A 33-year-old Latvian national, Deniss Zolotarjovs, residing in Moscow, Russia, has been charged in the United States for allegedly engaging in data theft, extortion, and laundering ransom payments since August 2021.
Known by the alias "Sforza_cesarini," Zolotarjovs faces charges of conspiring to commit money laundering, wire fraud, and Hobbs Act extortion. He was apprehended in Georgia in December 2023 and extradited to the U.S. earlier this month.
"Zolotarjovs is a member of a known cybercriminal organization that attacks computer systems of victims around the world," the U.S. Department of Justice (DoJ) announced in a recent press release.
"The Russian cybercrime group steals victim data and threatens to release it unless the victim pays ransom in cryptocurrency. The group maintains a leaks and auction website that lists victim companies and offers stolen data for download."
Zolotarjovs is suspected of being an active participant in this cybercrime organization, collaborating with other gang members and laundering ransom payments collected from victims.
While the DoJ did not disclose the cybercrime group's name, a complaint filed on November 28, 2023, in the U.S. District Court links Zolotarjovs to the Karakurt data extortion group. Karakurt emerged as a splinter faction following the crackdown on the Conti ransomware gang in 2022.
"Further analysis of Sforza's communications [on Rocket.Chat] indicated Sforza appeared to be responsible for conducting negotiations on Karakurt victim cold case extortions, as well as open-source research to identify phone numbers, emails, or other accounts at which victims could be contacted and pressured to either pay a ransom or re-enter a chat with the ransomware group," stated the Federal Bureau of Investigation (FBI).
"Sforza also discussed efforts to recruit paid journalists to publish news articles about victims in order to convince the victims to take Karakurt's extortion demands seriously."
The FBI was able to connect the online alias "Sforza_cesarini" to Deniss Zolotarjovs by tracing Bitcoin transactions made in September 2021 from a cryptocurrency wallet registered to an Apple iCloud account.
The FBI further revealed that some of the illicit proceeds were funneled through multiple addresses before ending up at a deposit address linked to Garantex, specifically a Bitcoin24.pro account associated with the same email address. This discovery led the FBI to issue a search warrant to Apple in September 2023 to obtain records related to the email address.
The information provided by Apple showed that the Rocket.Chat account ID "Sforza_cesarini" was accessed using the same IP addresses at similar times as those used to access the email account dennis.zolotarjov@icloud[.]com.
Zolotarjovs is the first alleged member of the Karakurt group to be apprehended and extradited to the U.S., a significant milestone that may lead to the identification and prosecution of other members.
"Karakurt actors have contacted victims' employees, business partners, and clients with harassing emails and phone calls to pressure the victims to cooperate," the U.S. government noted in a bulletin last year. "The emails have contained examples of stolen data, such as social security numbers, payment accounts, private company emails, and sensitive business data belonging to employees or clients."
Reference: www.thehackernews.com
