The U.S. Department of Justice has unsealed a guilty plea from 41-year-old Angelo Martino, a former professional ransomware negotiator who admitted conspiring with the BlackCat/ALPHV ransomware gang to inflate ransom demands against five of his own clients. Investigators have seized over $10 million in assets tied to the scheme, including cryptocurrency, vehicles, a food truck, and a yacht. Martino faces up to 20 years in prison at sentencing on July 9, 2026.
What Happened
According to the DOJ, Martino was retained as a ransomware negotiator on behalf of five U.S. victim organizations during 2023. Rather than acting in his clients' interest, he covertly fed BlackCat/ALPHV operators sensitive information drawn directly from his negotiation engagements, including cyber insurance policy limits and the victims' internal negotiation strategies. Armed with this intelligence, the threat actors calibrated ransom demands to extract the maximum payout the victim could plausibly authorize. Martino received a cut of the resulting proceeds.
The case widens beyond passive collusion. Martino also admitted partnering with two incident response professionals, Ryan Goldberg and Kevin Martin, to actively deploy BlackCat ransomware against multiple U.S. companies between April and November 2023. In one engagement, the trio successfully extorted approximately $1.2 million in Bitcoin from a single victim. Both co-conspirators have already entered guilty pleas.
What Was Taken
The information funneled to BlackCat/ALPHV was not operational network data but commercially sensitive negotiation intelligence, arguably more valuable to an extortion crew than stolen files:
- Cyber insurance coverage limits for at least five victim organizations
- Internal negotiation playbooks, walk-away thresholds, and counter-offer strategy
- Likely visibility into board, legal, and executive decision-making cadence during active incidents
- In the cases tied to direct deployment, full encryption and exfiltration of victim environments, culminating in at least one $1.2 million Bitcoin payment
Why It Matters
This is one of the clearest documented examples of a trusted incident response insider weaponizing privileged engagement data against the clients paying for protection. The negotiator role sits at the most sensitive junction of an incident: counsel, insurer, executive leadership, and adversary all share information through that channel. A compromised negotiator effectively gives the threat actor a seat in the victim's war room.
For defenders and insurers, the case validates a long-standing concern that ransom demands frequently track insurance limits with uncomfortable precision. Until now, that pattern was usually attributed to data exfiltrated from victim networks. The Martino plea confirms that, in at least some cases, the leak originated from the response team itself. Expect renewed regulatory scrutiny of the IR and ransomware negotiation industry, and pressure from cyber insurers to harden vendor vetting.
The Attack Technique
The scheme combined two distinct tradecraft patterns:
- Insider intelligence handoff. During legitimate engagements, Martino passed BlackCat/ALPHV affiliates the victim's insurance ceiling and negotiation posture out of band, allowing the gang to reject lowball offers and anchor demands just below policy limits.
- Active co-deployment. Working with Goldberg and Martin, Martino participated in deploying BlackCat/ALPHV ransomware against additional U.S. targets, then laundered the proceeds through cryptocurrency and physical assets including vehicles and a yacht.
No novel malware or zero-day was required. The trust relationship between victim and negotiator was the vulnerability.
What Organizations Should Do
- Vet IR and negotiation vendors aggressively. Require background checks, conflict-of-interest attestations, and references for any external negotiator before granting them access to insurance and strategy data.
- Compartmentalize insurance policy details. Treat coverage limits as crown-jewel data during an incident. Share on a strict need-to-know basis and never in channels accessible to the full IR vendor team.
- Use multiple parties for verification. Have outside counsel or a separate advisor cross-check negotiator recommendations rather than relying on a single point of contact with the threat actor.
- Monitor negotiator communications. Log and audit all negotiator-to-actor messaging through controlled channels; flag any out-of-band contact with the adversary.
- Coordinate with insurers. Confirm that your carrier's panel vendors are reassessed in light of this case and ask whether enhanced controls are now required for negotiator selection.
- Preserve evidence for law enforcement. If post-incident analysis suggests the adversary knew internal numbers they shouldn't have, escalate to the FBI and DOJ rather than absorbing it as bad luck.