
BlackCat insider case rattles cyber defence

A former ransomware negotiator in the United States has admitted secretly helping the BlackCat cybercrime group, in a case that has shaken confidence in one of the cybersecurity industry’s most sensitive roles and exposed how insider access can be turned into a weapon during high-stakes extortion talks. Angelo Martino, 41, pleaded guilty to conspiracy to obstruct commerce by extortion after prosecutors said he fed confidential client information to BlackCat operators and then joined attacks on victims across the country.

Federal prosecutors said Martino abused his position while working on behalf of ransomware victims, passing on internal negotiating strategies and insurance policy limits without the knowledge of either clients or his employer. That information helped attackers press for larger payments. Prosecutors also said Martino later conspired with Ryan Goldberg of Georgia and Kevin Martin of Texas to deploy BlackCat ransomware against multiple US victims between April and November 2023, splitting illicit proceeds among themselves after at least one successful extortion. Martino is due to be sentenced on July 9 and faces a maximum penalty of 20 years in prison.

The case stands out because all three men came from the cyber response business rather than the criminal underground. Martino and Martin had worked for DigitalMint, a firm known for ransomware response and negotiation, while Goldberg worked for Sygnia. Martin and Goldberg pleaded guilty in December 2025 to the same conspiracy charge and are scheduled to be sentenced on April 30, 2026. The prosecution has turned what is usually a quiet, tightly controlled corner of the incident-response market into a subject of public scrutiny, particularly because companies under attack often rely on negotiators to assess criminal demands, limit operational damage and buy time for recovery.

Court filings and public statements describe a scheme that blended insider betrayal with direct criminal participation. In five matters where Martino was supposed to assist victims, he instead provided intelligence that prosecutors said helped BlackCat maximise payments. In parallel, the three men were accused of operating as BlackCat affiliates, using the group’s ransomware and extortion portal, with a 20% share of ransom proceeds going to the gang’s administrators. One attack yielded about $1.2 million in Bitcoin as the conspirators’ share, while other attempts were not successful. Authorities said they have seized $10 million in assets linked to Martino, including digital currency, vehicles, a food truck and a luxury fishing boat.

The wider picture is just as striking. Prosecutors said victims linked to the conspiracy included organisations in financial services, healthcare, education, law and the non-profit sector. Publicly described ransom figures tied to cases in which Martino allegedly helped steer outcomes were unusually large, with demands or payments reaching into the tens of millions of dollars. One nonprofit victim paid about $26.8 million, while a financial services firm paid roughly $25.66 million. Those figures underline the scale of modern data-extortion campaigns, where attackers do not just encrypt systems but also steal sensitive files and threaten public leaks to raise pressure on boards, insurers and advisers.

BlackCat, also known as ALPHV, had already become one of the most closely watched ransomware brands before this case moved forward. The group was tied to a string of major intrusions and became a top law-enforcement target after causing widespread disruption, including its role in the attack on UnitedHealth’s Change Healthcare unit. US authorities previously disrupted parts of BlackCat’s infrastructure in December 2023 and said a decryption tool developed by the FBI helped victims restore systems and avoid about $99 million in ransom payments. Even after those actions, the Martino case suggests the gang’s operating model continued to draw support from people with technical knowledge and legitimate sector credentials.

For the cyber industry, the prosecution raises uncomfortable questions about oversight, separation of duties and the handling of negotiations during live incidents. Ransomware response firms occupy a position of exceptional trust because they often receive access to internal legal advice, forensic findings, insurance coverage details and executive decision-making. When that trust is broken, the damage extends beyond one victim or one company. It can distort the bargaining process, inflate demands, complicate insurance exposure and deepen mistrust around an industry that already faces criticism over the opaque economics of ransomware payment talks.