Who Can You Trust?

A Florida man who worked as a ransomware negotiator at a US cyber incident response firm has pleaded guilty to conspiring with the BlackCat/ALPHV ransomware group, feeding the attackers confidential information about his own clients while simultaneously negotiating on their behalf.  Angelo Martino, 41, of Land O'Lakes, Florida, admitted to providing BlackCat operators with clients' insurance policy limits and internal negotiation strategies without his employer's or clients' knowledge.  The operators paid Martino for the intelligence, which they used to maximize ransom demands against five victims.  He was supposed to be helping those same victims reduce their payments.[1]

See:  https://redskyalliance.org/xindustry/those-darn-blackcats

Martino's conduct went beyond mere data leaking.  Beginning in April 2023, he conspired with Ryan Goldberg of Georgia and Kevin Martin of Texas to actively deploy BlackCat ransomware against US targets.  All three held cybersecurity industry roles, a fact the US Department of Justice (DOJ) emphasized in its announcement.  After successfully extorting one victim for approximately $1.2 million in Bitcoin, the three men split their share of the ransom and laundered the proceeds through multiple channels.  The conspiracy ran from April through November 2023.  To date, law enforcement has seized more than $10 million in assets from Martino, including digital currency, vehicles, a food truck, and a luxury fishing boat.

US Assistant Attorney General A. Tysen Duva of the DOJ's Criminal Division was direct about the nature of the betrayal, saying: "Angelo Martino's clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims.  Instead, he betrayed them and began launching ransomware attacks himself by assisting cyber criminals and harming victims, his own employer, and the cyber incident response industry itself."

US Attorney Jason A. Reding Quiñones for the Southern District of Florida focused on the insider access angle and what the case signals to others, saying:  "Ransomware victims turned to this defendant for help, and he sold them out from the inside.  He abused his position at a cyber incident response company to feed confidential information to BlackCat actors, helping them maximize ransom payments from American victims. He then went further, joining the conspiracy himself to deploy ransomware and profit from extortion."

FBI Cyber Division Assistant Director Brett Leatherman noted that the case reinforces a point the bureau has long pushed: ransomware is not exclusively an offshore problem.  "His guilty plea demonstrates that, for all the international aspects of cybercrime, the threat is also here in the United States," Leatherman said, adding that Martino "abused the trust placed in him as a private sector negotiator by collaborating with ransomware criminals."

Martino pleaded guilty to one count of conspiracy to obstruct, delay, or affect commerce by extortion and faces a maximum of 20 years in prison.  Sentencing is scheduled for 9 July.  Goldberg and Martin separately pleaded guilty to the same charge in December 2025.  Both are scheduled to be sentenced on 30 April and each faces the same 20-year maximum.  The FBI's Miami field office is leading the investigation, with assistance from the US Secret Service.  

The BlackCat/ALPHV group was one of the more prolific ransomware-as-a-service operations before law enforcement action in December 2023, when the FBI disrupted the group's infrastructure, developed a decryption tool, and seized several BlackCat-operated websites. That decryption tool allowed field offices and international partners to help hundreds of victims recover their systems, saving an estimated $99 million in ransom payments.

Martino's case is a reminder that insider threats in the incident response (IR) industry pose at least the same risks as insiders elsewhere in the enterprise, and potentially greater ones, given the privileged access responders hold during an active crisis.  Organizations that engage third-party ransomware negotiators or IR firms should consider what contractual, technical, and operational controls govern how sensitive negotiation data (such as insurance policy limits and negotiation strategy) is handled and who has access to it.


This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122


[1] https://www.secureworld.io/industry-news/ransomware-negotiator-secretly-worked-both-sides
