Ex-Ransomware Negotiator Admits to Double-Crossing Victims for Profit

A former ransomware negotiator has pleaded guilty to helping cybercriminals extort companies, marking the third such case in the past year. Angelo Martino, once employed by cybersecurity firm DigitalMint, confessed to betraying his clients by feeding confidential information to the operators of the ALPHV/BlackCat ransomware group.

According to the U.S. Justice Department, Martino admitted to playing both sides during five separate incidents. While ostensibly working for victims, he secretly passed details about their insurance policy limits and negotiation strategies to the criminals. His goal: maximize the extortion payout, from which he took a cut.

The Betrayal Behind the Negotiation Table

Prosecutors described Martino’s actions as a calculated breach of trust. “Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart them,” said Assistant Attorney General A. Tysen Duva. “Instead, he betrayed them and began launching ransomware attacks himself.”

This case is not isolated. In 2024, two other cybersecurity professionals—Kevin Tyler Martin (also a DigitalMint employee) and Ryan Clifford Goldberg (a former incident response manager at Sygnia)—were charged with similar offenses. Authorities had mentioned a third unnamed individual; we now know it was Martino.

How the ALPHV/BlackCat Ransomware Scheme Worked

ALPHV/BlackCat operates as a ransomware-as-a-service model. The gang develops and maintains the file-locking malware, while affiliates deploy it in attacks and share a portion of the ransom with the developers. Martino, along with Martin and Goldberg, essentially became affiliates for six months in 2023.

During that period, the trio extorted over $1.2 million from a single victim, prosecutors said. Martino pleaded guilty to extortion and faces up to 20 years in prison. Authorities have already seized $10 million in assets from him.

The DigitalMint Connection

When reached for comment, an unnamed DigitalMint spokesperson told TechCrunch that the company had no knowledge of Martino’s criminal actions. They added that both employees were fired after the accusations surfaced. However, the case raises questions about oversight in the cybersecurity incident response industry.

Building on this, Martino’s guilty plea highlights a troubling trend: insiders exploiting their access to sensitive victim data for personal gain. As ransomware attacks continue to rise, companies must vet their incident response partners more rigorously.

Law Enforcement Actions Against ALPHV/BlackCat

In 2023, an international coalition of law enforcement agencies seized the dark web leak site of ALPHV/BlackCat, disrupting its operations. They also released a decryption tool to help over 500 victims restore their systems. This takedown, however, did not stop the group’s affiliates from operating independently.

For more insights on ransomware response strategies, check out our guide on building a ransomware response plan. Additionally, learn how to negotiate with cyber insurers without exposing critical data.

As a result, the Martino case serves as a stark reminder: even those hired to protect can become the threat. Companies must implement strict protocols to monitor third-party negotiators and ensure they act solely in the victim’s interest.

Cloud Hosting Giant Vercel Confirms Hack: Customer Credentials Stolen and Sold Online

The cloud app hosting platform Vercel has confirmed that hackers infiltrated its internal systems and made off with sensitive customer data. This breach, which came to light over the weekend, has already led to stolen credentials being listed for sale on cybercriminal forums. The incident underscores the growing threat of supply chain attacks targeting widely used software infrastructure.

How the Vercel Hack Unfolded: A Supply Chain Entry Point

According to Vercel’s official statement, the breach originated from a third-party software maker, Context AI. One of Vercel’s employees downloaded a Context AI app and linked it to their corporate Google account using OAuth. The attackers exploited this connection to hijack the employee’s Google account, gaining unauthorized access to internal systems—including unencrypted credentials.

This attack method is a classic supply chain maneuver: instead of directly targeting the primary company, hackers compromise a smaller, less secure vendor. By doing so, they bypass robust defenses and gain access to a treasure trove of data. In this case, the stolen credentials included customer API keys, source code, and database contents.

What Data Was Stolen from Vercel?

The threat actor, who claimed to represent the notorious ShinyHunters hacking group, posted an advertisement on a cybercriminal forum. The listing, reviewed by TechCrunch, offered access to Vercel customer API keys, source code, and database dumps. However, ShinyHunters themselves later denied involvement in the incident, telling cybersecurity news site Bleeping Computer that they were not responsible.

Vercel has assured customers that its open source projects—Next.js and Turbopack—were not compromised. Nevertheless, the company has begun notifying affected clients and advises all users to rotate any keys or credentials marked as “non-sensitive” in their deployments. CEO Guillermo Rauch shared this warning on X, urging developers to take immediate action.

