A South Florida man pleaded guilty to conspiring with multiple ransomware affiliates to commit attacks against and extort payments from the same U.S. companies he represented as a ransomware negotiator for DigitalMint in 2023, the Justice Department said Monday.

Angelo John Martino III shared confidential information about victim organizations’ internal negotiating positions and insurance policy limits he gained from his work as a ransomware negotiator to extract the maximum ransom payment for himself and other BlackCat affiliates, according to his plea agreement.

Five of Martino’s victims hired DigitalMint, which assigned the 41-year-old to conduct ransomware negotiations on their clients’ behalf — a rare position he exploited to play both sides. DigitalMint, which is not accused of any knowledge or involvement in the crimes, fired Martino the day after the Justice Department informed the company they were investigating him in April 2025. 

The five U.S.-based victims that hired DigitalMint and unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators include a nonprofit and companies in the hospitality, financial services, retail and medical industries. All five of those victims paid a ransom.

Prosecutors previously said Martino helped accomplices extort a combined $75.3 million in ransom payments, including a nearly $26.8 million payment from the unnamed nonprofit, and a nearly $25.7 million payment from the unnamed financial services company. 

Martino also admitted to conspiring with Kevin Tyler Martin, another former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former manager of incident response at Sygnia, to deploy BlackCat ransomware, also known as ALPHV, against five additional U.S. companies between April and November 2023. 

Goldberg and Martin pleaded guilty in December to participating in a series of ransomware attacks and are scheduled for sentencing April 30.

“Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims,” A. Tysen Duva, assistant attorney general at the Justice Department’s Criminal Division, said in a statement. “Instead, he betrayed them and began launching ransomware attacks himself by assisting cybercriminals and harming victims, his own employer, and the cyber incident response industry itself.”

The case against Martino showcases an extreme, albeit rare, example of the dark underbelly of ransomware negotiation as a practice. The pitfalls of ransomware negotiation are excessive and these backchannel negotiations, which remain largely unscrutinized, can go awry for various reasons. 

Officials shared a series of chats Martino held with co-conspirators and his victims that exemplify the lengths he went to betray DigitalMint’s clients and empower his accomplices with crucial tips for a successful negotiation strategy.

DigitalMint did not respond to a request for comment on Martino’s guilty plea.

Negotiation chats exemplify Martino’s crimes

During an incident response with one of his victims, Martino told a BlackCat affiliate the company’s insurance carrier “was only approving small accounts,” according to his plea agreement. “Keep denying our offers and I will let you know once I find out the max the[y] want to pay,” he added.

“We don’t know how you came up with your demand but we are losing money operationally and all of our loans are going to turnover on us this year at double the interest rates,” Martino said in a negotiation chat visible to DigitalMint and the victim organization in the hospitality industry. “We are able to give you $1 million now, which is a very serious offer.”

Following Martino’s instructions, the BlackCat accomplice responded: “Well, you can keep that for the penalties and lawsuits which are coming your way in case we expose you. Time is ticking — we know how much you can pay. Contact your insurance. We know about them also. Stop wasting time.”

That victim company ultimately paid a ransom worth nearly $16.5 million at the time to receive a decryptor and the BlackCat affiliate’s commitment to not publish stolen data. The two other victims Martino represented via DigitalMint at the time paid $6.1 million and $213,000 ransoms for similar commitments.

“Ransomware victims turned to this defendant for help, and he sold them out from the inside,” Jason A. Reding Quiñones, U.S. attorney for the Southern District of Florida, said in a statement.

Martino received a portion of the ransomware payments for his involvement in the conspiracy.

Authorities have seized $10 million in assets and cryptocurrency wallets controlled by Martino. Law enforcement seized multiple vehicles, a food truck and a 29-foot luxury fishing boat that he obtained using proceeds from his crimes.

Officials also seized two properties owned by Martino in Nokomis, Florida, including a bayfront home with an estimated value of $1.68 million and a second single-family home with an estimated value of $396,000. 

Martino surrendered in March to the U.S. Marshals in Miami and was released on a $500,000 bond.

“The FBI works every day to dismantle the ransomware ecosystem,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement. “That includes apprehending key facilitators like Angelo Martino, who abused the trust placed in him as a private sector negotiator by collaborating with ransomware criminals.”

