Editor’s Note: Ransomware response runs on borrowed trust, and on July 9 a federal court put a price on breaking it. Angelo Martino, a negotiator retained to talk BlackCat attackers down, instead fed them his clients’ insurance limits and negotiating positions while five victims paid $75.3 million, according to court records reviewed by CyberScoop; he will serve 70 months.

For cybersecurity, privacy, compliance and eDiscovery professionals, the case converts an abstract worry about the incident response supply chain into a documented, prosecuted fact pattern. Every organization that pre-negotiates breach panels, negotiation services and coverage terms now has a concrete reason to revisit who sees policy limits, how negotiation channels are logged and what integrity obligations sit inside vendor retainers.

Watch two developments next: the Sept. 17 restitution hearing, which may clarify victim-recovery expectations, and whether carriers and breach counsel begin incorporating Martino-style safeguards into panel and engagement requirements. The prosecution demonstrates that misconduct inside the response chain can be identified and punished; the contracts and controls governing that chain still have catching up to do.


Content Assessment: The negotiator was the leak: insider who betrayed ransomware victims gets 70 months

Information - 94%
Insight - 93%
Relevance - 92%
Objectivity - 92%
Authority - 93%

93%

Excellent

A short percentage-based assessment of the qualitative benefit expressed as a percentage of positive reception of the recent article from ComplexDiscovery OÜ titled, "The negotiator was the leak: insider who betrayed ransomware victims gets 70 months."


Industry News – Cybersecurity Beat

The negotiator was the leak: insider who betrayed ransomware victims gets 70 months

ComplexDiscovery Staff

A former ransomware negotiator who secretly provided BlackCat actors with confidential information about his own clients was sentenced July 9 to 70 months in federal prison. Court records reviewed by CyberScoop show that five organizations he represented paid a combined $75.3 million in ransoms.

The man hired to talk the criminals down was, in effect, working both sides of the table.

Angelo John Martino III, 41, of Land O’Lakes, Florida, worked as a negotiator for DigitalMint, a firm that companies retain in the worst hours of a cyberattack to communicate with extortionists and, ideally, drive the price down. Beginning in April 2023, according to the Justice Department, Martino did the opposite. While representing five U.S. victims in active BlackCat negotiations, he passed the attackers the two things no extortionist should ever see: the victims’ insurance policy limits and their internal negotiating positions.

The BlackCat actors paid him for it.

A double agent inside the negotiation

Federal prosecutors described Martino in a sentencing memorandum as a “double agent working to maximize the harm to his clients and the financial gain to cybercriminals who paid him a part of the ransom.” The memo, quoted by CyberScoop, added: “This was not a crime of opportunity or momentary weakness; it was a sustained abuse of a fiduciary-like relationship driven by a single purpose: greed.”

All five victims paid. According to CyberScoop’s review of court records, a nonprofit paid nearly $26.8 million, a financial services company paid nearly $25.7 million, and a hospitality company paid almost $16.5 million; the remaining two victims paid $6.1 million and $213,000. The combined total reached $75.3 million.

Court records quoted by CyberScoop show how the back channel worked. During one engagement, Martino told a BlackCat affiliate that the victim’s insurance carrier “was only approving small accounts,” then wrote: “Keep denying our offers, and I will let you know once I find out the max they want to pay.” The hospitality industry victim in that negotiation ultimately paid a ransom worth almost $16.5 million.

“Angelo Martino’s victims shared heartbreaking accounts of how their businesses were nearly destroyed, while the people they hired to help them instead betrayed them to ransomware gangs,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division.

“He was hired to help victims in a moment of crisis,” said U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida, who added that the case “sends a clear message: we will pursue the hackers who deploy ransomware, the insiders who enable them, and the money they steal from American victims.”

From back channel to attack crew

Martino did not stop at selling information. CyberScoop, citing prosecutors, reported that he obtained an ALPHV/BlackCat affiliate account. According to the Justice Department, he then conspired with two other cybersecurity professionals, fellow DigitalMint negotiator Kevin Martin of Texas and Sygnia incident response manager Ryan Goldberg of Georgia, to deploy the ransomware against additional U.S. companies between April and November 2023.

The three men agreed to pay BlackCat’s administrators a 20 percent cut of any ransoms in exchange for access to the ransomware and its extortion platform, the department said. One victim, a medical company, paid about $1.2 million in bitcoin; the conspirators split their share and laundered the proceeds. Four other targets refused to pay.

Goldberg and Martin pleaded guilty in December 2025 and received four-year prison sentences this spring; the Justice Department releases list the sentencing date as April 30 in one announcement and May 1 in another. Goldberg tried to flee prosecution, and the FBI tracked him through 10 countries before he faced justice, Assistant Director Brett Leatherman of the FBI’s Cyber Division said at the time.

