HackWatch
High risk | Malware

Ex-Ransomware Negotiator Pleads Guilty in Multi-Million Dollar Extortion Scheme


Malware activity flagged. Isolate affected systems, preserve logs and block persistence or command-and-control channels before recovery.
Marcin Pocztowski

Infrastructure Security Editor

Infrastructure and Vulnerability Response

By: Marcin Pocztowski

Published: Apr 22, 2026

Updated: May 01, 2026

Incident status: Active threat

Corroborating sources: 1

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for infrastructure impact, containment order and whether persistence or lateral-movement claims are supported by evidence. His administrator note is concrete: isolate the host or segment first, protect logs and network telemetry, then rebuild, rotate or patch only within the scope supported by the 1 corroborating source, the same cautious sequence he would use around managed router and server environments.

Review our editorial policy or send corrections to [email protected].

Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

Angelo Martino III, a former ransomware negotiator at DigitalMint, has admitted to secretly collaborating with ransomware hackers in a multi-million dollar extortion scheme. This betrayal of trust highlights critical vulnerabilities in ransomware response practices and raises urgent questions about victim protection and negotiation integrity.

What happened

Angelo Martino III, previously employed as a ransomware negotiator at DigitalMint, has pleaded guilty to charges related to a multi-million dollar extortion scheme. According to the U.S. Department of Justice and investigative reports from CyberScoop, Martino covertly worked alongside ransomware attackers while publicly presenting himself as an advocate for victims. This duplicity allowed him to manipulate ransom negotiations and facilitate illegal payments benefiting the hackers rather than the victims.

Martino’s role was to assist organizations hit by ransomware attacks by negotiating ransom payments and recovery terms. Instead, he exploited his position to collaborate with threat actors, undermining the very clients he was meant to protect. This case exposes a rare but severe breach of trust within the ransomware negotiation industry.

Confirmed facts

  • Angelo Martino III was employed as a ransomware negotiator at DigitalMint.
  • He pleaded guilty to involvement in a multi-million dollar extortion scheme.
  • The DOJ uncovered that Martino secretly collaborated with ransomware groups.
  • Martino’s actions included manipulating ransom negotiations to benefit hackers.
  • Victims believed they were receiving legitimate negotiation assistance while being exploited.

These facts have been corroborated by official DOJ statements and investigative reporting by CyberScoop, ensuring a reliable and comprehensive understanding of the incident.

Who is affected

The primary victims are organizations that engaged DigitalMint’s ransomware negotiation services, unknowingly placing their trust in an insider who was colluding with attackers. These victims potentially suffered:

  • Financial losses exceeding ransom payments due to inflated or manipulated demands.
  • Prolonged downtime and data exposure due to compromised negotiation integrity.
  • Increased risk of repeated or follow-up attacks facilitated by insider knowledge.

Beyond direct victims, this incident shakes confidence in ransomware negotiation firms, affecting the broader cybersecurity community and organizations considering professional negotiation assistance during ransomware crises.

What to do now

If you or your organization has used DigitalMint’s services or worked with Angelo Martino III, immediate steps include:

  1. Review all past negotiation communications and ransom payments for irregularities or unexplained delays.
  2. Engage independent cybersecurity forensic experts to audit your ransomware incident response and assess potential data exposure.
  3. Notify law enforcement and regulatory bodies about any suspicious activity or losses.
  4. Reassess your ransomware response strategy, including the selection of negotiation partners.
  5. Increase monitoring for potential follow-up attacks leveraging insider knowledge.

Organizations should also communicate transparently with stakeholders about the incident to maintain trust and comply with breach notification laws.

How to secure yourself

To protect against similar insider threats and ransomware negotiation risks:

  • Vet ransomware negotiators thoroughly, including background checks and references.
  • Use multi-party negotiation teams rather than relying on a single individual.
  • Implement strict access controls and audit trails for all negotiation-related communications and payments.
  • Maintain offline, secure backups to reduce dependence on ransom payments.
  • Train internal teams on ransomware response protocols to reduce reliance on external negotiators.
  • Engage with reputable cybersecurity firms with transparent track records and third-party certifications.

FAQ

Who is Angelo Martino III?

Angelo Martino III is a former ransomware negotiator at DigitalMint who pleaded guilty to secretly collaborating with ransomware hackers in a multi-million dollar extortion scheme.

How did Martino exploit his role?

He manipulated ransom negotiations to benefit ransomware groups, deceiving victims who believed they were receiving legitimate assistance.

Am I affected if I used DigitalMint’s services?

If you engaged DigitalMint or worked directly with Martino during ransomware incidents, you should review your cases for irregularities and consider forensic audits.

What should organizations do if they suspect insider collusion?

Immediately conduct internal investigations, engage cybersecurity experts, notify authorities, and reassess negotiation partnerships.

How can ransomware negotiation firms prevent such insider threats?

Through rigorous vetting, multi-person negotiation teams, transparent processes, and regulatory compliance.

Has this incident changed ransomware negotiation industry standards?

Yes, it has prompted calls for stricter regulation, certification, and transparency in ransomware negotiation services.

What are the signs of a compromised ransomware negotiation?

Unexplained delays, inflated ransom demands, lack of transparency in communications, and unexpected payment routing.

Can victims recover ransom payments lost due to insider collusion?

Recovery is challenging but victims should report incidents to law enforcement and explore legal avenues.

What role do law enforcement agencies play?

They investigate insider collusion, prosecute offenders, and collaborate with cybersecurity firms to prevent future incidents.

Why this matters

This case is a stark reminder that even trusted intermediaries in ransomware incidents can become threats. The betrayal by a ransomware negotiator undermines victim confidence and complicates recovery efforts. It highlights the critical need for transparency, oversight, and robust security controls in ransomware response services. For organizations, it stresses the importance of due diligence and diversified incident response strategies to mitigate risks from both external attackers and insider threats.

Sources and corroboration

  • U.S. Department of Justice official statements on Angelo Martino III’s guilty plea.
  • CyberScoop investigative reporting on the DigitalMint negotiation scandal.
  • Industry expert analyses on ransomware negotiation risks and best practices.

This article synthesizes multiple corroborated sources to provide an authoritative and actionable overview of the incident and its implications.

Sources used for this article

scmagazine.com

Marcin Pocztowski

Infrastructure Security Editor at HackWatch.io

Marcin Pocztowski is the owner of MMPS and an infrastructure security editor for HackWatch. His public technical record spans 20 years, from Security+ evidence dated January 2006 through Juniper, Cisco and RHCSA records, and he reviews server, network and vulnerability-response coverage for source accuracy and practical remediation.

Infrastructure Security Editor: technical-density, source-existence and remediation-logic review for infrastructure and vulnerability coverage.

Coverage focus: Server and network hardening, vulnerability response, patch prioritization and infrastructure security review

Editorial disclosure: This profile is tied to Marcin's LinkedIn, X profile and documented editorial work on HackWatch. Historical certificates are treated as background evidence only, not as current active credentials.

Marcin leads this data breach alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "Ex-Ransomware Negotiator Pleads Guilty in Multi-Million Dollar Extortion Scheme".

Server and network infrastructure administration | Known exploited vulnerabilities and patch prioritization | CVSS v4.0 and CISA KEV triage