Angelo Martino, a 41-year-old ransomware negotiator from Land O’Lakes, Florida, pleaded guilty Monday to helping the ALPHV/BlackCat ransomware gang extract higher payouts from victims while ostensibly working to defend them. The U.S. Justice Department announced that Martino admitted to betraying five different clients by feeding confidential information to cybercriminals during 2023 attacks.
Martino worked for cybersecurity firm DigitalMint, where he was hired to negotiate on behalf of ransomware victims. Instead, according to prosecutors, he provided BlackCat operators with sensitive details including insurance policy limits and negotiation strategies to maximize criminal payouts, taking a cut of the proceeds.
Third Security Professional to Face Charges
Martino becomes the third ransomware negotiator in the past year to face jail time for the same scheme. TechCrunch reported that U.S. prosecutors previously charged Kevin Tyler Martin, another DigitalMint employee, and Ryan Clifford Goldberg, a former incident response manager at cybersecurity giant Sygnia, with similar betrayals of their ransomware victim clients.
The Justice Department had previously mentioned a third unnamed individual involved in the scheme. Martino’s guilty plea confirms he was that third conspirator working with the BlackCat ransomware-as-a-service operation.
“Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims,” said Assistant Attorney General A. Tysen Duva in the press release. “Instead, he betrayed them and began launching ransomware attacks himself by assisting cyber criminals and harming victims, his own employer, and the cyber incident response industry itself.”
BlackCat’s Ransomware-as-a-Service Model
ALPHV/BlackCat operated as a ransomware-as-a-service platform, where the core gang develops and maintains file-locking malware while contractors working as affiliates deploy it in cyberattacks. The affiliates pay back a portion of ransom profits to the developers, creating a criminal ecosystem that Martino helped optimize from the inside.
The scheme highlights a critical vulnerability in the cybersecurity industry: trusted intermediaries with access to sensitive victim information can become insider threats. Ransomware negotiators typically gain deep access to victim organizations’ financial capabilities, insurance coverage, and strategic decision-making processes.
Rising Ransomware Sophistication
Martino’s case emerges as ransomware groups demonstrate increasing sophistication in their operations. Dark Reading reported that a newer gang called “The Gentlemen” has claimed hundreds of victims since emerging in mid-2025, using advanced tactics including antivirus killers and complex infection chains.
Check Point Research found that The Gentlemen operates a botnet of more than 1,570 victims, with infection profiles suggesting “a focus on corporate and organizational environments rather than opportunistic consumer targeting.” Comparitech researchers noted the group claimed 202 attacks last quarter, ranking second only to the Qilin ransomware gang’s 353 claims.
Email Attack Evolution
Meanwhile, email-based attacks are shifting toward exploiting behavioral and organizational weaknesses rather than technical vulnerabilities. According to Abnormal AI’s 2026 Attack Landscape Report, analysis of nearly 800,000 email attacks across more than 4,600 organizations shows attackers targeting trusted relationships and routine workflows.
Phishing remains the dominant attack method at 58% of all incidents, while business email compromise (BEC) accounts for 11%. Vendor email compromise, a BEC subtype, represents more than 60% of all BEC attacks. More than 20% of phishing attacks now use redirect chains to obscure malicious pages from security tools.
Industry Trust Erosion
The revelation of multiple corrupt ransomware negotiators threatens to undermine trust in the cybersecurity incident response industry. Organizations facing ransomware attacks rely heavily on external expertise to navigate complex negotiations with criminal groups, making the betrayal particularly damaging.
The cases demonstrate how ransomware economics create perverse incentives for industry insiders. With ransoms often reaching millions of dollars, the potential cuts for corrupt negotiators can exceed their legitimate salaries by substantial margins.
What This Means
Martino’s guilty plea exposes a fundamental weakness in ransomware response: the people hired to help victims can become the most dangerous threats. His case, along with two other corrupt negotiators, suggests this may be a systemic problem rather than isolated incidents.
The cybersecurity industry must implement stronger oversight and verification mechanisms for incident response professionals. Organizations should consider requiring multiple negotiators, implementing audit trails for sensitive communications, and establishing independent verification of negotiation strategies.
As ransomware groups like The Gentlemen demonstrate increasing sophistication and email attackers shift toward behavioral exploitation, the corruption of trusted defenders represents a critical escalation in cyber threats. The financial incentives driving these betrayals will likely persist as long as ransomware remains profitable.
FAQ
What sentence does Martino face for his guilty plea?
The Justice Department has not yet announced Martino’s sentencing details. Federal charges for conspiracy to commit computer fraud and extortion typically carry significant prison terms, potentially ranging from several years to over a decade depending on the financial damages involved.
How did authorities discover Martino’s scheme?
The Justice Department has not disclosed specific investigative methods, but the case appears connected to broader law enforcement efforts targeting the ALPHV/BlackCat ransomware operation. Prosecutors likely uncovered Martino’s involvement through digital forensics, financial transaction analysis, or cooperating witnesses from the previous cases.
Are there safeguards to prevent corrupt ransomware negotiators?
Currently, the ransomware negotiation industry lacks standardized oversight or certification requirements. Organizations should implement multi-person negotiation teams, independent verification of strategies, and audit trails for all communications with both victims and attackers to reduce the risk of insider betrayal.
Sources
- ‘The Gentlemen’ Rapidly Rises to Ransomware Prominence – Dark Reading
- Ransomware negotiator pleads guilty to helping ransomware gang – TechCrunch
- Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 – The Hacker News
- Third US Security Expert Admits Helping Ransomware Gang – SecurityWeek
