A ransomware negotiator — someone hired by victims to fight hackers — was secretly feeding the hackers everything. Insurance limits. Internal negotiation strategy. Real-time positioning. The whole time.
That’s not a hypothetical. Angelo Martino, a negotiator at Illinois-based DigitalMint, pleaded guilty in April 2026 to conspiring with the BlackCat/ALPHV ransomware gang against five U.S. companies he was supposed to be protecting.¹ He was joined by a second DigitalMint employee and a former incident response manager at cybersecurity firm Sygnia — three insiders, all on the wrong side.² Total ransom payments across the scheme: over $75 million, with two individual payments exceeding $25 million each.³ Martino personally walked away with $10 million in assets before the DOJ seized them.⁴
A senior DOJ official told CNN the case is “groundbreaking” — and flagged that at least one additional incident response firm is under investigation right now.⁵
Your Vendors Are Your Perimeter
The DigitalMint case is the most visible version of a threat pattern that’s been escalating across accounting and financial services for 18 months.
The attack surface has shifted. Hackers aren’t just targeting your firm directly — they’re moving through the platforms and providers you’ve already cleared to be inside your environment:
- File transfer platforms like MoveIt and CrushFTP have been actively exploited. Accounting firms using these tools became secondary victims — data exfiltrated, separate ransoms demanded — even though they did nothing wrong.⁶
- Tax software update servers were infiltrated in 2025, pushing ransomware automatically to over 14,000 practices through a trusted update channel.⁷
- Payroll vendors and managed IT providers are consistent entry points. Third-party breaches doubled in a single year, per the 2025 Verizon Data Breach Investigations Report.⁸
This is the double extortion model: steal the data, lock the systems, then threaten to publish client financials and SSNs publicly if you don’t pay again. It’s now the standard playbook.⁹
Why Your Firm is on the List
Accounting and legal firms hold concentrated repositories of immediately monetizable data — Social Security numbers, tax returns, payroll records, full business financials across dozens of clients simultaneously. Criminals know your filing season calendar. They time attacks for maximum operational pressure, when downtime costs the most and your negotiating position is weakest.¹⁰
The Gramm-Leach-Bliley Act Safeguards Rule now applies directly to CPA firms and tax professionals. The IRS audits firms on cybersecurity readiness when a breach or client complaint is reported.¹¹ Compliance isn’t a checkbox — it’s a live liability.
What This Actually Requires
You can have a solid firewall and still get hit through a vendor with admin access to your systems. Cybersecurity in 2026 means actively managing every third-party relationship that touches your environment — not just at onboarding.
That’s where having a local IT partner changes the equation. When something goes wrong mid-tax season, you don’t need a national support line reading your ticket cold. You need someone who already knows your systems, your client data environment, and your risk profile.
CMIT Solutions works with accounting firms, legal offices, and financial professionals across Cincinnati, Florence, and Covington — providing third-party vendor reviews, layered monitoring, documented incident response plans, and the staff training that keeps well-meaning employees from accidentally becoming the breach themselves.
Tired of talking to frustrating AI bots when your technology breaks?
Call a local expert today or book a consultation with a real human IT professional.
Not sure where your biggest exposure is right now? Contact Mike Martini today for a personalized audit: mmartini@cmitsolutions.com
Sources: ¹TechCrunch, Apr. 2026 ²The Register, Nov. 2025 ³⁴Tom’s Hardware, Apr. 2026 ⁵CNN Politics, Apr. 2026 ⁶Kennedys Law, May 2025 ⁷Bellator Cyber, Mar. 2026 ⁸Tech Advisory, Nov. 2025 ⁹Plexus Technology, Jul. 2025 ¹⁰Nerds Support, Mar. 2025 ¹¹Ibid.
CMIT Solutions | Serving Cincinnati, Florence, Covington & Northern Kentucky Managed IT | Cybersecurity | Secure AI Workspace | Local Support
