3 min read

The ransomware negotiator who was working for the other side

Graham CLULEY

July 13, 2026

The ransomware negotiator who was working for the other side

When a company falls victim to a ransomware attack, it is not uncommon for it to turn to experts for help.

Specialist ransomware negotiation firms handle communications with criminal gangs on a victim's behalf. They know how the ransomware gangs operate, how to buy time, and how to push back on extortionate demands. They can help manage the technical side of any payment if needed, and help a corporate victim assess whether decryptors actually work.

What victims don't expect is that their trusted negotiator might be separately sharing details of the victim's cyber-insurance policy and negotiation strategy directly with the attackers themselves.

That's precisely what Florida man Angelo John Martino III did, and last week a federal judge sentenced him to 70 months in prison for it.

41-year-old Martino worked as a ransomware negotiator for DigitalMint, an incident response company based in Chicago. His job was to negotiate on behalf of organisations who had been held to ransom by ransomware attacks.

However, starting in April 2023, Martino started to live a double life. Unknown to his employer or clients, Martino was feeding information to the BlackCat (also known as ALPHV) ransomware group through a hidden tab within the same BlackCat negotiation panel he used for his legitimate work.

In exchange for a cut of the ransom payment, Martino fed the criminals everything they wanted: victims' insurance policy limits, their internal negotiating positions, and their financial circumstances.

On one occasion, Martino secretly tipped off a BlackCat affiliate that the victim's insurance company had only approved a limited payout.

In the official negotiation chat - visible to both DigitalMint and the victim - he acted the role of concerned intermediary with aplomb. However, behind the scenes, the gang already knew exactly what they could extract.

The BlackCat operator's response in the official negotiation chat was clear: "We know how much you can pay. Contact your insurance. We know about them also."

The ransomware victim, a hospitality company, ultimately paid out nearly US $16.5 million.

In total, five of Martino's clients collectively made more than US $75.3 million in ransom payments between April and September 2023. This included a non-profit organisation that paid nearly US $26.8 million, and a financial services company that paid nearly US $25.7 million - each payment likely inflated due to the information Martino shared with the extortionists.

But that wasn't the limit of Martino's wrongdoing, because he and two colleagues (Kevin Martin, another DigitalMint negotiator, and Ryan Goldberg, an incident response manager at cybersecurity firm Sygnia) deployed BlackCat ransomware against more victims themselves.

The trio kept 80% of ransoms and paid 20% to the BlackCat gang, as affiliates - successfully extorting US $1.2 million from a medical device company.

In April 2026, Goldberg and Martin were both sentenced to four years in prison.

Martino spent the cryptocurrency proceeds of his criminal activity on two Florida properties, a boat, and several vehicles. Authorities say that they have seized US $10 million of his assets, and a hearing in September will determine what other restitution he will have to make.

"Angelo Martino sold out the very victims he was hired to represent, handing their confidential negotiating positions to BlackCat actors to drive up ransoms and enrich himself," said Assistant Director Brett Leatherman of the FBI Cyber Division. “[The] sentence demonstrates that the FBI will pursue not just the criminals who deploy ransomware, but the insiders who enable them. Working with our partners, the FBI will find those who betray that trust and hold them accountable.”

US authorities have described DigitalMint as an "unknowing victim," and said that Martino deliberately concealed what he was doing from his employer. The company has since changed the way its negotiators communicate with ransomware gangs, and is working with the Department of Homeland Security to establish a registry for the currently highly-unregulated world of ransomware negotiation.

tags


Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like

Bookmarks


loader