DOJ probes ex-ransomware negotiator over alleged kickback scheme

A former DigitalMint employee is under criminal investigation for allegedly collaborating with ransomware gangs and profiting from customer payments.

What happened

The U.S. Department of Justice is investigating a former employee of DigitalMint, a Chicago-based ransomware negotiation firm, over allegations that the individual worked with cybercriminal groups to collect personal kickbacks from extortion payments. According to Bloomberg, the suspect may have negotiated ransomware deals in a way that allowed them to receive a portion of the ransom paid by affected companies.

DigitalMint, which has handled more than 2,000 ransomware cases since 2017, confirmed that it terminated the employee upon discovering the alleged misconduct. The company says it is cooperating with law enforcement and is not itself a target of the investigation.

Going deeper

DigitalMint facilitates cryptocurrency ransom payments on behalf of organizations affected by ransomware. In typical scenarios, victims negotiate with attackers to either receive a decryption key or prevent stolen data from being released. The case under investigation raises concerns that a negotiator may have inflated ransom demands or steered clients toward unnecessary payments in exchange for personal gain.

The Department of Justice has not commented publicly, and it remains unclear whether the former employee has been arrested. Some law firms and insurers have advised clients to pause engagement with DigitalMint while the investigation continues.

Allegations like this echo past industry concerns. A 2019 ProPublica investigation revealed that some U.S.-based recovery firms secretly paid attackers without disclosing it to clients, sometimes pocketing the difference. Some ransomware gangs even created custom interfaces or discount codes for intermediaries who brought them repeat business.

What was said

DigitalMint’s CEO, Jonathan Solomon, said the company acted quickly to protect clients and has been transparent with stakeholders. President Marc Grens added that trust is “earned every day,” citing the company’s efforts to inform affected parties. When contacted, the FBI and DOJ declined to comment.

Bill Siegel, CEO of rival firm Coveware, warned that firms using variable pricing or percentage-based fees create a “moral hazard” where negotiators may prioritize larger transactions over ethical guidance. He stated that objective advice is compromised when intermediaries are rewarded based on ransom size.

The big picture

The investigation points to ethical concerns within the ransomware negotiation industry, especially when negotiators operate on commission-based or variable-fee models. These structures may create incentives that do not fully align with the victim’s best interests. As ransomware cases continue to rise in both frequency and cost, experts are calling for clearer industry standards, improved transparency, and stronger oversight to support more accountable negotiation practices.

FAQs

What is a ransomware negotiator, and why are they used?

Ransomware negotiators act as intermediaries between victims and attackers. They help assess threats, communicate with threat actors, and sometimes facilitate ransom payments, particularly when time is short and the affected data is highly sensitive.

Are companies allowed to pay ransoms legally in the U.S.?

Yes, but only under specific conditions. Payments must not violate U.S. sanctions laws, meaning organizations cannot legally pay groups sanctioned by the Department of the Treasury's Office of Foreign Assets Control (OFAC).

How can companies vet ransomware negotiation firms?

Organizations should ask firms about their pricing structure, past conduct, and whether they disclose when a ransom is paid. Firms that use flat fees and stress transparency are generally safer choices.

What should companies do if they suspect misconduct during a ransomware response?

They should immediately consult legal counsel, document all communications, and consider reporting concerns to law enforcement or regulators. Independent cybersecurity audits may also help assess whether actions taken were appropriate.

Could this investigation lead to new industry regulations?

It’s possible. As ransomware becomes more institutionalized, investigations like this one could prompt lawmakers to introduce clearer ethical and operational standards for incident response vendors.