DOJ investigating ex-DigitalMint employee over alleged BlackCat ransom kickbacks

By James Thaler

July 2 - (The Insurer) - The U.S. Department of Justice is investigating a former employee of cyber incident response company DigitalMint for allegedly receiving kickbacks when handling ransom negotiations involving the cyber threat group BlackCat, three sources familiar with the situation said.

The investigation into Angelo Martino, a former managing director in cyber incident response at Chicago-based DigitalMint, is being led by the DOJ's office in the Southern District of Florida, the sources told The Insurer.

The ransom payments allegedly negotiated by Martino were unusual because they were frequently paid out to more crypto coin wallets than is common industry practice and that the ransom payments were found to be larger than industry norms, the sources said.

The investigation centers on at least five cyber incidents in 2023, in which Martino is alleged to have set up what several sources described as a “side channel” to negotiate higher ransom payments. Martino is alleged to have received a portion of the proceeds, the sources told The Insurer.

The Insurer was unable to find contact information for Martino. The Insurer also could not locate a lawyer for Martino.

Digital forensics and incident response (DFIR) firms such as DigitalMint are appointed by insurance companies and play a key role when an insured company or other party makes a claim on their cyber insurance policy following an incident such as a ransomware attack.

DigitalMint and its competitors offer a range of services, including restoring the insured party's IT systems and data in the aftermath of a breach and negotiating with and transmitting payments to threat actors on behalf of insurers and their insureds in response to ransomware attacks.

DigitalMint said in an emailed statement to The Insurer that it had "learned that one of its former employees is the target of an ongoing criminal investigation. The investigation evidently involves alleged unauthorized conduct by the employee while employed here".

DigitalMint did not name Martino and declined to identify which insurance companies were involved in the alleged negotiations over ransomware payments.

"DigitalMint is not a target of this investigation and has been cooperating fully with law enforcement. The employee was immediately terminated," it said, adding that it could not provide further information "in light of the ongoing investigation".

The U.S. Attorney’s Office said in an emailed statement it had no comment. The Insurer could not determine how far the investigation has progressed, and it is possible no charges will be filed.

Sources said that DigitalMint began informing its insurance industry clients of the probe on June 27, after being cleared by law enforcement officials to do so.

The DOJ announced in December 2023 that it had carried out a disruption campaign against BlackCat. Sources told The Insurer that the FBI's investigation into the ransomware gang uncovered the alleged collusion between BlackCat and Martino.

The sources also said that DigitalMint has told counterparties that it separated its threat actor communication operations from its payment operations, in line with industry standards, with the aim of preventing any collusion between threat actor negotiators and payments teams.

DigitalMint ended Martino's employment after it received a subpoena three months ago from DOJ investigators, the sources said. Sources said that after initially being contacted by law enforcement officials months ago, DigitalMint was asked by law enforcement to remain quiet regarding the details of the ongoing investigation until it reached its latter stages.

“We acted swiftly to protect our clients and have been cooperating with law enforcement,” said Jonathan Solomon, CEO of DigitalMint.

“As soon as we were able, we began communicating the facts to affected stakeholders,” said DigitalMint President Marc Grens.

DigitalMint describes itself as a leading provider of incident response and digital asset services, specializing in the secure handling of ransomware incidents and facilitation of secure payments. It also says that it is a cryptocurrency provider, enabling financial service centers to sell cryptocurrency for cash through physical kiosks and point-of-sale solutions.

A report from cyber insurtech Coalition published in May showed that ransom demands fell 22% in 2024 to an average of $1.1 million. The average demand in the latter half of 2024 fell below $1 million for the first time in more than two years.

In April, At-Bay said that only 31% of its policyholders chose to pay ransoms in 2024, while the volume of ransomware attacks rose nearly 20% last year.