Ransomware ‘Negotiator’ Faces 20 Years in Prison for Allegedly Betraying His Employers

Filip TRUȚĂ

April 22, 2026

A Florida man who allegedly worked as a ransomware negotiator has pleaded guilty to conspiring with cybercriminals to carry out ransomware attacks against U.S. organizations—while simultaneously advising victims on how to respond.

Key takeaways:

  • A ransomware negotiator has pleaded guilty to secretly working with the BlackCat (ALPHV) ransomware crew
  • He is accused of sharing sensitive client data to help hackers maximize ransom payments
  • The insider also allegedly helped deploy ransomware attacks against victims
  • Authorities seized over $10 million in illicit assets

According to the U.S. Department of Justice, Angelo Martino, 41, abused his role at a cyber incident response firm to help the BlackCat (ALPHV) ransomware group, one of the most notorious ransomware-as-a-service operations in recent years.

His job was to help organizations recover from ransomware attacks. Instead, prosecutors say, he secretly worked with the attackers behind the scenes.

Playing both sides of the negotiation

Between April and November 2023, Martino acted as a negotiator for multiple ransomware victims. During that time, he allegedly leaked highly sensitive information to the attackers, including insurance coverage limits and internal negotiation strategies.

This intelligence allowed cybercriminals to fine-tune their demands and extract higher ransom payments.

Authorities say the attackers paid Martino for this insider access. In some cases, he allegedly went even further—actively participating in ransomware deployments alongside co-conspirators.

In one documented incident, the group extorted roughly $1.2 million in Bitcoin, later splitting and laundering the proceeds.

A broader conspiracy

Court documents say Martino was part of a larger scheme involving other cybersecurity professionals, including a former incident response manager and another ransomware negotiator.

“Martino has admitted to conspiring with Ryan Goldberg of Georgia and Kevin Martin of Texas to successfully deploy BlackCat ransomware between April 2023 and November 2023 against multiple victims located throughout the United States,” according to the U.S. Department of Justice.

“All three men worked in the cybersecurity industry and leveraged their knowledge and skills to commit these crimes,” the department adds. “After successfully extorting one victim for approximately $1.2 million in Bitcoin, the men split their share of the ransom three ways and laundered the funds through various means.”

Law enforcement has seized $10 million worth of assets from Martino, including digital currency, cars, a food truck, and a luxury fishing boat “that Martino obtained using proceeds of the offense or acquired as a result of the offense.”

Guilty plea

Martino pleaded guilty to one count of “conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion.”

He is scheduled to be sentenced on July 9 and faces up to 20 years in prison.

Martin and Goldberg, his co-conspirators, separately entered guilty pleas to the same charge in December 2025, and face the same penalty.

A judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Law enforcement actions against BlackCat operators

The DOJ’s announcement follows prior actions to disrupt the BlackCat ransomware operation, during which the FBI seized several websites operated by the BlackCat ransomware actors and developed a decryption tool that allowed hundreds of victims to restore their systems, saving some $99 million in ransom payments.


Author


Filip TRUȚĂ

Filip has 17 years of experience in technology journalism. In recent years, he has focused on cybersecurity in his role as a Security Analyst at Bitdefender.
