Russian citizen Aleksei Volkov received 81 months in federal prison on March 24, 2026. The 26-year-old sold corporate network access to the Yanluowang ransomware group. The same week, prosecutors charged Angelo Martino, 41, a DigitalMint ransomware negotiator who secretly ran BlackCat attacks against his own firm's clients.
Volkov operated under the handle "chubaka.kor" between July 2021 and November 2022. He breached employee accounts, escalated to network-level access, and sold that access to Yanluowang operators. In some cases he charged as little as $1,000 in Bitcoin for credentials to a corporate network. Yanluowang operators then encrypted victims' data and demanded ransoms in the tens of millions.
Seven US organisations were confirmed as victims, including a bank, a telecommunications company, and an engineering firm. Two paid a combined $1.5 million. Volkov earned more than $256,000 from his brokering activities. The FBI traced payments through a cryptocurrency account verified with identity documents under "Aleksei Olegovich Volkov," an OPSEC failure that handed prosecutors direct evidence. Chat logs recovered from servers documented his conversations with Yanluowang operators, including pricing.
The Southern District of Indiana court set actual losses at $9.1 million. Intended losses reached $24 million.
Italian police arrested Volkov in Rome on January 18, 2024. He pleaded guilty on November 25, 2025, to six counts spanning identity fraud, access device trafficking, computer fraud conspiracy, and money laundering conspiracy. Restitution was set at $9,167,198.19.
Yanluowang first appeared in late 2021. The group combined file encryption (appending the ".yanluowang" extension) with DDoS pressure and harassing phone calls to force payment. Court documents do not name Cisco among Volkov's victims, but the networking vendor disclosed in August 2022 that Yanluowang targeted it in May 2022. Cisco linked the intrusion to a broker with ties to UNC2447, Lapsus$, and Yanluowang, a profile consistent with Volkov's activities.
The group collapsed in November 2022 after its own internal chats and source code were leaked online. Kaspersky researchers found a flaw in the encryption algorithm and released a free decryptor the same year.
"Volkov's co-conspirators then used the access Volkov provided to infect the affected computer networks and systems with malware. This malware encrypted the victims' data and prevented the victims from accessing it, damaging their business operations."
— DOJ press release, March 24, 2026
Angelo Martino surrendered to US Marshals in Miami on March 10, 2026. Prosecutors charged him with conspiracy to interfere with commerce by extortion. Between April 2023 and April 2025, he ran BlackCat (also known as ALPHV) attacks while working as a ransomware negotiator at DigitalMint.
Five of Martino's alleged victims hired DigitalMint for help. DigitalMint assigned Martino as their negotiator. He sat on both sides of the table, advising the victim while extorting them through BlackCat. Prosecutors allege he fed confidential information from ongoing negotiations to BlackCat operators to extract higher payouts.
Martino had been identified only as "Co-Conspirator 1" in the November 2025 indictment of two co-defendants. Kevin Tyler Martin, a former DigitalMint negotiator in Texas, pleaded guilty in December 2025. Ryan Clifford Goldberg, a former Sygnia incident response manager in Georgia, did the same. Both face sentencing on April 30, 2026.
Across 10 attacks in the indictment, six produced ransom payments totalling more than $75.25 million. Two individual payments exceeded $25 million each. As BlackCat affiliates, Martino and his co-conspirators paid 20% of proceeds to BlackCat's administrators.
Authorities seized nearly $9.2 million in cryptocurrency from 21 wallets controlled by Martino. The haul included Bitcoin, Monero, Ripple, Solana, and Stellar. Luxury vehicles and properties were also confiscated. Martino faces up to 20 years in prison.
"We strongly condemn these former employees' criminal behavior, which violated our values, ethical standards and the law. DigitalMint has fully cooperated with law enforcement from the outset and does not expect further charges."
— Jonathan Solomon, CEO, DigitalMint
DigitalMint learned of the DOJ probe in April 2025. The firm suspended Martino's access the same day and fired him the next. The company did not directly answer whether it refunded clients whom Martino victimised.
"Just as threat actors have access to all the red teaming tools we use in security, many in security have access to the tools threat actors use. For a small number of people in this industry that is going to be a huge temptation, especially seeing how much money some cybercriminals make."
— Allan Liska, ransomware analyst, Recorded Future
The Martino case is the first prosecution of a ransomware insider at a US incident response firm.
Volkov sold network access for $1,000. His buyers demanded millions. Martino earned trust as a negotiator, then weaponised it. The two cases expose the same structural weakness. The ransomware economy depends on intermediaries, and those intermediaries are now the DOJ's primary targets.
FBI SAC Skiles urged companies to vet negotiators before engagement. Sessions should run on auditable platforms. No single individual should control both the victim and threat-actor channels. Background checks should include cryptocurrency wallet screening.