ALPHV/BlackCat was a notorious ransomware and extortion group linked to a series of attacks on critical infrastructure providers. The ransomware variant first appeared in late 2021, and was later used in dozens of attacks on organizations in the health care sector.

The group behind the ransomware strain also claimed responsibility for the February 2024 attack on UnitedHealth Group subsidiary Change Healthcare, which paid a $22 million ransom and became the largest health care data breach on record, compromising data on about 190 million people.

Martino pleaded guilty to conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion. He faces up to 20 years in federal prison and is scheduled for sentencing July 9.

You can read Martino’s plea agreement below.

The post Former DigitalMint ransomware negotiator pleads guilty to extortion scheme appeared first on CyberScoop.

OpenAI updated its security certificates and is requiring all macOS users to update to the latest versions after determining its products, along with many others, were impacted by a widespread supply-chain attack that briefly infected a popular open-source library in late March, the company said in a blog post Friday.

The artificial intelligence vendor said it “found no evidence that OpenAI user data was accessed, that our systems or intellectual property was compromised, or that our software was altered.”

Yet, because a GitHub workflow the company uses to sign certificates for macOS applications downloaded and executed a malicious version of Axios, the company is treating the soon-to-be defunct certificate as compromised.

A North Korean hacking group injected malware into two versions of Axios after it compromised the lead maintainer’s computer via social engineering and took over his npm and GitHub accounts. Jason Saayman, the lead maintainer for Axios, said the malicious versions of the software were live for about three hours before removal. 

Google Threat Intelligence Group, which tracks the threat group as UNC1069, said the impact of the attack was broad with ripple effects potentially exposing other popular packages. The JavaScript libraries flow into dependent downstream software through more than 100 million and 83 million downloads weekly. 

The attack was discovered just weeks after a series of other open-source tools, including Trivy, were compromised by UNC6780, also known as TeamPCP, resulting in aggressive extortion attempts. 

OpenAI insists the malware that infected Axios did not directly impact its certificate, which is designed to help customers confirm they are downloading legitimate software. 

“The signing certificate present in this workflow was likely not successfully exfiltrated by the malicious payload due to the timing of the payload execution, certificate injection into the job, sequencing of the job itself, and other mitigating factors,” the company said in the blog post. “Nevertheless, out of an abundance of caution we are treating the certificate as compromised, and are revoking and rotating it.”

Older versions of OpenAI’s macOS apps may lose functionality and will no longer be supported when the certificate is fully revoked May 8, the company said.

OpenAI, which hired a third-party digital forensics and incident response firm to aid its investigation and response, pinned the root cause of the security issue on a misconfiguration in its GitHub workflow. The company said it corrected that error and worked with Apple to ensure fraudulent apps posing as OpenAI cannot use the impacted certificate.

The 30-day window is designed to minimize disruption for users, but OpenAI said it will speed up the revocation deadline if it identifies any malicious activity. The company did not immediately respond to a request for comment.

The post OpenAI’s Mac apps need updates thanks to the Axios hack appeared first on CyberScoop.

Authorities seized infrastructure powering four botnets that hijacked a combined three million devices and launched more than 300,000 DDoS attacks collectively, the Justice Department said Thursday.

The botnets — Aisuru, Kimwolf, JackSkid and Mossad — enabled operators to sell access to the infected devices for various cybercrimes. The aftermath spanned thousands of attacks, including some demanding extortion payments from victims, officials said.

The globally coordinated operation, aided by law enforcement actions targeting the botnets’ operators in Canada and Germany, disrupted the command-and-control infrastructure for all four botnets. Two of the botnets set records before the takedown, attracting widespread attention from security researchers and vendors.

The Kimwolf botnet, an Android variant of Aisuru, spread like wildfire after its operators figured out how to abuse residential-proxy networks for local control, according to Sythient. It eventually took over more than 2 million Android TV devices by January. In September, just as Kimwolf was forming, Cloudflare clocked the Aisuru botnet hitting a record-breaking 29.7 terabits-per-second DDoS attack that lasted 69 seconds.

Officials ultimately attributed roughly 200,000 DDoS attacks to Aisuru, 90,000 to JackSkid, 25,000 to Kimwolf and about 1,000 DDoS attack commands to the Mossad botnet. Yet, DDoS attacks from financially-motivated attackers are typically a distraction or misdirection.

