U.S. prosecutors have charged another former DigitalMint employee for his alleged participation in a scheme in which ransom negotiators secretly collaborated with the ransomware operation known as BlackCat, also called ALPHV. According to published court documents, the accused, identified as Angelo Martino, surrendered to the U.S. Marshals and was charged with conspiracy to interfere with interstate commerce by extortion.
The court filings describe a disturbing pattern: while working as a mediator in ransomware incidents for DigitalMint, Martino allegedly shared confidential information about active negotiations with BlackCat operators. In addition, investigators say that between April 2023 and April 2025 he was directly involved in attacks with other accomplices linked to the same group, individuals who had already appeared in a previous indictment in which Martino was referred to as "Co-Conspirator 1."

The prosecution claims that those involved acted as BlackCat affiliates, extorting victims by encrypting data and threatening to publish what had been stolen. Part of the scheme was to pay BlackCat administrators a fraction of the ransoms collected (about 20%, according to prosecutors) in exchange for access to the group's infrastructure and its extortion portal.
The victims identified include at least five United States organizations in sectors as diverse as medical device manufacturing, law firms, school districts and financial institutions. One of the documented cases involves a Tampa-based medical device manufacturer that, according to the prosecution, paid $1.27 million to recover access to its systems.
DigitalMint, the company Martino worked for, has publicly declared its condemnation of the events, indicating that those involved were fired as soon as the conduct became known and that the company has collaborated with the authorities since the start of the investigation. In its response, the management team stressed that, although no system is infallible against insider risk, controls and safeguards have been strengthened to reduce the likelihood of similar events.
This case highlights a structural problem in incident response: the trust that organizations place in intermediaries and specialists to negotiate with cybercriminals can become a back door if those mediators are corrupted or have ties to both sides. The issue here is not just technical errors or perimeter security failures, but an insider threat with privileged access to sensitive conversations and the victim's strategic information.
BlackCat / ALPHV is not a minor actor: independent agencies and reports have linked this group to dozens of breaches and extensive extortion in recent years. For context, public security organizations and journalists have documented the growing sophistication of these networks and the enormous sums involved in the ransom business; an example of analysis of opaque practices in the data recovery industry is ProPublica's 2019 investigation, which explored how some companies paid criminal groups without being transparent with their clients.
The episode raises a number of practical and ethical questions for companies that hire incident response services: How can the integrity of negotiators be audited? What controls should exist over the handling of sensitive information during a negotiation? To what extent should they rely on intermediaries that manage payments and relay communications? The answers involve stricter separation-of-duties policies, continuous forensic supervision, enhanced access controls and contractual clauses that require transparency with clients and authorities where there is evidence of irregular conduct.

At the preventive and response level, security agencies recommend not only technical measures but also clear procedures for crisis management and for the relationship with external suppliers. Institutional resources such as those offered by CISA and the FBI are useful benchmarks for organizations that want to update their ransomware plans and learn the best practices recognized by the public sector.
The case against Martino and his alleged collaborators also underlines the importance of companies reporting incidents and cooperating with the authorities. Beyond the criminal liability that the individuals involved may face, investigations help to understand the criminal economies that feed the ransomware industry and to develop collective defenses. Cybersecurity institutions and professionals should treat cases like this as a wake-up call: the fight against ransomware is won not only with patches and backups, but also with well-designed governance, transparency and human controls.
For those who want to dig deeper into the case documents and the earlier journalistic research, see the statement cited in the court documents and the background investigation published by ProPublica. These sources help to understand how the ransom economy has become intertwined with actors who, in some cases, should be part of the victims' defense rather than facilitators of extortion.