PROBABLYPWNED
Threat IntelligenceJuly 10, 20264 min read

Ransomware Negotiator Who Fed Intel to BlackCat Gets 70 Months

Angelo Martino leaked client insurance limits and negotiation strategies to the ransomware gang he was hired to negotiate against. Federal court sentences the double agent to nearly six years.

Alex Kowalski

A Florida ransomware negotiator has been sentenced to 70 months in federal prison after prosecutors proved he was secretly feeding victim intelligence to the attackers he was hired to negotiate against. Angelo Martino, 41, of Land O'Lakes, Florida, worked for incident response company DigitalMint while simultaneously helping BlackCat/ALPHV ransomware operators maximize their extortion demands.

The sentence, handed down this week, caps a case that revealed how deeply the ransomware ecosystem can be compromised by insiders with access to victim organizations' most sensitive information.

The Double Agent

Martino represented five ransomware victims as their negotiator between April and November 2023. His job was to communicate with attackers, negotiate lower ransom payments, and help clients navigate incident response. Instead, he passed confidential client information directly to BlackCat operators.

The intelligence included insurance policy limits—critical information for attackers trying to calibrate ransom demands. If attackers know a victim has $5 million in cyber insurance coverage, they can demand exactly that amount rather than risking a lowball demand or asking for more than the victim can realistically pay.

Martino also shared internal negotiation strategies, giving attackers insight into how victims planned to respond and what tactics might convince them to pay faster.

Prosecutors described him as "a double agent working to maximize the harm to his clients."

Co-Conspirators and Broader Scheme

Martino wasn't working alone. Two other cybersecurity professionals pleaded guilty in December 2025 and received four-year sentences in May 2026:

  • Ryan Goldberg, 41, of Georgia, worked as an incident response manager at cybersecurity firm Sygnia
  • Kevin Martin, 36, of Texas, was employed at DigitalMint alongside Martino

The trio didn't just share intelligence—they actively participated in deploying BlackCat ransomware against additional victims. The conspiracy extended beyond their client betrayal into direct attack involvement.

Asset Seizures

Law enforcement seized approximately $10 million in assets connected to the scheme, including cryptocurrency, vehicles, a food truck, and a luxury fishing boat. The seizures suggest the conspirators profited substantially from their arrangement with BlackCat, likely through payment splits on successful extortions.

BlackCat/ALPHV was one of the most prolific ransomware operations until a coordinated law enforcement disruption in December 2023, followed by the gang's apparent exit scam in early 2024. The group claimed over $300 million in ransom payments before shutting down.

Why This Matters

The ransomware industry has professionalized to the point where specialized negotiators exist as a service category. Victims hire firms to handle communications with attackers, assuming those firms will advocate on their behalf. This case demonstrates that assumption isn't always safe.

For organizations evaluating incident response vendors, the case raises uncomfortable questions:

  1. How do you vet negotiators? Background checks won't reveal someone actively collaborating with threat actors
  2. What access do you grant? Negotiators need to understand your financial position, but that same information is weaponizable
  3. How do you compartmentalize? Limiting what any single vendor knows may reduce insider threat exposure

The broader ransomware ecosystem continues to evolve. We've covered AI-assisted ransomware operations that automate parts of the attack chain. Insider access to victim infrastructure and intelligence represents another optimization—one that's harder to detect and defend against.

Legal Precedent

Martino pleaded guilty in April 2026 to conspiring to interfere with interstate commerce through extortion. The 70-month sentence reflects the severity of betraying clients who trusted him during their most vulnerable moments.

The case may deter other potential insiders, though enforcement remains challenging. Proving that a negotiator shared intelligence requires either cooperating witnesses or forensic evidence of communications with threat actors—both difficult to obtain.

For organizations responding to ransomware incidents, our ransomware defense guide covers the fundamentals. But this case is a reminder that technical controls only go so far when humans with legitimate access choose to betray that trust.

The Department of Justice's full press release includes additional details on the charges and sentencing.

Related Articles