“Oftentimes a DDoS attack is just advertising for the size of an operator’s botnet,” Zach Edwards, staff threat researcher at Infoblox, told CyberScoop. Botnet operators cash out by renting these controlled devices to cybercriminals for account abuse, password reset attacks, ad fraud schemes and residential proxy nodes, he added.

Devices infected by the four botnets include digital video recorders, web cameras, Wi-Fi routers and TV boxes. Hundreds of thousands of these devices are located in the United States, federal prosecutors said. 

Authorities did not name the people involved or formally announce any arrests. Yet, they describe the operation in nearly conclusive terms, claiming the action disrupted the botnets’ communications infrastructure — domains, virtual servers and other systems — to prevent further infection and limit or eliminate the botnets’ ability to launch future attacks.

“Cybercriminals infiltrate infrastructure beyond physical borders and Defense Criminal Investigative Service participates in international operations to help safeguard the Department’s global footprint,” Kenneth DeChellis, special agent in charge at the Defense Department’s DCIS cyber field office, said in a statement. Some of the DDoS attacks attributed to these botnets reached IP’s owned by the Department of Defense Information Network.

Botnets often compete for devices to infect and opportunities to scale. As Kimwolf spread and hit those objectives, it captured sweeping interest from researchers, authorities and vendors in a position to help stop it. 

Kimwolf was the largest DDoS botnet ever detected, according to Tom Scholl, vice president at Amazon Web Services, which assisted the operation. “The scale of this botnet is staggering,” he said in a LinkedIn post. 

“Kimwolf represented a fundamental shift in how botnets operate and scale,” Scholl added. “Unlike traditional botnets that scan the open internet for vulnerable devices, Kimwolf exploited a novel attack vector: residential proxy networks.”

Under this mechanism, any organization with vulnerable devices connected to the internet could unwittingly have those devices turned into a node for a botnet or a foothold for a targeted attack.

“This isn’t just some problem that your cousin has because he bought some cheap TV box that promised him free TV channels,” Edwards said. Infoblox previously said nearly 25% of customers had at least one endpoint device in a residential proxy service targeted by Kimwolf.

While it’s intellectually interesting whenever a botnet scales to extraordinary size, it’s also a “sad reminder that oftentimes security takes a back seat to convenience and cost,” Edwards said. 

“The botnets are growing because more and more people are buying weird internet-connected stuff,” he added. “Nothing in this world is free.”

The takedowns mark a continuation of a consistent, ongoing crackdown targeting large-scale botnets, cybercrime marketplaces, malware, infostealers and other cybercrime tools. Some of the malicious networks hampered or rendered nonoperational by disruptions and arrests during the past year include: DanaBot, Rapper Bot, Lumma Stealer, AVCheck and SocksEscort.

More than 20 companies and organizations assisted with the coordinated disruption, including law enforcement from the Netherlands and Europol. Efforts to stop botnets will continue as these malicious networks proliferate in new places and new ways. 

“We’re living in a device-compromise–DDOS-botnet-merry-go-round and while many of us wish something could slow it down, the challenges continue to grow,” Edwards said. “This is still a bad day for serious threat actors, and any day like that is something we should all celebrate.”

The post Justice Department disrupts botnet networks that hijacked 3 million devices appeared first on CyberScoop.

Cisco customers have confronted a flood of actively exploited vulnerabilities affecting the vendor’s network edge software since late February, and researchers say that five of the nine vulnerabilities Cisco disclosed in its firewalls and SD-WAN systems over the past three weeks have already been exploited in the wild. 

Attackers exploited a pair of these defects — zero-day vulnerabilities in Cisco SD-WANs — for at least three years before the vendor and authorities discovered and issued warnings about the threat. Cisco disclosed an additional five SD-WAN vulnerabilities that same day, and three of those defects have since been confirmed actively exploited as well.

Weaknesses lurking in Cisco security products don’t end there. Amazon Threat Intelligence on Wednesday said one of the two max-severity defects Cisco reported in its firewall management software earlier this month has been actively exploited by Interlock ransomware since Jan. 26, more than a month before those vulnerabilities were publicly disclosed.

