19.6 C
London
Saturday, July 11, 2026
Home alphv Ransomware negotiator hired to represent victims was working for the attackers
ransomware-negotiator-hired-to-represent-victims-was-working-for-the-attackers
Ransomware negotiator hired to represent victims was working for the attackers

Ransomware negotiator hired to represent victims was working for the attackers

3
0

A former ransomware negotiator was sentenced to 70 months in prison yesterday after colluding with BlackCat scammers to extort the victims he was hired to protect.

As a ransomware negotiator for the company DigitalMint, Florida resident Angelo Martino’s job was “to negotiate with cybercriminals to mitigate the ransoms paid by [DigitalMint’s] clients,” the US government said in a sentencing memorandum on Tuesday. “Instead, Martino provided the cybercriminals with confidential negotiation information to maximize the ransoms in exchange for a portion of the ransom payments. Five of the victims whom Martino was supposed to help paid over $75 million to ransomware affiliates, including likely millions of dollars in ransom demands inflated as a result of the confidential information provided by Martino.”

Martino, 41, pleaded guilty and asked for a 24-month sentence, noting that he “provided substantial assistance that contributed to the indictment and conviction of two co-defendants.” As described in this November 2025 article, the co-defendants were Texas resident Kevin Martin, a ransomware negotiator for DigitalMint, and Georgia resident Ryan Goldberg, an incident manager at security firm Sygnia.

Martino had not yet been named by authorities when charges against Martin and Goldberg were announced last year. Martin and Goldberg were each sentenced to four years in prison in April 2026.

To compensate victims, Martino must forfeit property and pay 10 percent of any salary he earns after release. The government is due to submit a proposed order of forfeiture by next week.

Martino received millions of dollars in cryptocurrency as proceeds from the conspiracy, according to a factual proffer signed by Martino and US prosecutors. The FBI seized cryptocurrency from Martino, though he had already used much of it to buy two houses in Florida, a boat, and several vehicles.

“Sold out the very victims he was hired to represent”

Martino was charged in February with conspiracy to interfere with interstate commerce by extortion. He faced a maximum sentence of 20 years. The US said that sentencing guidelines based on Martino’s limited criminal history suggest a range of 70 to 87 months, and recommended “a sentence of at least the mid-point of this range.”

Victims of the scheme paid ransoms ranging from $213,000 to $26.8 million between April 2023 and September 2023. Besides the financial loss, the conspiracy “affected the ability of victims including companies in the financial services and health industry to provide services to customers,” the US said. Victims included a hospitality company, a nonprofit, a financial services company, a retail company, and a medical company, all of which had hired DigitalMint.

“Angelo Martino sold out the very victims he was hired to represent, handing their confidential negotiating positions to BlackCat actors to drive up ransoms and enrich himself,” FBI Cyber Division Assistant Director Brett Leatherman said yesterday.

Ransomware encrypts and steals data from computer networks in order to extort ransom payments. BlackCat, also known as ALPHV, caused chaos in the healthcare system by taking down the Change Healthcare payment network in February 2024 and was used against hundreds of other victims. The FBI said in December 2023 that it developed a decryption tool that gave victims the ability to restore their systems and seized several websites used by the ransomware group.

BlackCat administrators granted access to “affiliates,” who deployed the ransomware against victims and typically gave 20 percent of the proceeds to the BlackCat administrators. The government is still offering rewards of up to $10 million for information on BlackCat administrators and affiliates.

Martino and co-conspirators, in addition to working against their own clients’ interests, deployed the BlackCat ransomware themselves against five other victims, according to the US government.

“Martino further used his knowledge of ransomware and connections with ransomware actors to secure an affiliate account for himself, Martin, and Goldberg with ALPHV BlackCat,” the US said. “As an ALPHV BlackCat affiliate, the three men deployed ransomware against five victims, successfully extorting one payment for $1.2 million [from a medical device company]. Although the other victims did not pay the ransom demand, they nevertheless suffered consequential losses from the attacks.”

Chats with BlackCat attackers

Martino worked at DigitalMint from November 2022 to April 2025, first as an independent cybersecurity consultant and later as a full-time employee. DigitalMint is based in Chicago, and Martino worked remotely on a company-issued laptop.

“As part of his duties, the defendant was provided with details regarding the attack and information regarding the ransom demand and typically the victim’s applicable insurance coverage and negotiating strategy,” the factual proffer said.

Martino used BlackCat’s live chat system to negotiate ransom payments. Starting in April 2023, he “began communicating with BlackCat actors through the messaging platform Tox and in a separate ‘intermediary chat’ tab of the BlackCat panel,” which “was only accessible to the defendant and the BlackCat negotiators and affiliates,” the factual proffer said.

Martino used the intermediary chat tab to provide confidential information about clients.

“The purpose of these intermediary chat communications was to maximize the ransom payments paid by those victims to the BlackCat actors,” the court document said. “This information provided by the defendant without the victims’ knowledge included the victims’ insurance policy limits and internal negotiation positions. In exchange for providing confidential information, the defendant received a portion of the ransomware payments in digital currency.”

In May 2023, Martino obtained affiliate access to the BlackCat panel, and he shared that access with the co-conspirators. “After the defendant obtained affiliate access, the defendant, Co-conspirator 1, and Co-Conspirator 2 agreed to, and did use the BlackCat ransomware and platform to attack and extort victims and share the ransom proceeds amongst themselves and with the BlackCat admin,” the factual proffer said.

DigitalMint “also an unknowing victim”

In a statement provided to Ars today, DigitalMint said it had no knowledge of Martino’s criminal actions while he was employed there. DigitalMint said it fired the employees involved in the conspiracy after learning of the allegations from the Department of Justice, “and fully cooperated with federal authorities throughout the investigation.”

“The actions of Martino and his co-conspirators were deliberately concealed from DigitalMint and were in clear violation of the company’s values, ethical standards, and the law,” DigitalMint said. “The government has now publicly made it clear that DigitalMint was also an unknowing victim of these crimes.”

DigitalMint said Martino evaded the company’s internal safeguards that attempt to prevent fraud.

“DigitalMint maintained controls consistent with industry standards, including background checks and compliance procedures, but Martino intentionally hid his conduct from the company, including through separate, unauthorized communication channels that the government’s filings describe as accessible only to Martino and the BlackCat negotiators and affiliates,” DigitalMint said. “When federal authorities brought the allegations to the company’s attention, DigitalMint acted immediately.”

Sygnia told CNN and other media outlets in November that it terminated Goldberg “immediately upon learning of the situation.” Sygnia said the company itself was not a target of the investigation and that it was working closely with the FBI.