Ransomware Negotiator Sentenced for Betraying Clients to BlackCat

Ransomware negotiator Angelo Martino sentenced 70 months for betraying clients to BlackCat ALPHV

A ransomware negotiator is supposed to help victim organizations reduce what they pay. Angelo Martino did the opposite. He secretly told the attackers how much each client was willing to pay. He collected a cut of every ransom. Eventually he launched his own attacks using the BlackCat ransomware. A Florida court has sentenced the 41-year-old to 70 months in prison.

Martino’s Role at DigitalMint

Martino worked at DigitalMint, a firm that assists organizations during cyberattacks and leads ransom negotiations. His job was to secure favorable terms for clients and reduce the final payment where possible. For each case, Martino received detailed attack information. That included the initial demand, the client’s insurance coverage, and the victim’s internal negotiation strategy.

That confidential information gave Martino a precise picture of each client’s limits. He knew the exact insurance maximum. He also understood how urgently each company needed its systems restored. He could see the highest offer management would ever make. Rather than using that knowledge to protect clients, he passed it directly to members of BlackCat, also known as ALPHV.

The Hidden Communication Channel

From April 2023 onward, Martino communicated with BlackCat representatives via the Tox messaging platform. He also used a private channel within the BlackCat negotiation panel. That channel was visible only to Martino, the ransomware group’s negotiators, and its affiliates who conducted the attacks. His employer and the victim organizations had no access to the conversation.

Martino disclosed insurance policy limits and clients’ internal negotiating positions. Armed with that intelligence, the ransomware operators could demand more money and hold out longer. Knowing a victim’s ceiling removes any incentive to accept a smaller payment. The attacker simply waits for the maximum.

More Than 75 Million Dollars Paid by Clients

In exchange for this information, Martino received a share of each ransom payment in cryptocurrency. Court records show that five DigitalMint clients paid members of the scheme more than 75 million dollars in total. Individual payments ranged from approximately 213,000 dollars to 26.8 million dollars. Investigators believe the insider intelligence helped inflate demands by millions of dollars.

The victims included a hotel company, a nonprofit organization, a financial firm, a retailer, and a healthcare organization. Operational disruptions prevented these companies from serving their customers. The financial and medical sectors suffered the most severe consequences.

Martino Spent the Proceeds on Real Estate and Vehicles

The scheme earned Martino several million dollars in cryptocurrency. The FBI seized a portion of his digital assets, but he had already spent a significant sum. With the proceeds, he purchased two homes in Florida, a boat, and several vehicles.

From Insider Tip to Active Affiliate

Approximately one month after he began secretly feeding information to BlackCat, Martino shifted to direct attacks. In May 2023, he obtained an affiliate account within the group’s platform. That access allowed him and his associates to use BlackCat’s ransomware, negotiation panel, and infrastructure to pressure victims.

Martino shared the account with two accomplices. Kevin Martin, another negotiator at DigitalMint, and Ryan Goldberg, an incident response specialist at Sygnia, joined the scheme. All three had professional backgrounds in cybersecurity and a thorough understanding of how organizations respond to infections.

BlackCat’s affiliate model allowed outside criminals to conduct attacks using the group’s ready-built infrastructure. Administrators maintained the malware, data-leak websites, victim chat systems, and payment processing. Affiliates identified targets, breached networks, stole data, and triggered encryption. The standard arrangement gave administrators 20 percent of each ransom payment.

Five Additional Victims, One Payout

Martino, Martin, and Goldberg attacked five additional organizations. Four refused to pay but still incurred costs from downtime, system recovery, and remediation. One medical device manufacturer agreed to pay 1.2 million dollars. The group divided that payment among themselves and the BlackCat administrators.

BlackCat encrypted files on corporate networks and exfiltrated data before locking systems. Victims then faced demands for both a decryption key and a promise not to publish the stolen information. That double-extortion pressure compelled payments even from organizations that maintained offline backups.

BlackCat’s Broader Impact, Including Change Healthcare

The group attacked hundreds of organizations. One of its most disruptive incidents was the February 2024 breach of the Change Healthcare payment network. The resulting outage disrupted payment and insurance claim processing across American healthcare. Medical providers were unable to process reimbursements for weeks.

Law enforcement launched an operation against BlackCat’s infrastructure in 2023. Investigators obtained access to the group’s systems, developed a decryption tool, and helped victims recover their data. Authorities also seized several of the group’s websites. US agencies continue to offer up to 10 million dollars for information on BlackCat administrators and affiliates.

Sentences and Cooperation

Charges against Kevin Martin and Ryan Goldberg were announced before authorities publicly named the third conspirator. In April 2026, a court sentenced each to four years in prison. Martino pleaded guilty and cooperated with investigators to help build the case against his accomplices.

The defense requested a two-year sentence, citing Martino’s cooperation. The prosecution sought a harsher penalty. Sentencing guidelines recommended a range of 70 to 87 months. The court imposed the minimum term within that range.

Martino was convicted of conspiracy to commit extortion affecting interstate commerce. The maximum penalty for that charge is 20 years. In addition to the 70-month prison term, he must forfeit assets purchased with criminal proceeds. After his release, he will surrender 10 percent of his income toward restitution for the victims.

Responses from DigitalMint and Sygnia

DigitalMint stated that management had no knowledge of the employees’ criminal conduct. After receiving information from the Department of Justice, the company terminated the individuals involved and cooperated fully with investigators. DigitalMint said Martino circumvented internal controls and used hidden communication channels inaccessible to his employer.

Sygnia similarly terminated Goldberg after learning of the investigation. The company was not named as a suspect and provided relevant information to the FBI.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Leave a Reply