Angelo Martino, a former ransomware negotiator at cybersecurity firm DigitalMint, pleaded guilty Monday to helping the ALPHV/BlackCat ransomware gang extort companies while ostensibly working to protect victims. The 41-year-old Florida resident admitted to feeding confidential information to cybercriminals in five separate incidents during 2023, including victims’ insurance policy limits and negotiation strategies.
According to the U.S. Justice Department announcement, Martino worked both sides of ransomware negotiations to maximize criminal payouts in exchange for a cut of the proceeds. He becomes the third ransomware negotiator in the past year to face federal charges for the same scheme.
The Double-Agent Scheme
Martino’s operation involved systematic betrayal of his cybersecurity clients. While DigitalMint paid him to negotiate with ransomware operators on behalf of attack victims, he secretly collaborated with the ALPHV/BlackCat gang starting in April 2023.
The scheme worked by exploiting Martino’s privileged access to sensitive victim information. As a legitimate negotiator, he could review insurance policies, assess financial capabilities, and understand negotiation strategies. TechCrunch reported that he then passed this intelligence directly to the ransomware operators, enabling them to demand higher ransoms with a greater chance of success.
“Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims,” said Assistant Attorney General A. Tysen Duva in the Justice Department press release. “Instead, he betrayed them and began launching ransomware attacks himself by assisting cyber criminals.”
Pattern of Insider Collaboration
Martino’s guilty plea reveals a disturbing trend of cybersecurity professionals turning against their own industry. Last year, prosecutors charged two other ransomware negotiators in similar schemes: Kevin Tyler Martin, another DigitalMint employee, and Ryan Clifford Goldberg, a former incident response manager at cybersecurity giant Sygnia.
The ALPHV/BlackCat operation functioned as ransomware-as-a-service (RaaS), where core developers maintain the malware infrastructure while affiliates deploy attacks and share profits. This business model creates opportunities for corrupt insiders to maximize returns by providing intelligence from both sides of negotiations.
Authorities had previously mentioned a third unnamed individual connected to the scheme. Martino’s guilty plea confirms he was that third conspirator, completing the picture of a coordinated effort to subvert ransomware response operations from within the cybersecurity industry.
Rising Ransomware Sophistication
The Martino case emerges amid escalating ransomware threats and increasingly sophisticated attack methods. Check Point Research this week highlighted the rapid rise of “The Gentlemen,” a new ransomware gang that claimed 202 attacks in the last quarter alone.
The Gentlemen, which emerged in mid-2025, operates with sophisticated tactics including antivirus killers and complex infection chains. Check Point observed a botnet of more than 1,570 victims connected to the gang’s SystemBC malware, described as “proxy malware frequently leveraged in human‑operated ransomware operations for covert tunneling and payload delivery.”
Comparitech researchers ranked The Gentlemen second only to the Qilin gang in quarterly attack claims, while NCC Group tracked 34 attacks in January and 67 in February. The rapid scaling demonstrates how quickly new ransomware operations can achieve significant impact.
Evolving Attack Tactics Beyond Technical Exploits
Ransomware groups are increasingly moving beyond technical vulnerabilities to exploit behavioral and organizational weaknesses. Abnormal AI’s 2026 Attack Landscape Report analyzed almost 800,000 email attacks across more than 4,600 organizations, revealing a strategic shift toward targeting trusted relationships and routine workflows.
Phishing remains the dominant attack vector at 58% of incidents, but attackers now tailor tactics to specific industries and roles. File-sharing lures concentrate on sectors where document exchange is common, while brand impersonation aligns with targets’ software environments.
Business email compromise (BEC) accounts for 11% of attacks but can have a higher impact. More than 60% of BEC attacks involve vendor email compromise (VEC), which exploits established business relationships to bypass security awareness.
What This Means
The Martino case exposes a critical vulnerability in the cybersecurity industry’s response infrastructure. When ransomware negotiators themselves become threat actors, it undermines the fundamental trust relationships that enable effective incident response.
This insider threat problem extends beyond individual bad actors to systemic issues in how the cybersecurity industry handles sensitive victim information. The fact that three negotiators from major firms participated in similar schemes suggests inadequate oversight and control mechanisms.
For organizations facing ransomware attacks, the case highlights the importance of carefully vetting incident response providers and implementing controls to prevent information sharing with unauthorized parties. The traditional model of trusting cybersecurity professionals with unlimited access to sensitive negotiation details may require fundamental restructuring.
FAQ
How common are corrupt ransomware negotiators?
While three cases have emerged in the past year, the actual prevalence remains unknown. The Justice Department’s prosecutions suggest this may be a broader problem requiring industry-wide attention to insider threat controls.
What information do ransomware negotiators typically access?
Negotiators routinely review insurance policy limits, financial statements, business continuity plans, and negotiation strategies. This privileged access makes them valuable assets for ransomware operators seeking to maximize payouts.
How can organizations protect themselves from corrupt negotiators?
Organizations should implement information compartmentalization, require multiple approval levels for sensitive disclosures, and conduct thorough background checks on incident response providers. Consider using multiple negotiators from different firms to prevent single points of failure.
Sources
- ‘The Gentlemen’ Rapidly Rises to Ransomware Prominence – Dark Reading
- Ransomware negotiator pleads guilty to helping ransomware gang – TechCrunch
- Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 – The Hacker News
- Third US Security Expert Admits Helping Ransomware Gang – SecurityWeek






