Ex-Ransomware Negotiator Pleads Guilty in Multi-Million Dollar Extortion Scheme
Malware coverage focused on infection paths, containment steps and indicators defenders should watch.

Trust note:This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.
The published article is checked against public sources before publication, and material corrections are reflected in the article update date.
Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for infrastructure impact, containment order and whether persistence or lateral-movement claims are supported by evidence. His administrator note is concrete: isolate the host or segment first, protect logs and network telemetry, then rebuild, rotate or patch only within the scope supported by the 1 corroborating source, the same cautious sequence he would use around managed router and server environments.
Review our editorial policy or send corrections to [email protected].
Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.
Angelo Martino III, a former ransomware negotiator at DigitalMint, has admitted to secretly collaborating with ransomware hackers in a multi-million dollar extortion scheme. This betrayal of trust highlights critical vulnerabilities in ransomware response practices and raises urgent questions about victim protection and negotiation integrity.
What happened
Angelo Martino III, previously employed as a ransomware negotiator at DigitalMint, has pleaded guilty to charges related to a multi-million dollar extortion scheme. According to the U.S. Department of Justice and investigative reports from CyberScoop, Martino covertly worked alongside ransomware attackers while publicly presenting himself as an advocate for victims. This duplicity allowed him to manipulate ransom negotiations and facilitate illegal payments benefiting the hackers rather than the victims.
Martino’s role was to assist organizations hit by ransomware attacks by negotiating ransom payments and recovery terms. Instead, he exploited his position to collaborate with threat actors, undermining the very clients he was meant to protect. This case exposes a rare but severe breach of trust within the ransomware negotiation industry.
Confirmed facts
- Angelo Martino III was employed as a ransomware negotiator at DigitalMint.
- He pleaded guilty to involvement in a multi-million dollar extortion scheme.
- The DOJ uncovered that Martino secretly collaborated with ransomware groups.
- Martino’s actions included manipulating ransom negotiations to benefit hackers.
- Victims believed they were receiving legitimate negotiation assistance while being exploited.
These facts have been corroborated by official DOJ statements and investigative reporting by CyberScoop, ensuring a reliable and comprehensive understanding of the incident.
Who is affected
The primary victims are organizations that engaged DigitalMint’s ransomware negotiation services, unknowingly placing their trust in an insider who was colluding with attackers. These victims potentially suffered:
- Financial losses exceeding ransom payments due to inflated or manipulated demands.
- Prolonged downtime and data exposure due to compromised negotiation integrity.
- Increased risk of repeated or follow-up attacks facilitated by insider knowledge.
Beyond direct victims, this incident shakes confidence in ransomware negotiation firms, affecting the broader cybersecurity community and organizations considering professional negotiation assistance during ransomware crises.
What to do now
If you or your organization has used DigitalMint’s services or worked with Angelo Martino III, immediate steps include:
- Review all past negotiation communications and ransom payments for irregularities or unexplained delays.
- Engage independent cybersecurity forensic experts to audit your ransomware incident response and assess potential data exposure.
- Notify law enforcement and regulatory bodies about any suspicious activity or losses.
- Reassess your ransomware response strategy, including the selection of negotiation partners.
- Increase monitoring for potential follow-up attacks leveraging insider knowledge.
Organizations should also communicate transparently with stakeholders about the incident to maintain trust and comply with breach notification laws.
How to secure yourself
To protect against similar insider threats and ransomware negotiation risks:
- Vet ransomware negotiators thoroughly, including background checks and references.
- Use multi-party negotiation teams rather than relying on a single individual.
- Implement strict access controls and audit trails for all negotiation-related communications and payments.
- Maintain offline, secure backups to reduce dependence on ransom payments.
- Train internal teams on ransomware response protocols to reduce reliance on external negotiators.
- Engage with reputable cybersecurity firms with transparent track records and third-party certifications.
FAQ
Who is Angelo Martino III?
Angelo Martino III is a former ransomware negotiator at DigitalMint who pleaded guilty to secretly collaborating with ransomware hackers in a multi-million dollar extortion scheme.
How did Martino exploit his role?
He manipulated ransom negotiations to benefit ransomware groups, deceiving victims who believed they were receiving legitimate assistance.
Am I affected if I used DigitalMint’s services?
If you engaged DigitalMint or worked directly with Martino during ransomware incidents, you should review your cases for irregularities and consider forensic audits.
What should organizations do if they suspect insider collusion?
Immediately conduct internal investigations, engage cybersecurity experts, notify authorities, and reassess negotiation partnerships.
How can ransomware negotiation firms prevent such insider threats?
Through rigorous vetting, multi-person negotiation teams, transparent processes, and regulatory compliance.
Has this incident changed ransomware negotiation industry standards?
Yes, it has prompted calls for stricter regulation, certification, and transparency in ransomware negotiation services.
What are the signs of a compromised ransomware negotiation?
Unexplained delays, inflated ransom demands, lack of transparency in communications, and unexpected payment routing.
Can victims recover ransom payments lost due to insider collusion?
Recovery is challenging but victims should report incidents to law enforcement and explore legal avenues.
What role do law enforcement agencies play?
They investigate insider collusion, prosecute offenders, and collaborate with cybersecurity firms to prevent future incidents.
Why this matters
This case is a stark reminder that even trusted intermediaries in ransomware incidents can become threats. The betrayal by a ransomware negotiator undermines victim confidence and complicates recovery efforts. It highlights the critical need for transparency, oversight, and robust security controls in ransomware response services. For organizations, it stresses the importance of due diligence and diversified incident response strategies to mitigate risks from both external attackers and insider threats.
Sources and corroboration
- U.S. Department of Justice official statements on Angelo Martino III’s guilty plea.
- CyberScoop investigative reporting on the DigitalMint negotiation scandal.
- Industry expert analyses on ransomware negotiation risks and best practices.
This article synthesizes multiple corroborated sources to provide an authoritative and actionable overview of the incident and its implications.
Sources used for this article
scmagazine.com