Some organizations, officials and members of the security community at large have missed widening risks as more of the defects come under attack. The flurry of Cisco SD-WAN and firewall vulnerabilities includes defects with low CVSS ratings, zero-days and others that were determined actively exploited after disclosure.

“These are not random bugs in low-value software. These are management-plane and control-plane weaknesses in devices at the network edge, which often function as trust anchors in enterprise environments,” Douglas McKee, director of vulnerability intelligence at Rapid7, told CyberScoop.

“If you compromise SD-WAN or firewall management, you’re landing on policy, visibility, routing, segmentation, and, in many cases, administrative trust over a large swath of the environment,” he added. “Attackers know that and, when they find a pre-auth path into those systems, especially one that can be chained to root, that’s about as attractive as it gets.”

The full slate of recently disclosed Cisco vulnerabilities affecting these systems include:

• SD-WAN vulnerabilities: CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129 and CVE-2026-20133
• Cisco Secure Firewall Management Center software vulnerabilities: CVE-2026-20079 and CVE-2026-20131

Researchers from multiple firms and Cisco have observed or been notified of active exploitation of CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20128 and CVE-2026-20131.

The Cybersecurity and Infrastructure Security Agency has only added two of the defects — CVE-2022-20775 and CVE-2026-20127 — to its known exploited vulnerabilities catalog thus far. The agency, which last week added new hunting and reporting requirements to an emergency directive it issued for the defects in late February, did not answer questions about the updated order or explain why other actively exploited Cisco vulnerabilities haven’t been added to the catalog. The agency has been operating under a funding shutdown since February.

Interlock ransomware hits Cisco firewalls

The ongoing ransomware campaign Amazon Threat Intelligence spotted involving CVE-2026-20131 confirmed “Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look,” researchers said Wednesday.

Interlock’s observed attack path and operations are extensive, including post-compromise reconnaissance scripts, custom remote access trojans, a webshell and legitimate tool abuse. Amazon did not identify specific victims, and said the group threatens organizations with data encryption, regulatory fines and compliance valuations.

“Interlock has historically targeted specific sectors where operational disruption creates maximum pressure for payment,” Amazon Threat Intelligence researchers said in the blog post. These sectors include education, engineering, architecture, construction, manufacturing, industrial, health care and government entities. 

4 Cisco SD-WAN defects under attack

The swarm of vulnerabilities in Cisco SD-WANs poses additional risk for customers. Cisco Talos previously attributed long-running attacks involving CVE-2026-20127 and CVE-2022-20775 to UAT-8616, but it’s unclear if the same threat group is responsible for all of the Cisco SD-WAN exploits. 

“Other threat groups are likely to pick up public research in order to weaponize or adapt it opportunistically, so we may see follow-on attempts by additional threat actors, including low-skilled attackers,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop.

Researchers said vulnerabilities are often disclosed in clusters after a meaningful defect is identified in a specific product, such as Cisco’s SD-WAN systems.

Cisco declined to answer questions and said customers can find the latest information on its security advisories page.

Condon and McKee both noted that Cisco has been responsive in releasing software fixes, threat-hunting intelligence and, in the case of the SD-WAN zero-days, coordinated government guidance. 

“This is what a good crisis response is supposed to look like once exploitation is identified,” McKee said. 

“The harder question is whether the industry is getting early-enough visibility into the defects in edge-management software that sophisticated actors are clearly prioritizing,” he added. “Are our organizations equipped with the right people and tools to perform this level of exposure management?”

The expanding exploits Cisco customers are combating on firewalls and SD-WANs is a reminder that organizations shouldn’t deprioritize less notorious vulnerabilities or those with lower CVSS scores, Condon said. 

“Several of the exploited vulnerabilities in this tranche of Cisco SD-WAN bugs don’t have critical CVSS scores, meaning teams using CVSS as a prioritization mechanism might miss medium- or high-scored flaws that still have real-world adversary utility,” she added.

The attacks also collectively reflect a persistent pattern of attackers targeting network edge systems from multiple vendors, including Cisco.

“Attackers continue to treat network edge and management infrastructure as prime real estate, and when defenders see pre-authentication, management-plane flaws with evidence of pre-disclosure exploitation, they need to assume compromise, not just exposure,” McKee said. 