Martino surrendered in March, pleaded guilty on April 14 to one count of conspiracy to interfere with interstate commerce through extortion under the Hobbs Act, and faced up to 20 years. As of the July 9 sentencing, law enforcement had seized $10 million in assets from him, the department said, including cryptocurrency, vehicles, a food truck and a luxury fishing boat; CyberScoop reported the seizures also include a bayfront home valued at about $1.68 million and a second house. A hearing to set restitution is scheduled for Sept. 17.

“Angelo Martino sold out the very victims he was hired to represent, handing their confidential negotiating positions to BlackCat actors to drive up ransoms and enrich himself,” Leatherman said in a statement on the sentencing.

What DigitalMint says happened

The Justice Department’s releases describe Martino’s employer only as a U.S.-based cyber incident response company; CyberScoop identified the firm as DigitalMint, and the company has responded on the record. DigitalMint said it had no knowledge of the scheme. “The actions of Martino and his co-conspirators were deliberately concealed from DigitalMint and were in clear violation of the company’s values, ethical standards and the law,” a company spokesperson said in a statement to CyberScoop.

The company said it maintained industry-standard controls, including background checks, and that Martino used unauthorized side channels visible only to him and the BlackCat negotiators. DigitalMint said it terminated Martino and cut his system access when the Justice Department disclosed its investigation in April 2025. The company declined to say whether it refunded fees to affected clients, citing confidentiality obligations.

Why breach counsel should treat this as a control failure

For the lawyers, insurers and forensic teams who assemble ransomware response, the case lands as a supply-chain integrity problem, not a curiosity. The information Martino sold, policy limits and negotiation strategy, is exactly the information that flows freely among counsel, carriers, brokers and negotiators during an incident. The case gives breach counsel concrete reasons to narrow that flow: share coverage limits with a negotiation firm only when the negotiation plan requires it, insist that all threat-actor communications run through logged, firm-controlled channels, and write audit rights, personnel disclosure and conflict screening into negotiation retainers before an incident, not during one. Carriers and brokers have the same homework; the fewer people who can see a policy limit during a live extortion, the less that limit is worth to an attacker.

The case carries a discovery dimension, too. Negotiation traffic, and the internal deliberations behind it, can surface in follow-on litigation, regulatory inquiries and coverage disputes. Routing negotiator engagements through outside counsel may strengthen applicable privilege arguments when the work is genuinely performed to facilitate legal advice; separately documenting who accessed negotiation information creates an audit trail that can support later litigation, regulatory review and coverage analysis, the trail a Martino-style betrayal would otherwise erase.

Retention agreements deserve a second look as well. Organizations should determine whether their engagement letters for negotiation services expressly address employee integrity monitoring, dual-control review of negotiation traffic and a provider’s duty to disclose government investigations involving assigned personnel. After a case in which prosecutors say a negotiator ran the other side of his own negotiations, any such omission looks less like a boilerplate gap and more like unpriced risk.

The sentencing caps what security press coverage has described as a rare documented instance of U.S. incident-response insiders joining the ransomware economy they were paid to fight. BlackCat itself collapsed after a December 2023 disruption in which the FBI developed a decryption tool that the department says saved victims about $99 million in ransom payments. The insiders who abused its platform from within the response industry are now all headed to federal prison.

When the next ransom demand arrives, most organizations will still need a negotiator. The question this case leaves for every general counsel and CISO is a narrower one: who is watching the person you hired to watch the criminals?



News sources



Assisted by GAI and LLM technologies

Additional reading

Source: ComplexDiscovery OÜ

ComplexDiscovery’s mission is to enable clarity for complex decisions by providing independent, data‑driven reporting, research, and commentary that make digital risk, legal technology, and regulatory change more legible for practitioners, policymakers, and business leaders.

 

Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know, and we will make our response to you a priority.

ComplexDiscovery OÜ is an independent digital publication and research organization based in Tallinn, Estonia. ComplexDiscovery covers cybersecurity, data privacy, regulatory compliance, and eDiscovery, with reporting that connects legal and business technology developments—including high-growth startup trends—to international business, policy, and global security dynamics. Focusing on technology and risk issues shaped by cross-border regulation and geopolitical complexity, ComplexDiscovery delivers editorial coverage, original analysis, and curated briefings for a global audience of legal, compliance, security, and technology professionals. Learn more at ComplexDiscovery.com.

 

Generative Artificial Intelligence and Large Language Model Use

ComplexDiscovery OÜ recognizes the value of GAI and LLM tools in streamlining content creation processes and enhancing the overall quality of its research, writing, and editing efforts. To this end, ComplexDiscovery OÜ regularly employs GAI tools, including ChatGPT, Claude, Gemini, Grammarly, Midjourney, and Perplexity, to assist, augment, and accelerate the development and publication of both new and revised content in posts and pages published (initiated in late 2022).