DigitalMint Ransomware Negotiator Sentenced for Insider Fraud

Ex‑DigitalMint ransomware negotiator jailed for extorting clients and aiding BlackCat

The sentencing of a former DigitalMint ransomware negotiator for insider fraud has sent shockwaves through the cyber incident response community. The negotiator, Angelo John Martino III, was sentenced to 70 months in a US federal prison after he was found guilty of deceiving DigitalMint’s clients and conspiring with BlackCat ransomware affiliates. This unprecedented case highlights the significant risks associated with insider threats and third-party involvement during ransomware incidents.

Details of the DigitalMint Ransomware Insider Fraud Case

Between April and September 2023, five US organisations fell victim to a complex extortion scheme orchestrated from within their own trusted incident response partner. DigitalMint, a specialist in ransomware negotiations, had employed Martino, a seasoned cybersecurity professional with a background spanning roles at Booz Allen Hamilton, Tracepoint and TRM Labs, since 2022. Unbeknownst to the company, Martino was already engaged in criminal activity when hired.

Martino’s position granted him access to highly sensitive information, including the negotiating positions of victim organisations and details of their cyber insurance policy limits. Instead of representing the best interests of his clients, Martino exploited this information by secretly collaborating with BlackCat ransomware affiliates. He shared confidential details to help these attackers extract the maximum possible ransom, essentially manipulating negotiations from both sides for personal gain.

  • Non-profit organisation: Paid nearly $26.8 million in ransom
  • Financial services firm: Paid nearly $25.7 million
  • Hospitality company: Paid almost $16.5 million
  • Two other unnamed victims also paid substantial sums

Collectively, the five organisations paid a staggering $75.3 million in ransom, all while believing their negotiator was working in their best interests. Martino’s actions demonstrate the devastating financial and reputational impact that a single insider can have during a ransomware crisis.

How the Attackers Operated and Timeline of Events

Martino’s criminal activity was far from a solo operation. According to US Department of Justice records, he conspired with two additional insiders: Kevin Tyler Martin, another former DigitalMint ransomware negotiator, and Ryan Clifford Goldberg, a former incident response manager at Sygnia. Together, they participated in both insider-enabled extortion and direct ransomware deployment.

Modus Operandi

  • Martino abused his negotiator role to provide BlackCat (ALPHV) affiliates with inside information regarding targeted organisations.
  • He and his co-conspirators influenced negotiation outcomes, ensuring higher ransom payments were secured from victims.
  • In some incidents, the group themselves deployed BlackCat ransomware against additional organisations, seeking further extortion opportunities.
  • Ransom proceeds were shared among the conspirators, including a $1.3 million payment from a medical company in May 2023.

In total, the group attempted to extort funds from at least five additional US companies between April and November 2023. While only one of these new targets paid a ransom, the scheme demonstrates how technical expertise and access can be weaponised by trusted insiders.

Timeline of Key Events

  • 2022: Martino hired by DigitalMint, already involved in criminal activity
  • April–September 2023: Five DigitalMint clients pay a combined $75.3 million in ransom
  • May 2023: Medical company pays $1.3 million ransom to the group
  • April–November 2023: Additional direct BlackCat ransomware attacks carried out by the group
  • December 2023: Martin and Goldberg plead guilty to related charges
  • March 2024: Martino surrenders to authorities
  • April 2024: Martin and Goldberg each sentenced to four years in prison; Martino pleads guilty
  • June 2024: Martino sentenced to 70 months in prison

DigitalMint responded by immediately terminating Martino and suspending his system access as soon as they were notified of the investigation. The company stated that Martino had “deliberately concealed” his conduct, despite DigitalMint’s use of industry-standard background checks and compliance procedures.

Industry Implications and Organisational Response

This case underscores the growing risks that insiders and third-party service providers pose during ransomware and cyber extortion incidents. The fact that trusted negotiators and incident responders could so effectively subvert their roles for personal profit is deeply concerning for any organisation that relies on external expertise during a cyber crisis.

  • It highlights the need for robust due diligence and ongoing monitoring of third-party negotiators and incident response teams.
  • Organisations should ensure clear separation of duties and implement controls to detect and prevent insider collusion.
  • Review and update contracts, background checks and monitoring policies for all external partners involved in cyber incident response.

The direct financial losses, reputational damage and regulatory scrutiny resulting from such insider-enabled attacks can be severe and long-lasting.

What Organisations Should Do Next

In the wake of this case, organisations should:

  • Review relationships with third-party negotiators and incident response providers for potential insider risk exposure.
  • Assess and strengthen controls around the sharing of sensitive information, especially during ransom negotiations or extortion incidents.
  • Evaluate and, if necessary, update background screening and monitoring procedures for all personnel with access to sensitive data.

While the overwhelming majority of negotiators and incident responders act with integrity, this case is a sobering reminder of the potential consequences when trust is abused.

Originally reported by cyberscoop.com.

Share this bulletin

About the Author

Headshot of Jonny Pelter, leading cyber security expert in the UK and CISO

Jonny Pelter

Partner

  • CIPM
  • CIPP/E
  • CISSP
  • CISM
  • CRISC
  • ISO27001
  • Prince2
  • MSc
  • BSc

Jonny Pelter

Jonny is a Founding Partner at CyPro and executive group level CISO who has worked closely with the British intelligence agencies NCSC and GCHQ.

An ex-professional rugby player and originating from KPMG and Deloitte, Jonny has a wealth of experience across numerous sectors including technology, critical national infrastructure, financial services, oil & gas, insurance, betting, pharmaceuticals and utilities.

Jonny is a leading cyber security expert in the UK, having featured on national media for his professional commentary such as BBC News, iPlayer, Telegraph and Times Radio.

View Profile
Back to Bulletins
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call