DOJ Investigation Exposes Alleged Corruption in Ransomware Negotiation Industry

Federal prosecutors are investigating a former ransomware negotiator accused of secretly colluding with cybercriminals to profit from victim payments, highlighting troubling conflicts of interest in the booming cyber extortion economy.

The U.S. Department of Justice has launched a criminal investigation into a former employee of DigitalMint, a prominent Chicago-based ransomware negotiation firm, over allegations that the individual secretly coordinated with hackers to receive kickbacks from ransom payments. The suspect allegedly worked with ransomware gangs to negotiate payments, then received a cut of the ransom that was charged to the customer, according to reports first published by Bloomberg.

BlackCat/ALPHV: A New Age Ransomware Threat

BlackCat, also known as ALPHV or Noberus, emerged in November 2021 as a ransomware-as-a-service (RaaS) operation. The group responsible for exploiting BlackCat ransomware is considered a significant threat in the cybercriminal world. This article examines the history, tactics, and impact of the BlackCat/ALPHV ransomware group. BlackCat / ALPHV: A New

Breached CompanyBreached Company

A Trusted Intermediary Gone Rogue

DigitalMint is a Chicago-based incident response and digital asset services company that specializes in ransomware negotiation and facilitating cryptocurrency payments to receive a decryptor or prevent stolen data from being publicly released. The company has positioned itself as a critical intermediary in the ransomware economy, claiming to have conducted over 2,000 ransomware negotiations since 2017 for clients ranging from small businesses to Fortune 500 companies.

The investigation focuses on whether the former employee violated federal laws including conspiracy, wire fraud, and money laundering. Sources familiar with the situation indicate the investigation involves alleged kickbacks when handling ransom negotiations involving the cyber threat group BlackCat, also known as ALPHV—one of the world's most notorious ransomware operations.

DigitalMint confirmed that one of its former employees is under criminal investigation and informed that it terminated the employee after learning of the alleged conduct. Company CEO Jonathan Solomon stated that "We acted swiftly to protect our clients and have been cooperating with law enforcement."

A Pattern of Industry Misconduct

This investigation represents the latest chapter in ongoing concerns about corruption within the ransomware negotiation industry. The case echoes findings from a 2019 report by ProPublica that revealed some U.S. data recovery firms were found to secretly pay ransomware gangs while charging clients for data restoration services, without disclosing that payments were made to the attackers.

The ProPublica investigation exposed companies like MonsterCloud and Proven Data, which purported to use proprietary technology to decrypt ransomware but actually negotiated directly with hackers. These firms often charged victims more than the original ransom demand while concealing the fact that they were simply paying the attackers.

Some ransomware operations, such as GandCrab and REvil, created special discount codes and chat interfaces specifically designed for these types of firms to receive a discount on the ransom demand, demonstrating how cybercriminals actively courted corrupt intermediaries.

The New Reality: When Ransomware Fights Back

A Modern Protection Playbook Based on Scattered Spider’s Game-Changing Tactics Scattered Spider didn’t just infiltrate organizations—they rewrote the ransomware playbook entirely. They fought back against incident response teams, countered security moves in real-time, and actively sabotaged operations during eviction attempts. This isn’t theoretical. This is happening now. The days

Breached CompanyBreached Company

Structural Incentives for Abuse

Industry experts argue that the fee structures employed by many ransomware negotiation firms create inherent conflicts of interest. Bill Siegel, CEO of ransomware negotiation firm Coveware, told that business models that do not utilize a fixed-fee structure lend themselves to this type of potential abuse.

James Taliento, chief executive of the cyber intelligence services company AFTRDRK, explained: "A negotiator is not incentivized to drive the price down or to inform the victim of all the facts if the company they work for is profiting off the size of the demand paid. Plain and simple."

This creates a perverse incentive where negotiators may have financial motivations to inflate ransom demands rather than minimize them, directly contradicting their supposed duty to their clients.

The BlackCat Connection

The involvement of BlackCat ransomware in this case adds another layer of significance. BlackCat (also known as ALPHV) emerged as the second most prolific ransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by victims around the world.

