ForkLog

Ransom Negotiator Suspected of Colluding with Hackers

The U.S. Department of Justice is investigating a former employee of DigitalMint, a company that assists victims of ransomware attacks, according to Bloomberg.

The individual is suspected of colluding with hackers to receive a share of the cryptocurrency paid by victims.

DigitalMint President Mark Grens confirmed that a former employee is under investigation. The company has dismissed the individual and is cooperating with law enforcement. Management emphasized that the firm itself is not under investigation.

“We acted swiftly to protect our clients,” stated CEO Jonathan Solomon.

According to Bloomberg, some legal and insurance firms have already advised clients to avoid using DigitalMint’s services due to these allegations.

The DigitalMint website highlights its experience in resolving over 2,000 incidents since 2017. The company is registered with FinCEN as a money transmitter and holds licenses in several states.

Conflict of Interest

Bill Siegel, head of rival firm Coveware, explained to BleepingComputer that such abuses are possible due to a flawed business model.

He noted that a conflict of interest arises when an intermediary receives a percentage of the ransom amount. This incentivizes them to secure a larger payment rather than act in the client’s best interest. Siegel believes that only a fixed-fee service model is appropriate in this field.

“A negotiator has no incentive to lower the price or disclose all facts to the victim if the company they work for profits from the size of the ransom paid,” stated AFTRDRK CEO James Taliento.

The issue is not new. Back in 2019, a ProPublica investigation revealed that some firms secretly paid attackers while billing clients for “data recovery.” Hacker groups like REvil and GandCrab even created special discount codes for such “partners.”

Companies Pay Less Frequently

The number of companies yielding to attackers is decreasing. According to Coveware, only 25% of attacked organizations paid a ransom in the last quarter of 2024. In contrast, this figure was 85% in the first quarter of 2019.

25% of companies affected by ransomware in Q4 2024 paid a ransom. Data: Coveware.

The median payout amount decreased by 45% to $110,890. This is due to organizations improving cybersecurity and increasingly refusing to fund criminals.

The most active ransomware strains at the end of 2024 were Akira and Fog, primarily targeting small and medium-sized businesses. Analysts also noted a rise in lone hackers who distrust large RaaS platforms.

Chainalysis also recorded a 35% drop in total payouts—from $1.25 billion in 2023 to $813.55 million in 2024.

For the first time since 2022, ransomware revenues have declined. Data: Chainalysis.

Experts attribute this to law enforcement actions and the growing refusal of victims to pay ransoms.

Chainalysis noted that the gap between demanded and paid ransom amounts is widening. According to Kivu Consulting, only about 30% of negotiations result in payment. Victims increasingly restore data from backups, finding it a quicker and cheaper solution.

Methods of laundering funds have also changed, analysts reported. Perpetrators are using mixers less frequently due to sanctions and government actions against services like Tornado Cash and Sinbad.

Instead, operators are increasingly relying on cross-chain bridges. Centralized exchanges remain the primary tool for cashing out funds.

Back in May, Global Ledger analysts outlined the timing of stolen cryptocurrency movements.
