Executive Summary
In 2023, Angelo John Martino III, a ransomware negotiator at DigitalMint, exploited his position to orchestrate at least 10 ransomware attacks, extorting over $75 million. Martino, along with co-conspirators, infiltrated networks, encrypted data, and demanded ransoms, even negotiating with victims he had attacked. This breach highlights the severe risks posed by insider threats in cybersecurity firms. The incident underscores the critical need for robust internal controls and vigilant monitoring to prevent such breaches, especially as ransomware tactics evolve and insider threats become more sophisticated.
Why This Matters Now
This case exemplifies the escalating threat of insider attacks within cybersecurity organizations, emphasizing the urgency for enhanced internal security measures and continuous monitoring to safeguard against such breaches.
Attack Path Analysis
The attackers gained initial access through compromised credentials, escalated privileges by exploiting Active Directory accounts, moved laterally using administrative tools, established command and control via Cobalt Strike, exfiltrated sensitive data using tools like ExMatter, and finally encrypted data to extort ransom payments.
Kill Chain Progression
Initial Compromise
Description
The attackers gained initial access by leveraging previously compromised user credentials to infiltrate the victim's network.
MITRE ATT&CK® Techniques
- Exploit Public-Facing Application
- Phishing
- Command and Scripting Interpreter
- Create or Modify System Process
- Exploitation for Privilege Escalation
- Obfuscated Files or Information
- Credentials from Password Stores
- Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that security policies and operational procedures for identifying and responding to security vulnerabilities are documented, in use, and known to all affected parties.
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Implement risk-based policies, procedures, and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users.
Control ID: 500.14(b)
DORA – ICT risk management framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement continuous monitoring and analytics to detect and respond to anomalies in user behavior.
Control ID: Identity Pillar: Monitoring and Analytics
NIS2 Directive – Cybersecurity risk-management measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Ransomware negotiator insider threat exposed financial firms to $25.7M extortion, compromising encrypted traffic protections and egress security controls.
Health Care / Life Sciences
Medical industry victims faced ALPHV/BlackCat ransomware attacks with compromised negotiations, violating HIPAA compliance and exposing patient data exfiltration risks.
Hospitality
Hospitality sector vulnerability to insider-facilitated ransomware attacks demonstrates critical gaps in zero trust segmentation and threat detection capabilities.
Non-Profit/Volunteering
Nonprofit organizations paid highest ransom ($26.8M) due to compromised cybersecurity negotiations, highlighting inadequate multicloud visibility and anomaly response systems.
Sources
- Feds say another DigitalMint negotiator ran ransomware attacks and extorted $75 million: https://cyberscoop.com/digitalmint-ransomware-negotiator-arrest-angelo-martino-extortion/
- Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant: https://www.justice.gov/usao-sdfl/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant
- Two Americans Plead Guilty to Targeting Multiple U.S. Victims Using ALPHV BlackCat Ransomware: https://www.justice.gov/opa/pr/two-americans-plead-guilty-targeting-multiple-us-victims-using-alphv-blackcat-ransomware
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust Cloud Native Security Fabric (CNSF) is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, establish command and control, and exfiltrate data, thereby reducing the overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been limited to specific segments, reducing their ability to reach critical systems.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been constrained, reducing their control over the network.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely have been restricted, limiting the spread of ransomware.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels may have been detected and disrupted, reducing their ability to maintain control.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts would likely have been hindered, reducing the amount of data compromised.
The attacker's ability to encrypt files may have been limited to specific segments, reducing the overall impact of the ransomware.
Impact at a Glance
Affected Business Functions
- Ransomware Negotiation Services
- Incident Response
- Client Trust Management
Estimated downtime: 1 day
Estimated loss: N/A
Confidential client information related to ransomware negotiations
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- Deploy East-West Traffic Security controls to monitor and restrict internal traffic, detecting unauthorized movements.
- Utilize Multicloud Visibility & Control solutions to gain comprehensive insights into network activities and detect anomalies.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent unauthorized data exfiltration.
- Establish robust Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.
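The egress-control and anomaly-response items above describe the outcome but not the logic a detection team would actually run. The following is an added example, not code from the page, from Aviatrix or from the incident investigation: it takes constructed per-flow records (day, source host, destination IP, bytes out), builds each host's own daily outbound baseline, and raises two kinds of alert that together cover the exfiltration stage of the attack path described earlier: a volume spike well above the host's median history, and a first contact with a destination the host has never reached before. The host names, IP addresses, byte counts and thresholds (`min_history`, `ratio`) are all constructed for illustration.

```python
"""Baseline-driven egress anomaly detection over constructed flow records.

Added example; the flow data, hosts and thresholds below are constructed and
do not come from the incident described on the page.
"""
from collections import defaultdict
from statistics import median

# Constructed flow-log records: (day, source_host, destination_ip, bytes_out).
# ws-fin-07 has a stable few-MB daily baseline, then on 2023-03-05 pushes
# ~900 MB to a destination it has never contacted before.
SAMPLE_FLOWS = [
    ("2023-03-01", "ws-fin-07", "203.0.113.10", 4_000_000),
    ("2023-03-02", "ws-fin-07", "203.0.113.10", 5_000_000),
    ("2023-03-03", "ws-fin-07", "203.0.113.10", 4_500_000),
    ("2023-03-04", "ws-fin-07", "203.0.113.10", 5_500_000),
    ("2023-03-05", "ws-fin-07", "203.0.113.10", 4_800_000),
    ("2023-03-05", "ws-fin-07", "198.51.100.77", 900_000_000),
    ("2023-03-01", "ws-hr-02", "203.0.113.10", 2_000_000),
    ("2023-03-02", "ws-hr-02", "203.0.113.10", 2_200_000),
    ("2023-03-03", "ws-hr-02", "203.0.113.10", 1_900_000),
    ("2023-03-04", "ws-hr-02", "203.0.113.10", 2_100_000),
    ("2023-03-05", "ws-hr-02", "203.0.113.10", 2_300_000),
]


def daily_egress(flows):
    """Sum outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def daily_destinations(flows):
    """Collect the set of destinations each host contacted per day."""
    dsts = defaultdict(lambda: defaultdict(set))
    for day, host, dst, _nbytes in flows:
        dsts[host][day].add(dst)
    return dsts


def detect_egress_anomalies(flows, min_history=3, ratio=5.0):
    """Return alerts for per-host volume spikes and never-before-seen destinations.

    min_history: days of baseline required before a volume verdict is made.
    ratio: today's total must exceed ratio * median(history) to be a spike.
    The median is used so one earlier spike does not silently raise the baseline.
    """
    alerts = []
    totals = daily_egress(flows)
    dsts = daily_destinations(flows)

    for host, days in totals.items():
        history = []        # daily totals seen so far for this host
        known_dsts = set()  # destinations seen on earlier days

        for day in sorted(days):  # ISO dates sort chronologically as strings
            today = days[day]

            # Volume rule: compare against the host's own history, not a global number.
            if len(history) >= min_history:
                baseline = median(history)
                if baseline > 0 and today > ratio * baseline:
                    alerts.append({
                        "host": host, "day": day, "kind": "volume_spike",
                        "bytes": today, "baseline": baseline,
                    })

            # Destination rule: only meaningful once the host has some history.
            new_dsts = dsts[host][day] - known_dsts
            if known_dsts and new_dsts:
                alerts.append({
                    "host": host, "day": day, "kind": "new_destination",
                    "destinations": sorted(new_dsts),
                })

            history.append(today)
            known_dsts |= dsts[host][day]

    return alerts


if __name__ == "__main__":
    for alert in detect_egress_anomalies(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed data, only `ws-fin-07` on 2023-03-05 is flagged, once for volume and once for the new destination, while `ws-hr-02`'s ordinary day-to-day variation stays silent. In production the same two rules would be fed from flow logs or egress-gateway telemetry, and the first-contact rule is the one most worth tuning, since legitimate new SaaS destinations are common and an allowlist of approved egress targets belongs in front of it.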