The Ransomware ‘Negotiator’ Was Running the Attack

When ransomware hits, organizations are in full crisis mode. Systems down. Clocks ticking. The playbook says: bring in the experts. Call the incident response firm. Get someone who knows how to negotiate.

The DigitalMint case suggests you should’ve vetted those experts before you needed them.

What Happened

Federal prosecutors charged another DigitalMint employee with conducting ransomware attacks while posing as a legitimate crypto negotiations firm. $75 million in extortion across multiple victims. This is the second employee charged in the same operation.

The connection is to BlackCat (ALPHV), one of the most notorious ransomware-as-a-service operations before law enforcement disrupted it.

One insider gone rogue is an edge case. Two in the same operation is a structural problem. Prosecutors aren’t painting a picture of a compliance failure. They’re painting a business model.

Why This Is Worse Than It Sounds

Ransomware negotiation is a high-trust activity. When you hire a negotiation firm, you’re sharing everything attackers would love to know: your cyber insurance coverage, recovery capabilities, maximum ransom tolerance, internal communications about the incident.

A negotiation firm that’s also the attacker can tune demands to exactly what insurance will cover. They can string out negotiations while data exfiltration finishes. They can tell you to pay while telling the attacker how high to push.

That’s not a conflict of interest. That’s a con.

What to Do About It

The lesson isn’t “don’t use IR vendors.” It’s “vet them before you’re in crisis.”

Under time pressure, organizations make vendor decisions they’d never make otherwise. You can’t run background checks when your production environment is encrypted and the countdown says 72 hours. That decision needs to happen months before an incident.

Build a pre-vetted vendor list now. Work with your legal counsel and cyber insurance carrier. Look for verifiable credentials, law enforcement backgrounds, professional firm registration. Ask uncomfortable questions about employee vetting and data handling. Read the engagement agreement closely.

And know your insurance. Carriers almost always have requirements about which IR firms you can engage. Know who your carrier prefers and why.

Vet your vendors now. Before the clock is running.
