A Florida cybersecurity professional was sentenced Thursday to 70 months in federal prison for betraying five ransomware victims to the BlackCat gang while pretending to negotiate on their behalf — inflating ransoms that totaled $75.3 million and exposing a structural vulnerability that the unregulated ransomware negotiation industry has not addressed. Angelo John Martino III, 41, of Land O’Lakes, Florida, spent six months in 2023 simultaneously feeding his clients’ insurance policy limits and negotiating ceilings to the very attackers he was hired to fight, and separately operating as a BlackCat affiliate alongside two colleagues who also worked in incident response.
The case, prosecuted by the U.S. Attorney’s Office for the Southern District of Florida and led by the FBI’s Miami Field Office, is the first to reach sentencing for an insider betrayal at a professional ransomware negotiation firm — and federal officials say it raises hard questions about an entire industry that operates without licensing requirements, ethics codes, or mandatory audit trails.
How Martino Ran Both Sides of the Same Negotiation
Martino joined DigitalMint, a U.S.-based cyber incident response firm that helps organizations navigate ransomware attacks, in 2022 — by which point, court records show, he was already engaging in criminal activity. DOJ sentencing press release His role gave him direct access to exactly the intelligence an attacker most needs: a victim’s maximum payment tolerance, its insurance coverage ceiling, and the internal strategy its leadership had approved.
Beginning in April 2023, Martino obtained a dedicated ALPHV/BlackCat affiliate account — accessible only to him and BlackCat operators — and used it to run a hidden second communication channel parallel to DigitalMint’s visible client-facing negotiation. CyberScoop’s case report On the visible channel, he performed what looked like standard ransomware negotiation on behalf of five clients. On the hidden channel, he fed BlackCat affiliates the intelligence that allowed them to apply precisely calibrated pressure.
Court records document the mechanism in granular detail. During one negotiation, Martino told a BlackCat affiliate that the victim’s insurance carrier “was only approving small accounts,” then directed the affiliate to keep rejecting offers: “Keep denying our offers and I will let you know once I find out the max the[y] want to pay.” On the victim-facing channel, Martino said to the same attackers: “We are able to give you $1 million now, which is a very serious offer.” The BlackCat affiliate, following Martino’s own instructions, responded: “We know how much you can pay.” That hospitality-industry victim ultimately paid nearly $16.5 million. plea agreement chat logs
The technical architecture that made this possible was the absence of any audit layer on negotiator communications with ransomware operators. DigitalMint’s compliance controls — including background checks — were designed for the documented channel, not for the unauthorized ALPHV affiliate account that Martino opened and operated separately. The two channels ran simultaneously; the standard incident-response tooling had no mechanism to detect one while the other was being logged.
Five Victims. $75.3 Million. No Refunds Confirmed.
The five companies Martino betrayed through DigitalMint paid ransoms between April and September 2023. The amounts — confirmed in court documents and reported by CyberScoop — show how effectively the intelligence transfer inflated each outcome:
A nonprofit organization paid nearly $26.8 million. A financial services company paid nearly $25.7 million. The hospitality company whose chat logs appear in court records paid almost $16.5 million. Two additional victims paid $6.1 million and $213,000 respectively. The combined total paid by Martino’s clients was $75.3 million. confirmed victim ransom totals
DigitalMint has not confirmed whether it refunded any clients. When asked directly, a company spokesperson told CyberScoop: “We are not able to discuss specific client relationships or fee arrangements due to confidentiality obligations.” DigitalMint spokesperson statement
Martino also conspired separately with two colleagues — Kevin Tyler Martin, 36, another DigitalMint ransomware negotiator, and Ryan Clifford Goldberg, 41, who served as an incident response manager at Sygnia — to directly deploy BlackCat ransomware against five additional U.S. organizations between April and November 2023. The three registered as BlackCat affiliates, paying the gang a 20% commission on any ransom collected in exchange for access to the malware and extortion infrastructure. DOJ affiliate conspiracy charges In one confirmed attack, on a medical company in May 2023, the trio extorted approximately $1.3 million in Bitcoin, split the proceeds among themselves, and laundered the funds through cryptocurrency transactions. The other four targets did not pay.
Martin and Goldberg pleaded guilty in December 2025 and were each sentenced in April 2026 to four years in prison. Martino, whose additional role in the negotiation betrayal made him more culpable, received the stiffer sentence of 70 months.
Ransomware Negotiation Has No Ethics Board, No License, No Audit Logs
The Martino case proves something that critics of the ransomware negotiation industry had long argued was possible but had not been prosecuted: when a negotiator registers as an affiliate of the same gang attacking their client, they hold what amounts to a structural advantage over both parties. They know the victim’s ceiling from the inside. They know the attacker’s floor from the affiliate portal. The negotiation — which the victim is paying for — becomes theater.
“Ransomware threat actors have a long and well-documented history of attempting to build direct relationships with negotiation firms,” said Magnus Jelen, an executive at incident response firm Coveware. “In some cases, they have even developed mechanisms designed to allow unethical intermediaries to profit from ransom payments without full visibility for victims.” CNN insider-threat investigation
That structural problem exists because the ransomware negotiation profession is entirely unregulated. There is no licensing requirement. No ethics code. No mandatory disclosure of relationships with threat actor groups. No requirement to log and preserve negotiator communications with attackers for independent audit. No oversight body with enforcement authority. A ransomware negotiator operates with privileged access to victims’ most sensitive financial information and faces no professional consequence — beyond criminal prosecution — for using it against them.
