{"id":25092,"date":"2025-07-03T16:52:11","date_gmt":"2025-07-03T13:52:11","guid":{"rendered":"https:\/\/forklog.com\/en\/ransom-negotiator-suspected-of-colluding-with-hackers\/"},"modified":"2025-07-03T16:52:11","modified_gmt":"2025-07-03T13:52:11","slug":"ransom-negotiator-suspected-of-colluding-with-hackers","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/ransom-negotiator-suspected-of-colluding-with-hackers\/","title":{"rendered":"Ransom Negotiator Suspected of Colluding with Hackers"},"content":{"rendered":"<p>The U.S. Department of Justice is investigating a former employee of DigitalMint, a company that assists victims of ransomware attacks, according to <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2025-07-02\/us-probes-ex-ransom-negotiator-accused-of-scheming-with-hackers\">Bloomberg<\/a>.<\/p>\n<p>The individual is suspected of colluding with hackers to receive a share of the cryptocurrency paid by victims.<\/p>\n<p>DigitalMint President Mark Grens confirmed that a former employee is under investigation. The company has dismissed the individual and is cooperating with law enforcement. The management emphasized that the firm itself is not under investigation.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cWe acted swiftly to protect our clients,\u201d stated CEO Jonathan Solomon.<\/em><\/p>\n<\/blockquote>\n<p>According to Bloomberg, some legal and insurance firms have already advised clients to avoid using DigitalMint&#8217;s services due to these allegations.<\/p>\n<p>The <a href=\"https:\/\/digitalmint.io\/about-us\/\">DigitalMint website<\/a> highlights its experience in resolving over 2,000 incidents since 2017. The company is registered with the <span data-descr=\"U.S. 
Financial Crimes Enforcement Network\" class=\"old_tooltip\">FinCEN<\/span> as a money transmitter and holds licenses in several states.<\/p>\n<h2 class=\"wp-block-heading\">Conflict of Interest<\/h2>\n<p>Bill Siegel, head of rival firm Coveware, explained to <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/doj-investigates-ex-ransomware-negotiator-over-extortion-kickbacks\/\">BleepingComputer<\/a> that such abuses are possible due to a flawed business model.<\/p>\n<p>He noted that a conflict of interest arises when an intermediary receives a percentage of the ransom amount. This incentivizes them to secure a larger payment rather than act in the client&#8217;s best interest. Siegel believes that only a fixed-fee service model is appropriate in this field.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cA negotiator has no incentive to lower the price or disclose all facts to the victim if the company they work for profits from the size of the ransom paid,\u201d stated AFTRDRK CEO James Taliento.<\/em><\/p>\n<\/blockquote>\n<p>The issue is not new. Back in 2019, a <a href=\"https:\/\/features.propublica.org\/ransomware\/ransomware-attack-data-recovery-firms-paying-hackers\/\">ProPublica<\/a> investigation revealed that some firms secretly paid attackers while billing clients for \u201cdata recovery.\u201d Hacker groups like REvil and GandCrab even created special discount codes for such \u201cpartners.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Companies Pay Less Frequently<\/h2>\n<p>The number of companies yielding to attackers is decreasing. According to <a href=\"https:\/\/www.coveware.com\/blog\/2025\/1\/31\/q4-report\">Coveware<\/a>, only 25% of attacked organizations paid a ransom in the last quarter of 2024. 
In contrast, this figure was 85% in the first quarter of 2019.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/Snimok-ekrana-2025-07-03-161104.webp\" alt=\"Snimok-ekrana-2025-07-03-161104\" class=\"wp-image-261386\"\/><figcaption class=\"wp-element-caption\">25% of companies affected by ransomware in Q4 2024 paid a ransom. Data: Coveware.<\/figcaption><\/figure>\n<p>The median payout amount decreased by 45% to $110,890. This is due to organizations improving cybersecurity and increasingly refusing to fund criminals.<\/p>\n<p>The most active ransomware variants at the end of 2024 were Akira and Fog, primarily targeting small and medium-sized businesses. Analysts also noted a rise in lone hackers who distrust large <span data-descr=\"Ransomware-as-a-Service\" class=\"old_tooltip\">RaaS<\/span> platforms.<\/p>\n<p><a href=\"https:\/\/www.chainalysis.com\/blog\/crypto-crime-ransomware-victim-extortion-2025\/\">Chainalysis<\/a> also recorded a 35% drop in total payouts\u2014from $1.25 billion in 2023 to $813.55 million in 2024.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/Snimok-ekrana-2025-07-03-161505.webp\" alt=\"Snimok-ekrana-2025-07-03-161505\" class=\"wp-image-261387\"\/><figcaption class=\"wp-element-caption\">For the first time since 2022, ransomware revenues have declined. Data: Chainalysis.<\/figcaption><\/figure>\n<p>Experts attribute this to law enforcement actions and the growing refusal of victims to pay ransoms.<\/p>\n<p>Chainalysis noted that the gap between demanded and paid ransom amounts is widening. According to Kivu Consulting, only about 30% of negotiations result in payment. Victims increasingly restore data from backups, finding it a quicker and cheaper solution.<\/p>\n<p>Methods of laundering funds have also changed, analysts reported. 
Perpetrators are using mixers less frequently due to sanctions and government actions against services like Tornado Cash and Sinbad.<\/p>\n<p>Instead, operators are increasingly relying on cross-chain bridges. Centralized exchanges remain the primary tool for cashing out funds.<\/p>\n<p>Back in May, Global Ledger analysts <a href=\"https:\/\/u1f987.com\/en\/news\/analysts-outline-timing-of-stolen-cryptocurrency-movements\">outlined<\/a> the timing of stolen cryptocurrency movements.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The U.S. Department of Justice is investigating a former employee of DigitalMint, a company that assists victims of ransomware attacks, according to Bloomberg. The individual is suspected of colluding with hackers to receive a share of the cryptocurrency paid by victims. DigitalMint President Mark Grens confirmed that a former employee is under investigation. The company [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":25091,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,26],"class_list":["post-25092","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-usa"],"aioseo_notices":[],"amp_enabled":true,"views":"90","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/25092","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/
v2\/comments?post=25092"}],"version-history":[{"count":0,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/25092\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/25091"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=25092"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=25092"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=25092"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}