Latvian Cybercriminal Extradited to U.S. for Involvement in Karakurt Hacking Group

A Latvian hacker has been extradited to the United States for his involvement in the notorious Karakurt cybercrime group. The extradition highlights the global effort to combat cybercriminals involved in large-scale hacking and ransomware attacks.

Aug 23, 2024 - 17:01

A 33-year-old Latvian national residing in Moscow, Russia, has been indicted in the United States on charges of data theft, extortion, and money laundering linked to ransomware activities dating back to August 2021.

Deniss Zolotarjovs (also known by the alias Sforza_cesarini) faces accusations of conspiracy to commit money laundering, wire fraud, and Hobbs Act extortion. He was apprehended in Georgia in December 2023 and was extradited to the U.S. earlier this month.

"Zolotarjovs is a member of a well-known cybercriminal organization that targets computer systems of victims worldwide," stated the U.S. Department of Justice (DoJ) in a press release this week.

This Russian cybercrime group specializes in stealing victim data and issuing threats to publicly release it unless a ransom is paid in cryptocurrency. They operate a leaks and auction website where stolen data is made available for download.

Zolotarjovs is believed to have played an active role in this e-crime group, collaborating with other members and laundering ransom payments collected from their victims.

Although the DoJ did not name the cybercrime syndicate, a complaint filed on November 28, 2023, in the U.S. District Court, connects Zolotarjovs to a data extortion gang known as Karakurt. This group emerged as a splinter faction following the crackdown on Conti in 2022.

The FBI's investigation into Sforza's communications on Rocket.Chat indicated that Sforza was likely involved in negotiating cold case extortions for victims of Karakurt, as well as performing open-source research to find contact details like phone numbers and emails. This information was used to pressure victims into paying ransoms or re-engaging with the ransomware group.

Sforza was also involved in discussions about hiring journalists to publish news articles about victims to increase pressure and seriousness around Karakurt's extortion demands.

The FBI's complaint notes that investigators were able to trace the online alias "Sforza_cesarini" back to Deniss Zolotarjovs by tracking Bitcoin transfers made in September 2021 from a cryptocurrency wallet linked to an Apple iCloud account.

Law enforcement officials further disclosed that some of the illicit funds were laundered through multiple addresses before ending up at a Garantex deposit address, specifically a Bitcoin24.pro account associated with the same email address. This led to a search warrant issued to Apple in September 2023 to obtain records linked to the email account.

The FBI found that the Rocket.Chat account "Sforza_cesarini" was accessed by the same IP addresses at similar times as those used to access dennis.zolotarjov@icloud[.]com.

Zolotarjovs is the first alleged Karakurt member to be arrested and extradited to the U.S., marking a significant step toward potentially identifying and prosecuting additional members of the group in the future.

Karakurt actors have been known to harass victims' employees, business partners, and clients through emails and phone calls, sharing stolen data such as social security numbers, payment accounts, private company emails, and sensitive business information to coerce victims into cooperating with their demands, according to a U.S. government bulletin issued last year.
