Fbhchile

2026-05-11 02:36:49

Cyber Justice: Major Ransomware Convictions and New Cloud Worm Threat Emerge

U.S. sentences Karakurt ransomware negotiator to 9 years; DPRK IT worker facilitators get 18 months. New PCPJack worm steals cloud credentials.

Ransomware Negotiator Sentenced to Nearly Nine Years

Federal authorities have secured a landmark sentence against Deniss Zolotarjovs, a Latvian national extradited to the U.S. for his role as a negotiator for the Karakurt extortion syndicate. The court handed down an eight-year and ten-month prison term, marking the first federal conviction of a Karakurt member.

Source: www.sentinelone.com

Zolotarjovs, known online as Sforza_cesarini, specialized in re-contacting victims who had stopped communicating with the extortion group. He used stolen personal data and sensitive health information—including children’s medical records—to pressure victims into paying ransoms.

“This sentencing sends a clear message that cyber extortion will not be tolerated,” said a senior FBI official. “The Justice Department will continue to dismantle these criminal networks and bring their members to justice.”

The Karakurt operation has extorted an estimated $56 million from dozens of organizations worldwide.

DPRK IT Worker Facilitators Sentenced

In a separate case, two American nationals, Matthew Knoot and Erick Prince, received 18-month prison sentences for operating laptop farms that enabled North Korean IT workers to infiltrate nearly 70 U.S. companies. The workers used stolen identities and remote desktop software to pose as legitimate domestic employees.

“These facilitators helped North Korea bypass economic sanctions and steal sensitive data,” said an FBI spokesperson. “We urge companies to verify identities and monitor remote access tools.”

Background

The Karakurt syndicate has been active since 2021, focusing on data theft and extortion rather than encryption. The conviction of Zolotarjovs is a milestone in U.S. efforts to hold cybercriminals accountable across borders.

North Korean IT worker infiltration has been a growing concern, with thousands of workers targeting U.S. firms to fund the regime. The FBI continues to warn about this persistent threat.

What This Means

These convictions demonstrate increased international cooperation and legal pressure on cybercriminal networks. However, the emergence of new threats like PCPJack shows the landscape remains volatile.

SentinelLABS researchers exposed PCPJack, a credential theft worm that hunts and evicts rival threat group TeamPCP. The worm harvests cloud access keys, Kubernetes tokens, Docker secrets, and cryptocurrency wallets without deploying cryptominers.

“PCPJack is a sophisticated, targeted tool that actively eliminates competition while stealing credentials,” said a SentinelLABS analyst. “This marks a new level of aggression in cloud-based threats.”

The infection begins with a shell script that downloads specialized Python modules from an attacker-controlled Amazon S3 bucket. Organizations should review cloud access policies and monitor for unusual S3 activity.

For more details on the convictions, see Background.