The negotiator was the leak: insider who betrayed ransomware victims gets 70 months

A former ransomware negotiator who secretly provided BlackCat actors with confidential information about his own clients was sentenced July 9 to 70 months in federal prison. Court records reviewed by CyberScoop show that five organizations he represented paid a combined $75.3 million in ransoms.

The man hired to talk the criminals down was, in effect, working both sides of the table.

Angelo John Martino III, 41, of Land O’Lakes, Florida, worked as a negotiator for DigitalMint, a firm that companies retain in the worst hours of a cyberattack to communicate with extortionists and, ideally, drive the price down. Beginning in April 2023, according to the Justice Department, Martino did the opposite. While representing five U.S. victims in active BlackCat negotiations, he passed the attackers the two things no extortionist should ever see: the victims’ insurance policy limits and their internal negotiating positions.

The BlackCat actors paid him for it.

A double agent inside the negotiation

Federal prosecutors described Martino in a sentencing memorandum as a “double agent working to maximize the harm to his clients and the financial gain to cybercriminals who paid him a part of the ransom.” The memo, quoted by CyberScoop, added: “This was not a crime of opportunity or momentary weakness; it was a sustained abuse of a fiduciary-like relationship driven by a single purpose: greed.”

All five victims paid. According to CyberScoop’s review of court records, a nonprofit paid nearly $26.8 million, a financial services company paid nearly $25.7 million, and a hospitality company paid almost $16.5 million; the remaining two victims paid $6.1 million and $213,000. The combined total reached $75.3 million.

Court records quoted by CyberScoop show how the back channel worked. During one engagement, Martino told a BlackCat affiliate that the victim’s insurance carrier “was only approving small accounts,” then wrote: “Keep denying our offers, and I will let you know once I find out the max they want to pay.” The hospitality industry victim in that negotiation ultimately paid a ransom worth almost $16.5 million.

“Angelo Martino’s victims shared heartbreaking accounts of how their businesses were nearly destroyed, while the people they hired to help them instead betrayed them to ransomware gangs,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division.

“He was hired to help victims in a moment of crisis,” said U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida, who added that the case “sends a clear message: we will pursue the hackers who deploy ransomware, the insiders who enable them, and the money they steal from American victims.”

From back channel to attack crew

Martino did not stop at selling information. CyberScoop, citing prosecutors, reported that he obtained an ALPHV/BlackCat affiliate account. According to the Justice Department, he then conspired with two other cybersecurity professionals, fellow DigitalMint negotiator Kevin Martin of Texas and Sygnia incident response manager Ryan Goldberg of Georgia, to deploy the ransomware against additional U.S. companies between April and November 2023.

The three men agreed to pay BlackCat’s administrators a 20 percent cut of any ransoms in exchange for access to the ransomware and its extortion platform, the department said. One victim, a medical company, paid about $1.2 million in bitcoin; the conspirators split their share and laundered the proceeds. Four other targets refused to pay.

Goldberg and Martin pleaded guilty in December 2025 and received four-year prison sentences this spring; the Justice Department releases list the sentencing date as April 30 in one announcement and May 1 in another. Goldberg tried to flee prosecution, and the FBI tracked him through 10 countries before he faced justice, Assistant Director Brett Leatherman of the FBI’s Cyber Division said at the time.

Martino surrendered in March, pleaded guilty on April 14 to one count of conspiracy to interfere with interstate commerce through extortion under the Hobbs Act, and faced up to 20 years. As of the July 9 sentencing, law enforcement had seized $10 million in assets from him, the department said, including cryptocurrency, vehicles, a food truck and a luxury fishing boat; CyberScoop reported the seizures also include a bayfront home valued at about $1.68 million and a second house. A hearing to set restitution is scheduled for Sept. 17.

“Angelo Martino sold out the very victims he was hired to represent, handing their confidential negotiating positions to BlackCat actors to drive up ransoms and enrich himself,” Leatherman said in a statement on the sentencing.

What DigitalMint says happened

The Justice Department’s releases describe Martino’s employer only as a U.S.-based cyber incident response company; CyberScoop identified the firm as DigitalMint, and the company has responded on the record. DigitalMint said it had no knowledge of the scheme. “The actions of Martino and his co-conspirators were deliberately concealed from DigitalMint and were in clear violation of the company’s values, ethical standards and the law,” a company spokesperson said in a statement to CyberScoop.

The company said it maintained industry-standard controls, including background checks, and that Martino used unauthorized side channels visible only to him and the BlackCat negotiators. DigitalMint said it terminated Martino and cut his system access when the Justice Department disclosed its investigation in April 2025. The company declined to say whether it refunded fees to affected clients, citing confidentiality obligations.

Why breach counsel should treat this as a control failure

For the lawyers, insurers and forensic teams who assemble ransomware response, the case lands as a supply-chain integrity problem, not a curiosity. The information Martino sold, policy limits and negotiation strategy, is exactly the information that flows freely among counsel, carriers, brokers and negotiators during an incident. The case gives breach counsel concrete reasons to narrow that flow: share coverage limits with a negotiation firm only when the negotiation plan requires it, insist that all threat-actor communications run through logged, firm-controlled channels, and write audit rights, personnel disclosure and conflict screening into negotiation retainers before an incident, not during one. Carriers and brokers have the same homework; the fewer people who can see a policy limit during a live extortion, the less that limit is worth to an attacker.

The case carries a discovery dimension, too. Negotiation traffic, and the internal deliberations behind it, can surface in follow-on litigation, regulatory inquiries and coverage disputes. Routing negotiator engagements through outside counsel may strengthen applicable privilege arguments when the work is genuinely performed to facilitate legal advice; separately documenting who accessed negotiation information creates an audit trail that can support later litigation, regulatory review and coverage analysis, the trail a Martino-style betrayal would otherwise erase.

Retention agreements deserve a second look as well. Organizations should determine whether their engagement letters for negotiation services expressly address employee integrity monitoring, dual-control review of negotiation traffic and a provider’s duty to disclose government investigations involving assigned personnel. After a case in which prosecutors say a negotiator ran the other side of his own negotiations, any such omission looks less like a boilerplate gap and more like unpriced risk.

The sentencing caps what security press coverage has described as a rare documented instance of U.S. incident-response insiders joining the ransomware economy they were paid to fight. BlackCat itself collapsed after a December 2023 disruption in which the FBI developed a decryption tool that the department says saved victims about $99 million in ransom payments. The insiders who abused its platform from within the response industry are now all headed to federal prison.

When the next ransom demand arrives, most organizations will still need a negotiator. The question this case leaves for every general counsel and CISO is a narrower one: who is watching the person you hired to watch the criminals?


News sources


Assisted by GAI and LLM technologies

Source: HaystackID published with permission from ComplexDiscovery OÜ

Advisor Note: This case highlights a critical reality of modern cyber incident response: organizations must be able to trust not only their technology, but also the people and processes supporting them. HaystackID’s Cyber Discovery and Cybersecurity Services help organizations strengthen preparedness, investigate incidents, and respond to cyber threats through digital forensics, ransomware response support, insider threat investigations, and data governance expertise. By combining cybersecurity and legal data intelligence capabilities, HaystackID helps organizations navigate complex cyber events with confidence. Learn more at HaystackID.com.

Sign up for our Newsletter

Stay up to date with the latest updates from Newslines by HaystackID.

Email
Success! You are now signed up for our newsletter.
There has been some error while submitting the form. Please verify all form fields again.