm, is believed to run into hundreds of millions of dollars.
The human impact extended beyond balance sheets. Stolen data included Social Security numbers, addresses, dates of birth and healthcare records. One attack forced a government entity’s 911 emergency system offline, creating direct public safety risks. Such incidents show how ransomware groups have moved beyond conventional corporate extortion into attacks that can affect hospitals, public agencies, schools and vulnerable individuals.
Assistant Attorney General A. Tysen Duva described Zolotarjovs as a “cruel, ruthless, and dangerous international cybercriminal” and said the case showed that international hackers and extortionists could be pursued regardless of where they lived or operated. US Attorney Dominick S. Gerace II said ransomware groups used fear and psychological pressure to extract money while creating long-term security problems for victims.
The network’s operating structure resembled a business enterprise. Members were Russian or based in Russia, and for a period operated from an office building on Lakhtinskaya Street in St Petersburg. Work was divided across teams, while companies registered in Russia, Europe and the United States were used to obscure operations. The group also relied on cryptocurrency movement and anonymising tools to conceal the origin and destination of ransom proceeds.
Former law-enforcement officers were among those linked to the organisation. Their connections allegedly helped members access government databases, intimidate detractors and assess potential recruits. The group’s leadership also avoided taxes and paid bribes to shield draft-age members from compulsory military service in Russia, underlining the overlap between cybercrime, corruption and weak enforcement in permissive jurisdictions.