The DOJ has unsealed charges against Angelo John Martino III, a former ransomware negotiator at DigitalMint, accusing him of conducting at least 10 ransomware attacks while simultaneously negotiating ransom payments on behalf of five of his own victims. Total extortion across his conspiracy: $75.25 million. This is the second DigitalMint employee charged in the same scheme; and it exposes a systemic insider threat vector the industry has largely ignored.

What Happened

Martino, 41, of South Florida, allegedly obtained an affiliate account on ALPHV/BlackCat and conspired with former cybersecurity professionals to breach victim networks, exfiltrate and encrypt data, and extort ransom payments across a six-month window in 2023.

Five of Martino's victims hired DigitalMint for incident response; and DigitalMint assigned Martino to negotiate on their behalf. He was, in effect, negotiating ransoms with himself and his co-conspirators while holding full access to victim communications, negotiation strategy, and financial limits.

Prosecutors allege Martino fed confidential negotiation intelligence, including how much victims were willing to pay, back to his ALPHV co-conspirators to maximize ransom extraction. All five victims paid.

Martino was the unnamed co-conspirator in a November 2025 indictment against Kevin Tyler Martin (former DigitalMint negotiator) and Ryan Clifford Goldberg (former incident response manager at Sygnia). Both Martin and Goldberg pleaded guilty in December 2025 and are scheduled for sentencing April 30.

DigitalMint suspended Martino's access on April 3 after DOJ notification and terminated him the next day. The company is not accused of knowledge or involvement.

What Was Taken

Victim data types are not fully enumerated in public court records, but the confirmed victim profile spans:

• A nonprofit organization
• Companies in hospitality, financial services, retail, and medical industries

All five victims that engaged DigitalMint paid ransom. Given the ALPHV double-extortion model, encrypt and exfiltrate before demanding payment, stolen data likely includes sensitive financial records, patient/client PII, and internal operational data across all five organizations. Volume not yet disclosed.

Why It Matters

This isn't a supply chain attack or a zero-day exploit; it's a deliberate insider corruption of the incident response ecosystem itself. The threat model here is one defenders rarely account for: the responder as the adversary.

Key strategic implications:

• The IR firm engagement surface is now a confirmed attack vector. Martino's access to victim negotiation strategy gave ALPHV a real-time intelligence feed during active incidents.
• ALPHV affiliate infrastructure was used by credentialed incident responders. This suggests ransomware-as-a-service affiliate programs have successfully recruited from within the defensive security industry.
• Two DigitalMint employees in the same scheme signals possible systemic recruitment, not a lone-wolf anomaly. The industry should treat IR firm vetting as a security control, not an administrative formality.
• Confidential negotiation data as an attack amplifier is a novel and underappreciated risk. Victims who disclosed payment thresholds to their negotiator may have directly inflated their own ransom.

The Attack Technique

Martino and co-conspirators used a three-phase approach:

1. Initial access: Network intrusion methods not yet fully detailed in public court records, but consistent with ALPHV affiliate TTPs (phishing, credential stuffing, VPN exploitation).
2. Double extortion: Data exfiltration followed by encryption, standard ALPHV playbook.
3. Negotiation manipulation: The novel layer: Martino leveraged his DigitalMint role to access victim negotiation posture and relay intelligence to co-conspirators in real time, maximizing ransom yield.

The scheme ran for approximately six months in 2023, during which Martino maintained dual roles without detection by his employer.

What Organizations Should Do

1. Vet your IR vendors like you vet privileged insiders. Background checks, conflict-of-interest disclosures, and ongoing monitoring should apply to any third party with access to incident data.
2. Compartmentalize negotiation strategy. Payment thresholds, cyber insurance limits, and board-level decisions should not flow freely to external negotiators without need-to-know controls.
3. Implement dual-party oversight on ransom negotiations. No single external negotiator should have unilateral access to both victim communications and ransom decisions.
4. Review your cyber insurance policy for IR firm accountability clauses. If your insurer assigned the negotiator, audit that firm's personnel vetting practices.
5. Treat ALPHV/BlackCat affiliate infrastructure as a persistent threat. Despite the FBI takedown in late 2023, affiliate tooling and relationships survive. Assume former ALPHV affiliates are operating under new banners.
6. If you engaged DigitalMint in 2023, conduct a retrospective review. Assess whether Martino was assigned to your incident and whether any negotiation intelligence may have been compromised.

Sources

• CyberScoop; Feds say another DigitalMint negotiator ran ransomware attacks and helped extort $75 million