In December 2023, the DOJ successfully disrupted BlackCat's operations, seizing several websites that the group operated and developing a decryption tool that allowed FBI field offices across the country and law enforcement partners around the world to offer over 500 affected victims the capability to restore their systems. The operation saved victims approximately $68 million in ransom demands.

However, the group attempted to carry out an elaborate exit scam after the takedown, with several law enforcement agencies denying involvement in a new notice posted to the gang's leak site. The group ultimately admitted to shuttering operations entirely, though some affiliates remained active.

BlackCat / ALPHV: A New Age Ransomware Menace

Introduction: BlackCat, also known as ALPHV, represents a sophisticated and formidable force in the cybercriminal world. Emerging as a prominent ransomware-as-a-service (RaaS) group, BlackCat has quickly gained notoriety for its advanced techniques and high-profile attacks. Who is BlackCat / ALPHV? BlackCat / ALPHV is a cybercriminal group that leverages ransomware to exploit

Breached CompanyBreached Company

Industry Under Scrutiny

The DigitalMint investigation comes as the ransomware negotiation industry faces increased scrutiny. Some law and insurance firms have reportedly warned clients this week against using DigitalMint while the investigation is ongoing.

The broader ransomware ecosystem has evolved into what experts call "the extortion economy," involving not just the attackers and victims, but a complex web of incident response firms, cyber insurance companies, and specialized negotiators. Cyber insurance policies have fostered an industry of data recovery and incident response firms that insurers hire to investigate attacks and negotiate with and pay hackers.

Recent data suggests that victims are becoming more resistant to paying ransoms. A February report from cyber incident response firm Coveware found that only 25% of companies hit with extortion demands in the last quarter of 2024 paid the ransom, down significantly from 85% in the first quarter of 2019.

Implications for Victims and the Industry

The alleged corruption at DigitalMint raises serious questions about the trustworthiness of intermediaries in the ransomware economy. Victims of cyberattacks, already dealing with operational disruption and data theft, now face the possibility that their supposed advocates may be working against their interests.

Siegel noted that paying a ransom demand is often the wrong decision for any company, which can be challenging to communicate to a company dealing with a ransomware attack. This makes the role of negotiators even more critical—and their potential corruption more damaging.

The investigation also highlights the need for greater transparency and regulation in the ransomware negotiation industry. As ransom demands have escalated from thousands of dollars to multi-million-dollar ransom payments that companies make today, the stakes for both victims and intermediaries have grown exponentially.

Scattered Spider Pivots to Insurance Sector: Aflac Breach Signals New Wave of Attacks

The notorious cybercrime group has shifted focus from retail to insurance companies, with sophisticated social engineering campaigns targeting the sector’s valuable trove of personal data Scattered SpiderScattered Spider, a notorious hacking group also known as UNC3944, Scatter Swine, or Muddled Libra, has gained notoriety in the cybersecurity world for its

Breached CompanyBreached Company

Looking Ahead

The DOJ has not publicly identified the suspect or announced any arrests, and both the Justice Department and FBI have declined to comment on the ongoing investigation. The case represents part of a broader federal effort to combat ransomware through both technical disruptions and criminal prosecutions.

For the ransomware negotiation industry, this investigation serves as a stark reminder that the fight against cybercrime requires not just technical expertise, but also unwavering ethical standards. As companies and organizations continue to grapple with the ransomware threat, they must carefully vet the intermediaries they trust to guide them through what are often the most challenging moments in their operational history.

The DigitalMint case may prove to be a turning point for an industry that has largely operated in the shadows, potentially leading to greater oversight, standardized ethical guidelines, and more transparent fee structures that align negotiator incentives with victim interests rather than ransom amounts.

Disrupting ALPHV/Blackcat: A Major Strike Against Global Cybercrime

Introduction The U.S. Justice Department has announced a significant disruption campaign against the Blackcat ransomware group, also known as ALPHV or Noberus. This group has targeted over 1,000 victims worldwide, including critical U.S. infrastructure, marking a major step in the fight against global cybercrime. Justice Department Disrupts

Breached CompanyBreached Company