Ransomware Negotiator Angelo Martino Pleads Guilty to Aiding BlackCat

Angelo Martino, a former ransomware negotiator, pleaded guilty Monday to helping the ALPHV/BlackCat ransomware gang extort companies while ostensibly working to protect victims. The 41-year-old Florida resident admitted to feeding confidential information to cybercriminals in five separate incidents, including victims’ insurance policy limits and negotiation strategies.

Martino becomes the third ransomware negotiator in the past year to face criminal charges for the same scheme. According to the U.S. Justice Department, he worked for cybersecurity firm DigitalMint while secretly collaborating with the ransomware operators to maximize their payouts in exchange for a cut of the profits.

The Double-Agent Scheme

Martino’s operation began in April 2023 when he started collaborating with ALPHV/BlackCat operators. While companies hired him to negotiate ransom reductions and facilitate recovery, he was simultaneously working to increase the criminals’ profits.

“Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims,” said Assistant Attorney General A. Tysen Duva in the Justice Department announcement. “Instead, he betrayed them and began launching ransomware attacks himself by assisting cyber criminals and harming victims, his own employer, and the cyber incident response industry itself.”

The scheme involved Martino providing sensitive information that only trusted negotiators would typically access:

  • Insurance policy limits of victim organizations
  • Internal negotiation strategies and decision-making processes
  • Financial capacity assessments to determine maximum possible payouts
  • Timeline pressures affecting the victim’s willingness to pay

ALPHV/BlackCat operated as a ransomware-as-a-service (RaaS) platform, where the core gang develops and maintains the malware while affiliates deploy it in attacks and share profits with the developers.

Pattern of Insider Betrayal

Martino’s guilty plea reveals a broader pattern of cybersecurity professionals going rogue. TechCrunch reported that two other DigitalMint employees faced similar charges in the past year.

Kevin Tyler Martin, another DigitalMint employee, and Ryan Clifford Goldberg, a former incident response manager at cybersecurity giant Sygnia, were previously accused of helping the same ransomware gang. At the time, prosecutors mentioned a third unnamed individual who was part of the scheme — now confirmed to be Martino.

This pattern highlights a critical vulnerability in the cybersecurity industry: trusted insiders with access to sensitive victim information can become high-value assets for ransomware operators. The betrayal is particularly damaging because these professionals have legitimate access to confidential information that would be extremely difficult for attackers to obtain through traditional means.

Rising Ransomware Sophistication

The Martino case emerges as ransomware groups demonstrate increasing sophistication in their operations. Check Point Research recently highlighted the rapid rise of “The Gentlemen,” a ransomware-as-a-service outfit that claimed hundreds of victims within months of launching in mid-2025.

The Gentlemen group demonstrates advanced tactics including:

  • Antivirus killers to disable security software
  • Complex infection chains to avoid detection
  • SystemBC malware for covert tunneling and payload delivery
  • Corporate targeting rather than opportunistic consumer attacks

Check Point observed victim telemetry showing a botnet of more than 1,570 victims connected to SystemBC’s command and control server. Comparitech researchers found The Gentlemen claimed 202 attacks last quarter, ranking second only to Qilin’s 353 claims.

Email Attack Evolution

Ransomware operators are also evolving their initial attack vectors beyond traditional technical exploits. Abnormal AI’s 2026 Attack Landscape Report analyzed almost 800,000 email attacks across more than 4,600 organizations, revealing a shift toward exploiting behavioral and organizational weaknesses.

The research shows attackers now target trusted relationships and routine workflows:

  • Phishing accounts for 58% of all email attacks
  • Business email compromise (BEC) comprises 11% of attacks
  • Vendor email compromise (VEC) represents 60% of all BEC attacks
  • More than 20% of phishing attacks use redirect chains to obscure malicious pages

Attackers tailor their tactics to specific industries and roles. File-sharing lures target organizations where document exchange is common, while brand impersonation aligns with the complexity of the target’s software environment.

What This Means

The Martino case exposes a fundamental trust problem in cybersecurity incident response. Organizations facing ransomware attacks must rely on external negotiators and consultants, but these trusted advisors can become attack vectors themselves when compromised or turned.

This insider threat is particularly dangerous because it operates within the legitimate incident response process. Unlike traditional attacks that security teams can detect and block, rogue negotiators exploit their authorized access to sensitive information.

The pattern of multiple cybersecurity professionals at the same firm going rogue suggests systemic vulnerabilities in how the incident response industry vets and monitors its personnel. Organizations may need to implement additional oversight mechanisms when working with external negotiators, including:

  • Dual approval processes for sharing sensitive financial information
  • Background monitoring of negotiators during active incidents
  • Compartmentalized information sharing to limit exposure
  • Independent verification of negotiation recommendations

The rise of sophisticated ransomware groups like The Gentlemen, combined with insider threats like Martino, creates a perfect storm for organizations. As technical defenses improve, attackers increasingly focus on human and procedural vulnerabilities that are harder to detect and prevent.

FAQ

How did Angelo Martino help the BlackCat ransomware gang?
Martino provided confidential information to BlackCat operators while working as a ransomware negotiator for victims, including insurance policy limits and negotiation strategies. He received a cut of the increased ransom payments in exchange for helping maximize the criminals’ profits.

How many cybersecurity professionals have been caught helping ransomware gangs?
At least three cybersecurity professionals have pleaded guilty or been charged with helping ransomware gangs in the past year: Angelo Martino, Kevin Tyler Martin (also from DigitalMint), and Ryan Clifford Goldberg (from Sygnia). All worked in incident response roles with access to sensitive victim information.

What is ransomware-as-a-service and how does it work?
Ransomware-as-a-service (RaaS) is a business model where cybercriminal groups develop and maintain ransomware tools, then rent them to affiliates who conduct the actual attacks. The affiliates pay a percentage of ransom profits back to the RaaS operators, similar to a franchise model.

Digital Mind News

Digital Mind News is an AI-operated newsroom. Every article here is synthesized from multiple trusted external sources by our automated pipeline, then checked before publication. We disclose our AI authorship openly because transparency is part of the product.