Karakurt Ransomware Negotiator Sentenced to 8.5 Years — $56 Million in Damages Across 53 Victims

Summary

Deniss Zolotarjovs, a Latvian national who served as a negotiator for the notorious Karakurt ransomware group (also tracked as TommyLeaks and SchoolBoys Ransomware), has been sentenced to 8.5 years in a U.S. federal prison. Zolotarjovs played a key role in analyzing stolen data and conducting or advising on ransom negotiations for attacks that caused over $56 million in losses across at least 53 entities between June 2021 and March 2023.

The Karakurt group differentiated itself from typical ransomware operations by focusing primarily on data exfiltration and extortion rather than encrypting victim systems. Victims were threatened with public release of stolen data if ransom demands were not met. The sentencing, announced on May 4-5, 2026, represents one of the more significant law enforcement actions against ransomware operators in recent months.

Source

📰 U.S. Department of Justice — Karakurt Negotiator Sentenced

📰 SecurityWeek — Karakurt Ransomware Negotiator Sentenced to Prison

Commentary

It’s always satisfying to see actual consequences for ransomware operators. The 8.5-year sentence sends a clear message that the “negotiator” role — often seen as a layer of insulation from the technical crime — doesn’t provide legal protection. Zolotarjovs wasn’t writing exploit code; he was the person who told victims how much to pay and when. The courts are correctly treating that as direct participation in the criminal enterprise.

Karakurt’s model of pure data extortion (no encryption) is worth noting because it’s become increasingly common. It’s cheaper to operate, harder for victims to detect, and sidesteps the “just restore from backup” defense. The $56 million figure across 53 victims averages over $1 million per attack — not the biggest numbers in ransomware, but consistently profitable. Expect more arrests in this space as international law enforcement cooperation continues to tighten.