The U.S. Department of Justice has unsealed a guilty plea from 41-year-old Angelo Martino, a former ransomware negotiator who covertly funneled client intelligence to the BlackCat (ALPHV) ransomware group to inflate ransom demands. Martino conspired with two incident response specialists to deploy BlackCat across multiple U.S. companies in 2023, with one extortion event netting $1.2 million in Bitcoin. Authorities have seized over $10 million in assets, including cryptocurrency, vehicles, a yacht, and a food truck.

What Happened

Martino, employed as a professional ransomware negotiator, represented at least five victim organizations during 2023 incident response engagements. Rather than acting in his clients' interests, he secretly coordinated with BlackCat operators, leaking confidential internal information that allowed the threat actors to fine-tune their extortion strategy. He has pleaded guilty to conspiracy to commit extortion and is scheduled for sentencing on July 9, 2026, facing up to 20 years in prison. Co-conspirators Ryan Goldberg and Kevin Martin, both incident response specialists, have also entered guilty pleas.

What Was Taken

The leaked information was strategic rather than technical, but devastating to victims at the negotiation table. Martino disclosed cyber insurance coverage limits, internal negotiation playbooks, victim financial tolerances, and the maximum payout thresholds clients were willing to authorize. Armed with this insight, BlackCat operators tailored ransom demands to the precise upper boundary of what each victim could pay. In parallel, Martino, Goldberg, and Martin actively deployed BlackCat ransomware against additional U.S. companies between April and November 2023, generating illicit proceeds laundered through cryptocurrency and physical assets.

Why It Matters

This case exposes a systemic trust failure inside the ransomware response ecosystem. Negotiators and incident responders sit at the most sensitive point of a breach, with privileged access to insurance policies, board-level financial limits, and forensic findings. A single corrupt insider can turn a routine incident into a payout pushed to the victim's maximum, and the victim has no realistic way to detect the betrayal in real time. For insurers, this raises hard questions about how coverage details are shared during active negotiations. For CISOs, it forces a reassessment of which third parties truly need access to financial ceilings during a live extortion event.

The Attack Technique

The "intrusion" was a human one. Martino abused legitimate access granted by his employer and clients during active engagements, exfiltrating sensitive negotiation context through out-of-band communication with BlackCat affiliates. In the parallel deployment scheme, the trio leveraged their professional knowledge of victim environments and defensive blind spots to stage BlackCat ransomware attacks themselves and then profit from the response cycle. The scheme combined insider abuse, double-dealing during negotiation, and direct ransomware affiliate activity into a single revenue pipeline, with proceeds laundered into cryptocurrency, vehicles, a food truck, and a yacht later seized by federal authorities.

What Organizations Should Do

Sources: Betrayal in the Ranks: U.S. Ransomware Negotiator Leaked Sensitive Data to BlackCat to Inflate Ransom Demands