The person a company hires to negotiate down a ransomware demand has to be told everything: what the cyber insurance covers, what the board will pay, how desperate the victim really is. One of those trusted negotiators spent seven months in 2023 handing all of it straight to the gang on the other side of the table.
Angelo Martino, a 41 year old ransomware negotiator at Chicago incident response firm DigitalMint, was sentenced on July 3 to 70 months in federal prison after admitting he secretly worked for the BlackCat (ALPHV) ransomware operation while pretending to fight it on behalf of his employer's clients. According to the U.S. Department of Justice, he pleaded guilty to conspiracy to interfere with interstate commerce by extortion.
How the betrayal worked
Beginning in April 2023, Martino used a private chat channel his employer could not see to relay clients' confidential material to BlackCat's negotiators. He effectively told the attackers what to ask for, including victims' insurance policy limits and their internal deliberations, and took a cut of the proceeds. In one case he informed DigitalMint he was passing along a client's offer while quietly telling the gang the client would actually pay $2 million more. The client paid the extra money.
Five DigitalMint clients whose talks Martino handled paid ransoms of between $213,000 and $26.8 million between April and September 2023, more than $75 million in total. The victims included a hospitality company, a nonprofit, a financial services firm, a retailer and a medical company, all of whom had hired DigitalMint to protect them.
From informant to affiliate
Feeding intelligence to the gang was not the end of it. In May 2023 Martino signed up as a BlackCat affiliate in his own right and shared that access with a second DigitalMint negotiator, Kevin Martin, and Ryan Goldberg, an incident response manager at security firm Sygnia. The three had been plotting since 2022, before DigitalMint even hired Martin. Working together, they deployed BlackCat directly against fresh victims, pocketing $1.2 million from a medical device company alone. Martin and Goldberg were each sentenced to four years in prison in April 2026.
Investigators seized roughly $10 million in assets from Martino, including cryptocurrency, vehicles, a food truck and a luxury fishing boat. A hearing to set how much he must pay in restitution is scheduled for September 17.
Why it matters
BlackCat was one of the most aggressive ransomware crews of its era, notorious for attacking healthcare providers and once publishing stolen breast cancer imaging to pressure a victim. Law enforcement disrupted its infrastructure in December 2023 and the FBI released a decryption tool, but the group's affiliate model outlived the takedown. This case is a reminder that extortion crews recruit from inside the defense industry itself, echoing the insider recruitment that powered groups like LAPSUS$. DigitalMint and Sygnia both say they were unaware of the conspiracy and fired the employees once the Justice Department told them, a claim neither the court nor the evidence disputed, which means standard vetting failed to catch a seven month plot spanning three insiders at two firms.
For defenders, the lesson is to treat incident response vendors as privileged insiders: use segregated communications, log and review negotiator activity, and where possible keep more than one set of eyes on live ransom talks.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.