A 33-year-old Latvian national living in Moscow, Russia, has been charged in the U.S. for allegedly stealing data, extorting victims, and laundering ransom payments since August 2021.
Deniss Zolotarjovs (aka Sforza_cesarini) has been charged with conspiring to commit money laundering, wire fraud and Hobbs Act extortion. He was arrested in Georgia in December 2023 and has since been extradited to the U.S. as of this month.
“Zolotarjovs is a member of a known cybercriminal organization that attacks computer systems of victims around the world,” the U.S. Department of Justice (DoJ) said in a press release this week.
“Among other things, the Russian cybercrime group steals victim data and threatens to release it unless the victim pays ransom in cryptocurrency. The group maintains a leaks and auction website that lists victim companies and offers stolen data for download.”
Zolotarjovs is believed to have been an active member of the e-crime group, engaging with other members of the gang and laundering the ransom payments received from victims.
While the name of the cybercrime syndicate was not mentioned by the DoJ, a November 28, 2023, complaint filed in the U.S. District Court links the defendant to a data extortion crew tracked as Karakurt, which emerged as a splinter group in the wake of the crackdown on Conti in 2022.
“Further analysis of Sforza’s communications [on Rocket.Chat] indicated Sforza appeared to be responsible for conducting negotiations on Karakurt victim cold case extortions, as well as open-source research to identify phone numbers, emails, or other accounts at which victims could be contacted and pressured to either pay a ransom or re-enter a chat with the ransomware group,” the Federal Bureau of Investigation (FBI) said.
“Sforza also discussed efforts to recruit paid journalists to publish news articles about victims in order to convince the victims to take Karakurt’s extortion demands seriously.”
The FBI noted in its complaint that it was able to link the online alias “Sforza_cesarini” to Deniss Zolotarjovs by tracing Bitcoin transfers made in September 2021 from a cryptocurrency wallet that was registered to an Apple iCloud account.
The law enforcement agency further said some of the illicit proceeds were laundered through several addresses before arriving at a deposit address associated with Garantex, specifically a Bitcoin24.pro account bearing the same email address, prompting it to issue a search warrant to Apple in September 2023 for obtaining the records associated with the email address.
From the information shared by the tech giant, the FBI said the Rocket.Chat instant messaging account ID “Sforza_cesarini” was “accessed by the same IP addresses at or about the same times, on multiple occasions, as those used to access dennis.zolotarjov@icloud[.]com.”
Zolotarjovs is the first alleged group member of Karakurt to be arrested and extradited to the U.S., a feat that could pave the way for the identification and prosecution of additional members in the future.
“Karakurt actors have contacted victims’ employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate,” the U.S. government said in a bulletin last year. “The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients.”
