
The Ultimate Betrayal: Ransomware Negotiator Angelo Martino Pleaded Guilty to Aiding ALPHV/BlackCat

In the high-stakes world of ransomware recovery, victims rely on expert negotiators to minimize damage and lower extortion demands. But in a shocking reversal of roles, federal investigators have unmasked a “mole” who was playing both sides of the table.

Angelo Martino, a former ransomware negotiator at the cybersecurity firm DigitalMint, recently pleaded guilty to conspiring with the notorious ALPHV/BlackCat ransomware group. Rather than protecting his clients, Martino leveraged his insider access to maximize the payouts for the very criminals he was hired to thwart. This case marks a watershed moment for the cybersecurity industry, highlighting a dangerous new vector of insider threat: the corrupted responder.


Playing Both Sides: The Double-Agent Strategy

Angelo Martino didn’t just fail at his job; he weaponized it. According to the U.S. Department of Justice, Martino admitted to double-dealing in at least five separate ransomware incidents starting in April 2023.

How the Scheme Worked

Martino’s strategy was built on the exploitation of privileged information. While ostensibly representing the victim’s interests, he was secretly feeding “intel” to the ALPHV/BlackCat operators:

  • Insurance Coverage Limits: He informed hackers exactly how much a victim’s cyber insurance policy would pay out.
  • Negotiation Strategies: He tipped off the attackers about the victim’s internal “walk-away” price and financial health.
  • Strategic Manipulation: By ensuring the hackers knew the victim’s maximum capacity to pay, he effectively sabotaged any chance of a reduced ransom.

In exchange for this “consulting,” Martino took a significant cut of the final extortion payment, turning the misfortune of his clients into a personal windfall.


The ALPHV/BlackCat Ecosystem: Ransomware-as-a-Service (RaaS)

To understand the scale of the threat, one must look at the ALPHV/BlackCat business model. The group operates under a Cybercrime-as-a-Service (CaaS) or RaaS framework.

In this hierarchy, the core developers maintain the sophisticated encryption software and leak sites, while “affiliates” (like Martino and his co-conspirators) handle the actual deployment and negotiation. This modular structure allows the group to scale rapidly, infecting hundreds of organizations globally.

Law Enforcement Strikes Back

The ALPHV/BlackCat group was a primary target for global law enforcement in 2023. A major operation successfully:

  • Seized the group’s dark-web infrastructure.
  • Released a public decryptor tool that helped over 500 victims restore their systems without paying.
  • Saved an estimated $99 million in potential ransom payments.

However, the “insider” activity discovered in the DigitalMint case shows that even when a gang’s infrastructure is crippled, rogue professionals can keep the extortion engine running.


The Conspiracy Expands: A Trio of Rogue Responders

Martino did not act alone. The investigation revealed a coordinated cell of cybersecurity professionals who turned to crime.

In 2025, fellow DigitalMint employee Kevin Tyler Martin and Ryan Clifford Goldberg (a former incident response manager at Sygnia) were also implicated. Together with Martino, this trio successfully extorted over $1.2 million in Bitcoin from a single victim company.

Name | Former Role | Sentencing Status
--- | --- | ---
Angelo Martino | Ransomware Negotiator (DigitalMint) | Pleaded Guilty; Sentencing July 9, 2026
Kevin Tyler Martin | Ransomware Negotiator (DigitalMint) | Pleaded Guilty; Sentencing April 30, 2026
Ryan C. Goldberg | IR Manager (Sygnia) | Pleaded Guilty; Sentencing April 30, 2026



Risk Impact: Why Insider Threats in Security Firms are Critical

When an employee at a bank steals money, it is a crime. When an employee at a cybersecurity firm aids a hacker, it is a systemic failure. The impact of the Martino case is three-fold:

  1. Marketplace Trust: Organizations may now hesitate to share sensitive financial data with third-party incident response (IR) firms.
  2. Increased Payouts: The $75 million in combined ransom payments linked to this group shows that insider data significantly drives up the cost of cybercrime.
  3. Credential Abuse: As IR professionals, these individuals had the “keys to the kingdom”—administrative access that bypassed traditional firewalls and EDR (Endpoint Detection and Response) tools.

Actionable Steps: Protecting Your Organization from “Rogue” Responders

How can a CISO trust their negotiator after the DigitalMint scandal? It requires a shift toward verified transparency.

  • Implement Segregation of Duties: Never allow the person managing the technical recovery to be the sole point of contact for the financial negotiation.
  • Restrict Insurance Data: Keep insurance policy limits on a “need-to-know” basis. Only executive leadership and legal counsel should have full visibility into coverage caps.
  • Third-Party Oversight: If you hire an IR firm, consider a secondary “shadow” auditor to review negotiation logs for signs of collusion or strategy leaks.
  • Vetting IR Firms: Ask for evidence of internal monitoring and behavioral analytics (UBA) within the firm’s own infrastructure to ensure their employees aren’t accessing unauthorized client data.
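
The first, second and fourth controls above can be checked mechanically from case assignments and document access logs. The following Python sketch is an added example, not part of the original article or any vendor's tooling; the user names, role names, document tags and log layout are all hypothetical, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample data; every name, role and tag here is hypothetical.
ASSIGNMENTS = [  # (case_id, user, role)
    ("case-01", "alice", "technical_recovery"),
    ("case-01", "bob", "negotiator"),
    ("case-01", "carol", "legal_counsel"),
    ("case-02", "dave", "technical_recovery"),
    ("case-02", "dave", "negotiator"),
    ("case-02", "erin", "executive"),
]
ACCESS_LOG = [  # (user, case_id, document_tag)
    ("carol", "case-01", "insurance_limits"),
    ("bob", "case-01", "insurance_limits"),
    ("bob", "case-01", "negotiation_log"),
    ("bob", "case-02", "negotiation_log"),
    ("erin", "case-02", "insurance_limits"),
]
# Roles cleared to see coverage caps under the need-to-know rule.
COVERAGE_ROLES = {"executive", "legal_counsel"}


def audit(assignments, access_log):
    """Return a sorted list of (finding, user, case_id) tuples."""
    roles = defaultdict(set)    # (case_id, user) -> roles held on that case
    by_role = defaultdict(set)  # (case_id, role) -> users holding that role
    for case_id, user, role in assignments:
        roles[(case_id, user)].add(role)
        by_role[(case_id, role)].add(user)

    findings = set()
    # Segregation of duties: the sole negotiator must not also run recovery.
    for case_id in {c for c, _, _ in assignments}:
        negotiators = by_role[(case_id, "negotiator")]
        recovery = by_role[(case_id, "technical_recovery")]
        if len(negotiators) == 1 and negotiators <= recovery:
            user = next(iter(negotiators))
            findings.add(("sole_negotiator_runs_recovery", user, case_id))

    for user, case_id, tag in access_log:
        held = roles.get((case_id, user), set())
        if not held:
            # Access to a case the user is not assigned to.
            findings.add(("unassigned_access", user, case_id))
        elif tag == "insurance_limits" and not (held & COVERAGE_ROLES):
            # Assigned to the case, but not cleared for coverage caps.
            findings.add(("coverage_need_to_know", user, case_id))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, ACCESS_LOG):
        print(finding)
```

A shadow auditor can run the same checks against exports the IR firm provides, which turns “evidence of internal monitoring” into something reviewable rather than asserted.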

FAQs

1. What was the motive behind Angelo Martino’s betrayal?

Financial gain. By maximizing the ransom paid by victims, Martino and his co-conspirators pocketed a percentage of the Bitcoin payouts, accumulating millions in illicit assets.

2. What kind of prison time does Martino face?

Martino pleaded guilty to one count of conspiracy to commit extortion. He faces a maximum penalty of 20 years in federal prison.

3. Was DigitalMint involved in the crime?

No. The Department of Justice stated that DigitalMint was unaware of the scheme and fully cooperated with the FBI once the investigation was unsealed. The company fired the rogue employees immediately upon notification.

4. What happened to the $10 million in assets seized from Martino?

Authorities seized luxury vehicles, properties, a luxury fishing boat, and significant amounts of cryptocurrency. These funds are typically used for victim restitution or law enforcement funding.


Conclusion: A Wake-Up Call for the Cybersecurity Community

The conviction of Angelo Martino is a sobering reminder that security is not just about tools—it is about people. When the very individuals hired to put out the fire are the ones pouring gasoline on the flames, traditional defense models fail.

Action Item: Review your incident response contracts today. Ensure your partners have rigorous internal controls and that your most sensitive financial data is protected even from those you hire to “save” you.
