Professionals whose job is to negotiate with ransomware attackers on victims' behalf are now themselves charged with carrying out ransomware attacks. The United States Department of Justice has announced charges against two employees of a cybersecurity negotiation firm and a co-conspirator for hacking companies and deploying ransomware against them.

The individuals worked for DigitalMint, a company that specialises in negotiating with cybercriminals on behalf of organisations impacted by ransomware. A third suspect, previously an incident response manager at another company, is accused of participating in the scheme. The indictment alleges that the suspects hacked firms, stole confidential corporate data, and used ransomware developed by the group known as ALPHV/BlackCat to extort victims.

According to the charges, the DigitalMint employees abused their trusted position by infiltrating victim networks, exfiltrating sensitive information, and then deploying ransomware in those same networks. Prosecutors describe this as a serious betrayal of the trust organisations place in cybersecurity partners. The DOJ characterised the conduct as “unauthorised hacking, data theft and deployment of ransomware” carried out by people employed to provide negotiation services.

This case highlights an uncomfortable risk: people positioned as defensive advisers or negotiators can be implicated in offensive operations. Organisations that engage third-party firms to negotiate with ransomware adversaries may need to reassess their dependencies and controls. A party that is both defender and attacker undermines the trust and oversight frameworks that the cybersecurity supply chain relies on.

Ransomware negotiation is inherently high-stakes. Victims engaging with attackers via intermediaries typically hope to minimise damage, recover encrypted systems, and prevent data leaks. To do that they share the extent of the compromise, the state of their backups, and how much they are able to pay. When the negotiating party is complicit in the attack chain, that information flows straight to the adversary, creating a conflict of interest and introducing new risks. Traditional assumptions about trusted mediators no longer always apply.

The indictment does not disclose the number of victim organisations or the total losses caused by the alleged scheme. It does, however, stress that the ransomware variant used, BlackCat/ALPHV, is a prolific tool in big game hunting campaigns, that is, targeted attacks on large organisations able to pay large ransoms. Analysts have tracked the group extorting multimillion-dollar payments and threatening data exposure if demands are not met.

For organisations relying on negotiation services in ransomware incidents, several precautionary steps follow. First, due diligence on negotiating firms must include assessments of independence, access permissions, and incident response histories. Second, contractual and technical controls should limit the negotiator's access to sensitive environments: a negotiator needs the extortion note, the communication channel to the attacker and the victim's payment decision, not credentials to production systems or forensic images, and any access granted should be bounded in scope and time. Third, incident response plans should consider scenarios in which the negotiation service itself is compromised or complicit.

More broadly, the evolving role of negotiation firms reflects how ransomware ecosystems are becoming increasingly complex. Attackers are not simply encrypting data and demanding payment. They may now rely on trusted partners, insiders, or external actors posing as defenders to gain initial access, move laterally, and launch extortion campaigns. This extends organisational risk beyond the initial intrusion to the intermediary supply chain of incident response and negotiation.

Defenders must focus on strengthening visibility into all parties involved in a ransomware incident, not only the adversary but also the network of responders and negotiators. This involves verifying the credentials of negotiation firms, tracking their activities in real time, and maintaining incident governance structures that separate negotiation from access and remediation roles.
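One way to put the last two points into practice is to give the negotiator a dedicated account with a written engagement scope (read-only, a single evidence folder, a fixed time window) and then audit that account's activity against the scope. The following is an added example and not code from the original article or from any vendor or the DOJ; the event format, the `svc-negotiator` principal, the `ir/case-4471/...` resource paths and the log lines are all constructed for illustration. It reports, deny-by-default, every action by the negotiator account that falls outside the permitted actions, resource prefixes or time window, while leaving other principals to the rest of the incident audit.

```python
"""Audit a third-party negotiator's account activity against its engagement scope.

Hypothetical example: the event format, principal names and resource paths are
constructed for illustration and are not taken from any real case or vendor log.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Engagement:
    """What a negotiation vendor's account is permitted to do, and when."""
    principal: str
    start: datetime
    end: datetime
    # Negotiation needs to read the demand note and transcripts, nothing more.
    allowed_actions: frozenset = frozenset({"read"})
    # Resource prefixes the negotiator may touch: the shared evidence locker only.
    allowed_resources: tuple = ("ir/case-4471/negotiation/",)


@dataclass(frozen=True)
class Event:
    ts: datetime
    principal: str
    action: str
    resource: str


def parse_event(line: str) -> Event:
    """Parse one constructed audit line: '<iso8601> <principal> <action> <resource>'."""
    ts, principal, action, resource = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), principal, action, resource)


def audit_vendor_actions(events, engagement):
    """Return (event, reason) for every negotiator action outside the engagement scope.

    Deny by default: anything not explicitly allowed by time window, action and
    resource prefix is reported. Actions by other principals are ignored here.
    """
    violations = []
    for ev in events:
        if ev.principal != engagement.principal:
            continue
        if not (engagement.start <= ev.ts <= engagement.end):
            violations.append((ev, "outside engagement window"))
            continue
        if ev.action not in engagement.allowed_actions:
            violations.append((ev, f"action {ev.action!r} not permitted"))
            continue
        if not ev.resource.startswith(engagement.allowed_resources):
            violations.append((ev, "resource outside negotiation scope"))
    return violations


# Constructed sample log: two in-scope reads, then a forensic image read, a GPO
# write, command execution on a file server, a read after the engagement ended,
# and one action by an internal responder that the vendor audit must not flag.
SAMPLE_LOG = """\
2025-11-05T10:02:11+00:00 svc-negotiator read ir/case-4471/negotiation/demand-note.txt
2025-11-05T10:15:40+00:00 svc-negotiator read ir/case-4471/negotiation/chat-transcript.json
2025-11-05T11:30:02+00:00 svc-negotiator read ir/case-4471/forensics/domain-controller.img
2025-11-05T11:31:19+00:00 svc-negotiator write prod/ad/gpo/default-domain-policy
2025-11-05T12:04:55+00:00 svc-negotiator exec prod/hosts/fileserver-01
2025-11-07T03:14:09+00:00 svc-negotiator read ir/case-4471/negotiation/demand-note.txt
2025-11-05T11:32:00+00:00 alice.ir write prod/ad/gpo/default-domain-policy
"""

# Hypothetical engagement: 24 hours of read-only access to the negotiation folder.
ENGAGEMENT = Engagement(
    principal="svc-negotiator",
    start=datetime(2025, 11, 5, 9, 0, tzinfo=timezone.utc),
    end=datetime(2025, 11, 6, 9, 0, tzinfo=timezone.utc),
)


def run_audit(log_text=SAMPLE_LOG, engagement=ENGAGEMENT):
    """Parse the log and return the list of out-of-scope negotiator actions."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return audit_vendor_actions(events, engagement)


if __name__ == "__main__":
    for ev, reason in run_audit():
        print(f"{ev.ts.isoformat()} {ev.principal} {ev.action} {ev.resource}: {reason}")
```

Run against the constructed log it flags four events: the forensic image read (out-of-scope resource), the GPO write and the file-server exec (actions the negotiator role never needs), and the read two days later (outside the window); the internal responder's write is left alone. In a real deployment the same check would run over the identity provider's or cloud audit trail as events arrive, and any hit should page the incident lead rather than sit in a report.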

The DOJ charges underscore the need for regulatory scrutiny and professional standards in the ransomware-negotiation sector. As the role of negotiating intermediaries becomes more formalised, questions around licensing, oversight, and ethics may arise. The case may set a precedent for how governments and industry regulate the broader incident-response market.

Ransomware remains a major threat, but this development shifts part of the threat surface into the realm of trusted services. Organisations should treat negotiation services as part of the incident-response ecosystem and subject them to the same vetting and security controls as any other vendor with privileged access. Failure to do so could turn a source of help into a threat vector.