Context AI’s Role in the Breach

Context AI, which builds evaluation tools for AI models, acknowledged on its website that it suffered a breach in March involving its Office Suite consumer app. The app allowed users to automate workflows across third-party services—and the hackers likely stole OAuth tokens during that intrusion. Context AI initially notified only one customer but now believes the incident is broader than first thought.

The company has not disclosed why it delayed reporting the breach or whether it received any ransom demands. This lack of transparency raises questions about how many other organizations might be affected downstream. Vercel warned that the hack could impact “hundreds of users across many organizations,” potentially triggering a cascade of secondary breaches throughout the tech industry.

Protecting Your Data After the Vercel Breach

If you use Vercel for hosting or deployment, here are immediate steps to take:

• Rotate all API keys and credentials that are not marked as “sensitive” in your Vercel dashboard.
• Audit OAuth connections linked to your corporate accounts. Revoke any that you don’t recognize or no longer use.
• Enable multi-factor authentication on all Google Workspace accounts to add an extra layer of security.
• Monitor your logs for unusual activity, especially from third-party apps.

For broader guidance on securing your development pipeline, check out our article on best practices for securing CI/CD pipelines. You might also find our guide on how to prevent supply chain attacks useful for long-term protection.

The Bigger Picture: Supply Chain Attacks on the Rise

This incident is the latest in a string of supply chain breaches targeting software developers whose code powers a significant portion of the web. By compromising widely used tools, hackers can steal credentials from a massive pool of targets simultaneously. The Vercel hack is a stark reminder that even industry leaders are vulnerable when their vendors have weak security postures.

As investigations continue, both Vercel and Context AI are under pressure to provide more details. For now, developers must remain vigilant. The stolen credentials are already circulating on dark web forums, and the full extent of the damage may not be known for weeks.

Infosecurity Magazine Server Error: How to Resolve It Quickly

Seeing a server error on Infosecurity Magazine can be frustrating, especially when you need critical cybersecurity news or analysis. This Infosecurity Magazine server error typically appears as a generic message urging you to refresh or return to the homepage. While the cause might be temporary, understanding how to handle it can save you time and hassle.

What Causes the Infosecurity Magazine Server Error?

Server errors often stem from temporary glitches on the website’s end, such as high traffic, maintenance, or a misconfigured server. In some cases, your browser’s cache or network settings might trigger the issue. However, the error does not usually indicate a serious problem with your device or account.

Common Triggers for This Error

High demand for content, such as during a major cybersecurity event, can overload the server. Additionally, scheduled updates or unexpected downtime may lead to the error. On the user side, outdated browser data or conflicting extensions can sometimes mimic server problems.

Step-by-Step Fixes for the Infosecurity Magazine Server Error

Before contacting support, try these straightforward solutions. Most users resolve the issue within minutes by following these steps.

1. Refresh the Page

Start by pressing F5 or clicking the refresh button on your browser. This forces the server to reload the page. If the error was temporary, the content should appear normally. Repeat this once or twice, but avoid excessive refreshing, which could strain the server.

2. Clear Your Browser Cache and Cookies

Outdated cached data can conflict with the server’s latest version. Clear your browser’s cache and cookies, then restart the browser. For Chrome, go to Settings > Privacy and Security > Clear browsing data. This often resolves persistent errors.

3. Use a Different Browser or Device

Sometimes, browser-specific issues cause the error. Try accessing Infosecurity Magazine using a different browser like Firefox or Edge, or switch to a mobile device. If the site loads, the problem lies with your original browser’s configuration.

4. Check Your Internet Connection

A weak or unstable internet connection can mimic server errors. Restart your router or try connecting via a different network. Use a site like Down for Everyone or Just Me to verify if the error is widespread.

When to Wait or Contact Support

If the above steps don’t work, the error might be server-side. In such cases, waiting 30 minutes to an hour often resolves it. The original message advises checking back shortly, which is sound advice for temporary issues.

How to Reach Infosecurity Magazine Help

For persistent problems, contact the Infosecurity Magazine support team via their contact page. Provide details like the error message, your browser type, and any steps you’ve tried. This helps them diagnose the issue faster.

Preventing Future Server Errors

While you can’t control the server, you can minimize disruptions. Bookmark the homepage for quick access, and consider subscribing to their newsletter for updates during outages. Additionally, keep your browser updated to avoid compatibility issues.

As a final note, server errors are common on high-traffic sites. By following these troubleshooting steps, you can resolve the Infosecurity Magazine server error efficiently. If all else fails, the support team is just a message away.