“Attackers are investing time and capability into finding and operationalizing previously unknown defects in Cisco edge and management infrastructure because the payoff is enormous,” he added. “These platforms give you a privileged position, broad visibility, and a path to durable access inside high-value organizations. That’s exactly why they keep getting hit.”

The post Cisco’s latest vulnerability spree has a more troubling pattern underneath appeared first on CyberScoop.

Professional NBA and NFL athletes were allegedly deceived and victimized by a 34-year-old Georgia man’s sneaky social-engineering scheme that he ran while impersonating a well-known adult film star, the Justice Department said Monday.

Kwamaine Jerell Ford allegedly initiated and committed some of the crimes while incarcerated in federal prison for a similar, widespread phishing scam that also targeted college and professional athletes and musical artists starting in 2015. 

“While serving time for stealing credit card numbers from athletes and celebrities to fund his lifestyle, Ford allegedly engaged in the same conduct again,” Theodore S. Hertzberg, U.S. attorney for the Northern District of Georgia, said in a statement.

The alleged repeat offender, while adopting the persona of an adult film model, tricked professional athletes into providing him their iCloud login credentials and multifactor authentication codes for those accounts to steal financial and personally identifiable information to pay for personal expenses.

Ford is accused of executing more than 2,000 unauthorized transactions on professional athletes’ debit and credit cards from November 2020 to September 2024, according to an unsealed indictment. He was in federal custody for the first 14 months of the conspiracy and released on probation for prior crimes in January 2022.

Prosecutors did not name victims, divulge how many athletes Ford allegedly victimized during his latest scheme, or how much money he obtained through the conspiracy. 

He pleaded not guilty Friday to 22 charges for crimes including wire fraud, obtaining information by computer from a protected computer, access device fraud, aggravated identity theft and sex trafficking. Ford is being held without bail pending a trial. 

Using the adult film model’s identity, Ford allegedly enticed his high-profile victims to communicate with him on social media by falsely claiming he would send them adult film content through iCloud.

When a professional athlete responded, Ford allegedly sent phishing messages to the victim designed to look like legitimate Apple customer service text messages. Officials said Ford spoofed legitimate Apple customer service accounts and posed as an Apple customer support representative to request victims’ login details via text messages.

Prosecutors said Ford told his victims the messages contained a video file shared through an iCloud link that required them to reply with an MFA code. Ford allegedly attempted to access his victims’ iCloud accounts at the same time, triggering an MFA code delivery to the victim’s device.

Professional athletes who provided their iCloud MFA codes to Ford were ultimately tricked into giving him complete access to their iCloud accounts, officials said. Ford allegedly used that access to steal sensitive data, driver’s licenses and credit card information that he used for personal spending.

Ford also, while impersonating the adult film star, allegedly victimized an OnlyFans model by claiming he would advance their career. Prosecutors said Ford enticed the OnlyFans model to engage in and record commercial sex acts with professional athletes without their consent. 

“Ford clearly did not learn from his prior conviction for a similar scheme. This time, he allegedly escalated his criminal activity — stealing identities and money while also moving into coercion and sex trafficking,” Peter Ellis, acting special agent in charge at the FBI Atlanta office, said in a statement. 

Ford allegedly advertised the victim to targeted athletes, coordinated their travel to coincide with athletes’ known locations, and negotiated payments from the athletes for sex with the victim. Prosecutors said Ford took a financial cut from those commercial sex acts, many of which the victim was coerced into filming without the athletes’ knowledge. 

Ford is also accused of using these videos from the OnlyFans model to engage with additional athletes under false pretenses. When the OnlyFans model resisted filming the sex acts, Ford allegedly coerced them to send him money in lieu of the videos.

In 2019, Ford was sentenced to three years in prison and ordered to pay restitution of almost $700,000 after he pleaded guilty to computer fraud and aggravated identity theft. That scheme, which also ran for about four years, allowed Ford to hack into more than 100 Apple accounts belonging to high-profile professional athletes and rappers. 

Ford was still in prison for those crimes when he allegedly established a new scheme targeting similar victims on some of the same technology platforms.

You can read the indictment below.

The post Zero lessons learned: Convicted scammer allegedly ran another athlete-focused phishing scam from federal prison appeared first on CyberScoop.