
DigitalMint Insider Threat: $75M Lesson for SAMA Banks

A trusted ransomware negotiator betrayed his clients and funneled $75.25M to BlackCat. Here's what SAMA-regulated banks must change in their incident response vendor due diligence today.

FyntraLink Team

When a Saudi bank engages an external incident response firm during a ransomware crisis, it implicitly hands over its most sensitive negotiation leverage: cyber-insurance limits, internal communications, board pressure, and the maximum amount it can afford to pay. The DigitalMint case — unsealed in U.S. federal court on April 30, 2026 — proves that this trust can be weaponized from inside the response vendor itself, with consequences that map directly onto SAMA's third-party risk obligations.

What Actually Happened in the DigitalMint Insider Threat Case

Angelo Martino, a 41-year-old ransomware negotiator employed by Chicago-based DigitalMint, pleaded guilty to conspiring with the BlackCat (ALPHV) ransomware-as-a-service group. Working alongside co-conspirators Ryan Goldberg (an incident responder at cybersecurity firm Sygnia) and Kevin Martin (also at DigitalMint), Martino orchestrated a vertically integrated extortion operation. Goldberg gained initial access. Martin executed the encryption. Martino then "negotiated" on behalf of the very victims his colleagues had attacked — feeding insurance limits and internal redlines into a private BlackCat chat channel. Five clients paid a combined $75.25 million, including a single $25.66 million ransom from a U.S. financial services firm. Goldberg and Martin received four-year federal prison sentences; Martino is set for sentencing in July 2026.

Why Incident Response Vendors Are a Privileged Attack Surface

An incident response retainer grants a third party privileges that no junior employee, no developer, and no SaaS integration ever receives. The IR firm sees raw network traffic during forensics, deploys its own EDR agents across the estate (privileged, persistent code the bank does not control), holds copies of stolen data for chain-of-custody, and, most critically, knows exactly what the victim cannot afford to lose. In a SAMA-regulated bank, that data set extends to customer PII protected under PDPL, transaction histories under SAMA Cyber Security Framework requirements, and SWIFT operational details. Yet most procurement teams vet IR vendors with the same checklist they apply to a stationery supplier: insurance certificate, NDA, references. The DigitalMint case shows that this is structurally insufficient.

The Specific Risks for SAMA-Regulated Financial Institutions

Saudi banks are particularly exposed for three reasons. First, the regional pool of qualified DFIR responders is small, meaning the same individuals rotate across Tier-1 banks and accumulate cross-institutional knowledge. Second, SAMA CSCC Domain 3.3.15 (Cyber Security Event Management) and the upcoming refresh of the SAMA Cyber Resilience Framework expect documented IR playbooks and pre-approved vendors — but say little about how to monitor the integrity of those vendors during an active engagement. Third, NCA ECC control 2-13-3 mandates third-party security but typically focuses on suppliers like cloud and SaaS, not on response retainers that activate only during a breach. PDPL Article 19 obligations on data processors apply equally to an IR firm that handles incident artifacts containing personal data, and a leak by that processor is the bank's regulatory event to report.

The Hidden Failure Mode: Negotiator Kickbacks and Inflated Demands

Beyond outright collusion, financial institutions should consider a quieter variant: negotiators who steer clients toward larger payments to maximize commission or kickbacks. Martino's case is instructive because the public timeline shows a negotiator who never aggressively pushed the threat actor to lower its demand. SAMA-regulated banks rarely audit the chat transcripts between their own negotiators and the threat actor, and almost never benchmark the final payment against published data sets such as the Coveware and Chainalysis quarterly reports. That blind spot is exactly where this kind of fraud lives.
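The two checks this paragraph describes, a pushback audit of the transcript and a benchmark of the final payment, can be reduced to a script that runs at engagement close (see also the transcript audit recommended below). The following is an added example written for this article, not code from DigitalMint, Sygnia or any IR vendor. The transcript lines, the 80% first-offer threshold and the benchmark discount value are constructed placeholders; the benchmark should be replaced with the current Coveware or Chainalysis median for the victim's sector.

```python
"""Audit a ransomware negotiation transcript for weak pushback and leakage.

Added example for this article, not code from DigitalMint, Sygnia or any IR
vendor. The transcript, thresholds and benchmark value are constructed
placeholders; replace the benchmark with the current Coveware/Chainalysis figure.
"""
import re
from dataclasses import dataclass, field

# Constructed sample transcript; roles are "actor" (threat actor) and "negotiator".
SAMPLE_TRANSCRIPT = """\
actor: Your network is encrypted. Price is $10,000,000 in BTC.
negotiator: Received. We are reviewing with leadership.
actor: You have 72 hours before we publish.
negotiator: Our cyber insurance will cover most of this. Leadership approves $9,500,000.
actor: Accepted. Wallet details follow.
"""

# Matches "$10,000,000", "$1.5M", "$250k", "$5 million"; the trailing \b keeps
# "$5 more" from being read as five million.
MONEY_RE = re.compile(
    r"\$\s?([0-9][0-9,]*(?:\.[0-9]+)?)(?:\s*(million|thousand|m|k))?\b", re.I)
MULT = {None: 1, "m": 1e6, "million": 1e6, "k": 1e3, "thousand": 1e3}
# Terms a negotiator must never type into a channel the threat actor can read.
LEAK_RE = re.compile(r"\b(insurance|policy limit|coverage|board approved|maximum)\b", re.I)
WEAK_FIRST_OFFER = 0.80  # assumption: a first counteroffer >= 80% of demand is a red flag


@dataclass
class AuditResult:
    initial_demand: float
    final_payment: float
    negotiator_offers: list
    counteroffers_below_demand: int
    discount_pct: float
    flags: list = field(default_factory=list)


def parse_amounts(text):
    """Return every dollar figure in text as a float, with suffixes expanded."""
    out = []
    for num, suffix in MONEY_RE.findall(text):
        out.append(float(num.replace(",", "")) * MULT[suffix.lower() if suffix else None])
    return out


def audit(transcript, final_payment, benchmark_median_discount_pct):
    """Parse "<role>: <message>" lines and score the negotiator's conduct."""
    demands, offers, flags = [], [], []
    below = 0
    for line in transcript.splitlines():
        if ":" not in line:
            continue
        role, msg = line.split(":", 1)
        role = role.strip().lower()
        amounts = parse_amounts(msg)
        if role == "actor":
            demands.extend(amounts)          # each actor figure is the current demand
        elif role == "negotiator":
            if LEAK_RE.search(msg) and "negotiator_mentions_insurance_or_limits" not in flags:
                flags.append("negotiator_mentions_insurance_or_limits")
            for amt in amounts:
                offers.append(amt)
                if demands and amt < demands[-1]:
                    below += 1               # a genuine counteroffer, not an acceptance
    if not demands:
        raise ValueError("transcript contains no actor demand")
    initial = demands[0]
    discount = round((1 - final_payment / initial) * 100, 2)
    if not offers:
        flags.append("no_counteroffer")
    elif offers[0] >= WEAK_FIRST_OFFER * initial:
        flags.append("first_offer_at_or_above_80pct_of_demand")
    if discount < benchmark_median_discount_pct:
        flags.append("discount_below_benchmark")
    return AuditResult(initial, final_payment, offers, below, discount, flags)


if __name__ == "__main__":
    result = audit(SAMPLE_TRANSCRIPT, final_payment=9_500_000,
                   benchmark_median_discount_pct=40.0)  # 40.0 is a placeholder, not a published median
    print(result)
```

Any flag should go to the board cyber committee with the transcript attached; the script only makes the deviation visible, it does not decide whether the negotiator acted in bad faith.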

Recommendations and Practical Steps for Saudi CISOs

  1. Dual-vendor incident response retainers. Engage two unaffiliated IR firms on retainer. Activate one for forensics and the other, with no commercial connection to the first, for negotiation oversight. Collusion then requires an insider in each of two unrelated firms rather than in one.
  2. Mandatory background re-screening for IR personnel. Contractually require annual fresh background checks (criminal, financial, sanctions) for every named responder who can access your environment, not just at onboarding.
  3. Out-of-band negotiation channel ownership. The Tor portal or chat channel with the threat actor must be controlled by your CISO or external counsel, never by the IR vendor alone. Maintain read-only access for an independent observer throughout the negotiation.
  4. Never pre-disclose insurance limits. Insurance policy limits should not appear in any IR firm's case file or shared workspace until after a payment decision is approved by the board cyber committee.
  5. Telemetry on responder workstations. Where contractually possible, require that any device touching your incident data is enrolled in your EDR with full visibility, including outbound DNS to domains outside the engagement's business allowlist.
  6. SAMA-aligned vendor incident reporting clauses. Update IR contracts so that any criminal investigation, indictment, or regulatory action against the vendor's employees triggers disclosure to you within 24 hours, mirroring SAMA CSCC reporting timelines.
  7. Threat-actor chat log audit at engagement close. After every IR engagement, review the full negotiation transcript and benchmark the final ransom against industry medians. Significant deviations warrant escalation.
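Recommendation 5 is the one a SOC can operationalize immediately. The following is an added example for this article, not code from any EDR product or IR vendor: it reviews DNS telemetry from responder workstations against the engagement's business allowlist and flags both non-allowlisted queries and labels that look like encoded exfiltration. The log format (timestamp, host, query name), host names, domains and the 30-character label threshold are constructed for the example; adapt the parser to your EDR's DNS event schema.

```python
"""Review DNS telemetry from responder workstations against an allowlist.

Added example for this article; not code from any EDR product or IR vendor.
The log format (timestamp host qname), host names, domains and thresholds are
constructed for the example; adapt the parser to your EDR's DNS event schema.
"""
import re
from collections import namedtuple

Alert = namedtuple("Alert", "ts host qname reasons")

# Constructed sample telemetry: one query per line, space-separated fields.
SAMPLE_DNS_LOG = """\
2026-05-01T09:00:01Z ir-laptop-07 edr.vendor-example.com
2026-05-01T09:00:05Z ir-laptop-07 mail.bank-example.sa
2026-05-01T09:01:10Z ir-laptop-07 sync.consumer-share-example.net
2026-05-01T09:02:33Z ir-laptop-07 a3f9c2e1b7d4e6f8a1b2c3d4e5f6a7b8.tunnel-example.org
2026-05-01T09:03:00Z hr-desktop-12 sync.consumer-share-example.net
"""

# Devices the IR contract enrolled in the bank's EDR (constructed names).
RESPONDER_HOSTS = {"ir-laptop-07", "ir-laptop-08"}
# Bank, EDR vendor and IR firm domains agreed at engagement start (constructed).
ALLOWED_DOMAINS = {"bank-example.sa", "vendor-example.com", "ir-firm-example.com"}
LONG_LABEL = 30  # assumption: labels this long are rare outside CDNs and DNS tunnels
HEX_BLOB = re.compile(r"^[0-9a-f]{24,}$", re.I)  # hex-encoded data chunk in a label


def is_allowed(qname, allowed):
    """True if qname is an allowlisted domain or a subdomain of one.

    The leading "." in the suffix check stops "evil-bank-example.sa" from
    matching "bank-example.sa".
    """
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in allowed)


def review_dns(log_text, responder_hosts=RESPONDER_HOSTS, allowed=ALLOWED_DOMAINS):
    """Return an Alert for every out-of-policy query from a responder device."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, host, qname = parts
        if host not in responder_hosts:
            continue  # other endpoints fall under the bank's normal DNS policy
        if is_allowed(qname, allowed):
            continue
        reasons = ["not_allowlisted"]
        first_label = qname.split(".")[0]
        if len(first_label) >= LONG_LABEL or HEX_BLOB.match(first_label):
            reasons.append("long_or_encoded_label")  # possible tunnel or exfil
        alerts.append(Alert(ts, host, qname, reasons))
    return alerts


if __name__ == "__main__":
    for alert in review_dns(SAMPLE_DNS_LOG):
        print(alert)
```

An alert on a responder device is not proof of wrongdoing (responders legitimately reach threat-intel and sandbox services), so the allowlist should be agreed with the vendor at activation and every exception logged; what matters is that the bank, not the vendor, holds the record.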

Conclusion

The DigitalMint case is not an exotic outlier — it is the predictable result of a market structure that grants extraordinary trust to a small group of responders during a victim's worst week. Saudi banks operating under SAMA CSCC, NCA ECC, and PDPL should treat their incident response retainers as Tier-1 critical suppliers, with continuous due diligence, dual-vendor architectures, and audit trails that survive the engagement. The cost of getting this wrong is not theoretical: it is now a documented $75 million number with federal indictments attached.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment.