Ex-Ransomware Negotiator Admits to Double-Crossing Victims for Profit

A former ransomware negotiator has pleaded guilty to helping cybercriminals extort companies, marking the third such case in the past year. Angelo Martino, once employed by cybersecurity firm DigitalMint, confessed to betraying his clients by feeding confidential information to the operators of the ALPHV/BlackCat ransomware group.

According to the U.S. Justice Department, Martino admitted to playing both sides during five separate incidents. While ostensibly working for victims, he secretly passed details about their insurance policy limits and negotiation strategies to the criminals. His goal: maximize the extortion payout, from which he took a cut.

The Betrayal Behind the Negotiation Table

Prosecutors described Martino’s actions as a calculated breach of trust. “Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart them,” said Assistant Attorney General A. Tysen Duva. “Instead, he betrayed them and began launching ransomware attacks himself.”

This case is not isolated. In 2024, two other cybersecurity professionals—Kevin Tyler Martin (also a DigitalMint employee) and Ryan Clifford Goldberg (a former incident response manager at Sygnia)—were charged with similar offenses. Authorities had mentioned a third unnamed individual; we now know it was Martino.

How the ALPHV/BlackCat Ransomware Scheme Worked

ALPHV/BlackCat operates as a ransomware-as-a-service model. The gang develops and maintains the file-locking malware, while affiliates deploy it in attacks and share a portion of the ransom with the developers. Martino, along with Martin and Goldberg, essentially became affiliates for six months in 2023.

During that period, the trio extorted over $1.2 million from a single victim, prosecutors said. Martino pleaded guilty to extortion and faces up to 20 years in prison. Authorities have already seized $10 million in assets from him.

The DigitalMint Connection

When reached for comment, an unnamed DigitalMint spokesperson told TechCrunch that the company had no knowledge of Martino’s criminal actions. They added that both employees were fired after the accusations surfaced. However, the case raises questions about oversight in the cybersecurity incident response industry.

Building on this, Martino’s guilty plea highlights a troubling trend: insiders exploiting their access to sensitive victim data for personal gain. As ransomware attacks continue to rise, companies must vet their incident response partners more rigorously.

Law Enforcement Actions Against ALPHV/BlackCat

In 2023, an international coalition of law enforcement agencies seized the dark web leak site of ALPHV/BlackCat, disrupting its operations. They also released a decryption tool to help over 500 victims restore their systems. This takedown, however, did not stop the group’s affiliates from operating independently.

For more insights on ransomware response strategies, check out our guide on building a ransomware response plan. Additionally, learn how to negotiate with cyber insurers without exposing critical data.

As a result, the Martino case serves as a stark reminder: even those hired to protect can become the threat. Companies must implement strict protocols to monitor third-party negotiators and ensure they act solely in the victim’s interest.