The U.S. Department of Justice has confirmed that 41-year-old Florida resident Angelo Martino, a former ransomware negotiator, pleaded guilty to conspiracy to commit extortion after secretly collaborating with the BlackCat (ALPHV) ransomware gang. Martino funneled confidential victim information to attackers across at least five negotiation engagements in 2023, directly enabling inflated ransom demands. Authorities have seized more than $10 million in assets tied to the scheme, and Martino faces up to 20 years in prison at his July 9, 2026 sentencing.

What Happened

According to DOJ filings, Martino was retained as a professional ransomware negotiator on behalf of at least five victim organizations during 2023. Rather than acting in the interest of his clients, he covertly passed sensitive negotiation intelligence to BlackCat affiliates, including the victims' cyber insurance coverage ceilings and their internal negotiating strategies. Armed with this inside knowledge, BlackCat operators calibrated ransom demands to the maximum amount victims could plausibly pay, then funneled a share of the proceeds back to Martino. Investigators also determined that Martino worked with two incident response specialists, Ryan Goldberg and Kevin Martin, to directly deploy BlackCat ransomware against multiple U.S. companies between April and November 2023. One incident alone yielded approximately $1.2 million in Bitcoin. Both co-conspirators have already pleaded guilty.

What Was Taken

The compromised information did not originate from a traditional network intrusion. Instead, the leaked material was the highly sensitive data entrusted to Martino in his professional capacity:

• Cyber insurance policy limits and coverage details for five victim organizations
• Internal negotiation strategies, red lines, and settlement authority thresholds
• Confidential victim communications intended to be privileged within the incident response process
• Operational context that allowed BlackCat to anchor demands against each victim's financial capacity

In parallel, victims of the Goldberg/Martin BlackCat deployments suffered the full range of ransomware impact: encrypted systems, operational disruption, and extorted payments totaling at least $1.2 million in a single known case.

Why It Matters

This case is a watershed moment for the incident response ecosystem. Ransomware negotiators occupy a position of extreme trust, holding the exact information threat actors most want: how much a victim can pay, how desperate they are, and what their legal and insurance constraints look like. Martino's guilty plea confirms what defenders have long feared: that insider compromise of the IR supply chain is not theoretical. The ransomware economy has matured to the point that it is economically rational for criminal groups to recruit or co-opt the very professionals hired to defend against them. Every organization that has engaged an outside negotiator or IR firm in the past several years should now treat the possibility of leaked negotiation data as a credible historical risk.

The Attack Technique

Unlike most ransomware stories, the tradecraft here was human, not technical. Martino exploited legitimate access granted to him by his employer and clients. The scheme had two distinct tracks:

1. Negotiation intelligence leakage. While fulfilling his contracted role, Martino relayed insurance limits and negotiation posture to BlackCat affiliates via out-of-band channels, allowing attackers to price ransoms against the victim's true payment capacity.
2. Direct ransomware deployment. Working with Goldberg and Martin, Martino helped deploy BlackCat payloads into U.S. corporate environments, converting insider positioning into active intrusions. Proceeds were laundered through cryptocurrency and physical assets, later seized by authorities, including vehicles, a food truck, and a yacht.

No novel malware or zero-day was involved. The exploit was trust.

What Organizations Should Do

1. Vet IR and negotiation vendors rigorously. Require documented background checks, conflict-of-interest disclosures, and contractual prohibitions on side communications with threat actors for any firm or individual representing you in a ransomware event.
2. Compartmentalize insurance and negotiation data. Treat cyber insurance coverage limits as among the most sensitive data in the response. Share them only with named individuals on a strict need-to-know basis, and never include them in broad IR chat channels.
3. Log and monitor negotiator communications. Require negotiation platforms and chat logs to be owned by the victim or counsel, with full auditability, rather than controlled solely by the vendor.
4. Retrospectively review 2023 BlackCat engagements. Any organization that worked with Martino, his employer, or Goldberg/Martin during April to November 2023 should assume negotiation data was compromised and coordinate with counsel and law enforcement.
5. Engage counsel early and route IR under privilege. Retaining outside counsel to direct the IR firm adds an oversight layer and legal accountability that pure vendor relationships lack.
6. Report suspected negotiator misconduct. Unusual demand escalations timed to internal disclosures, or attackers who appear to know undisclosed limits, should be escalated to the FBI and DOJ immediately.

Sources: Betrayal in the Ranks: U.S. Ransomware Negotiator Leaked Sensitive Data to BlackCat to Inflate Ransom Demands - Thailand Computer Emergency Response Team (ThaiCERT)