A former ransomware negotiator at Chicago-based firm DigitalMint is under criminal investigation by the U.S. Department of Justice (DOJ) for allegedly collaborating with ransomware gangs to profit from extortion payments, according to multiple reports.
The individual, who has not been publicly named, is suspected of working alongside cybercriminal groups during ransomware negotiations and taking a cut from ransom payments made by victim companies. The DOJ is now probing whether the negotiator manipulated ransom discussions to inflate payments that were partially routed back to the negotiator.
DigitalMint, a firm specializing in ransomware response and cryptocurrency payment facilitation, confirmed that a former employee is the subject of the DOJ’s investigation. The company said it terminated the individual upon learning of the alleged misconduct and has been actively cooperating with federal authorities.
“We acted swiftly to protect our clients and have been cooperating with law enforcement,” said DigitalMint CEO Jonathan Solomon in a statement to BleepingComputer. Marc Grens, the company’s president, added, “Trust is earned every day. As soon as we were able, we began communicating the facts to affected stakeholders.”
The company emphasized that it is not the target of the investigation. However, when asked for additional details—including whether the suspect has been arrested—DigitalMint declined to comment, citing the ongoing nature of the probe. Both the DOJ and FBI also declined to offer public statements.
Founded in 2017, DigitalMint claims to have facilitated over 2,000 ransomware payment negotiations. The allegations come as a blow to the incident response industry, which is built on trust, discretion, and legal compliance in high-stakes cybercrime situations.
The revelations have prompted some legal and insurance firms to caution clients against engaging DigitalMint while the investigation remains active. Industry experts say the incident highlights a longstanding moral hazard in the ransomware negotiation business model.
This case echoes findings from a 2019 ProPublica investigation, which exposed U.S.-based data recovery firms that secretly paid ransomware gangs while charging clients for recovery—without disclosing that payments were made to threat actors. At the time, such payments were typically smaller in scale, ranging from thousands to hundreds of thousands of dollars. Today, ransom demands have escalated into the multimillion-dollar range.
Historically, ransomware gangs like REvil and GandCrab have created special portals and discount codes to accommodate third-party negotiators, enabling them to broker payments at reduced rates while profiting from the margin.