“This case is disturbing on so many levels. It is a betrayal of trust, plain and simple,” said Shawn Tuma, a cyber and data law practice group leader at Spencer Fane LLP. “When companies are hit with ransomware, they’re at their most vulnerable, and they turn to DFIR professionals for help, trusting them with the keys to the kingdom.” SecureWorld industry analysis
Coveware has since moved to eliminate ransom payment processing fees for its clients — “advice on ransom payments must be completely objective and free from incentive bias,” Jelen said — but that change is voluntary and unilateral. No industry-wide standard requires it. CNN on Coveware’s fee changes
Senior DOJ officials described the Martino case to CNN as “groundbreaking” and said the department is considering roundtables with cybersecurity firms to discuss insider-threat prevention. Col. Cedric Leighton, a retired Air Force intelligence officer, has called for the creation of a professional certification structure comparable to the American Medical Association: “The cybersecurity community has to create a guild similar to the AMA for doctors. They would police themselves like other professional organizations do.” SecureWorld on certification calls
What BlackCat Was — and What Martino’s Sentencing Signals
BlackCat, which first appeared in late 2021, was one of the most prolific ransomware operations before its dismantling. The FBI linked the group to more than 1,000 victims worldwide and documented at least $300 million in ransom payments through September 2023. FBI BlackCat joint advisory Its targets included hospitals, universities, pipelines, and financial institutions. The Justice Department disrupted the gang in December 2023, seized its infrastructure, and deployed a decryption tool that helped hundreds of victims restore systems — saving them an estimated $99 million in additional ransom payments. DOJ BlackCat disruption announcement
But as the Martino sentencing illustrates, the criminal ecosystem around ransomware extends into the professional services industry paid to respond to it.
“Angelo Martino’s victims shared heartbreaking accounts of how their businesses were nearly destroyed, while the people they hired to help them instead betrayed them to ransomware gangs,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. DOJ sentencing announcement
“Angelo Martino sold out the very victims he was hired to represent, handing their confidential negotiating positions to BlackCat actors to drive up ransoms and enrich himself,” said Brett Leatherman, Assistant Director of the FBI Cyber Division.
Law enforcement seized $10 million in assets from Martino, including a bayfront home valued at approximately $1.68 million, a second single-family home valued at approximately $396,000, multiple vehicles, a food truck, and a 29-foot luxury fishing boat. Martino is scheduled to return to court on September 17, 2026 for a hearing to determine the total restitution amount. asset seizure reporting
DigitalMint acknowledged the failure of its controls without characterizing it as preventable. “DigitalMint maintained controls consistent with industry standards, including background checks and compliance procedures, but Martino intentionally hid his conduct from the company, including through separate, unauthorized communication channels,” a company spokesperson said. DigitalMint’s public response The defense — “consistent with industry standards” — is precisely the problem prosecutors and critics say needs to change. If industry standards cannot detect a negotiator holding an active ALPHV affiliate account, the standards are not adequate.
Is Your Ransomware Response Team Being Vetted Like a Vendor?
Any organization that retains a ransomware negotiator faces the same structural exposure that Martino’s clients did. The following questions are now standard due-diligence items that did not exist as a category before this prosecution:
Does the incident response firm segregate client-facing negotiation channels from all external communications, with mandatory logging? Is the negotiation team subject to real-time conflict-of-interest screening against known threat actor affiliate registries? Does the engagement agreement include mandatory disclosure requirements for any prior relationship between a negotiator and a ransomware group’s infrastructure? Does the firm use a fixed-fee structure that removes the financial incentive to allow ransom negotiations to drift higher?
No regulatory framework currently requires any of these controls. Demanding them contractually is, for now, the only protection available to a company in crisis.
Frequently Asked Questions
How did the ransomware negotiator secretly work for the attackers at the same time?
Martino obtained a separate ALPHV/BlackCat affiliate account that operated outside DigitalMint’s documented client channels. On one channel, he performed visible negotiations on his clients’ behalf. On the other — accessible only to him and BlackCat operators — he fed the attackers real-time intelligence about each victim’s insurance ceiling and maximum payment tolerance. DigitalMint’s compliance controls had no audit layer on communications running through the external affiliate account, so the dual operation went undetected for six months.
Is ransomware negotiation a regulated profession?
No. Ransomware negotiation currently operates with no licensing requirement, no mandatory ethics code, no disclosure obligations, and no oversight body with enforcement authority. Negotiators hold privileged access to a victim’s most sensitive financial information but face no professional consequence — beyond criminal prosecution — for misusing it. The Martino case has prompted DOJ officials to consider industry roundtables on insider-threat prevention, and experts have called for a certification structure comparable to what governs physicians or attorneys, but no such requirement exists as of July 2026.
How much did Martino’s clients actually pay in ransoms?
The five DigitalMint clients Martino betrayed paid a combined $75.3 million in ransoms between April and September 2023 — significantly more than they would have paid without Martino’s intelligence-sharing. Individual payments included approximately $26.8 million by a nonprofit, $25.7 million by a financial services company, and $16.5 million by a hospitality firm. DigitalMint has not confirmed whether any of these clients received refunds.
What can organizations do before hiring a ransomware response firm?
Security and legal teams can demand specific contractual protections before retaining any ransomware negotiation firm: segregated, auditable communication channels for all negotiator-attacker contacts; fixed-fee billing structures that remove financial incentives tied to ransom size; mandatory conflict-of-interest disclosures for all personnel with access to client negotiating strategy; and a third-party audit right over negotiation logs. Because no regulation currently mandates any of these controls, the burden of demanding them falls on the organization — ideally before an attack occurs, not during one.
