- What: Angelo Martino, 41, a ransomware negotiator hired by five victim companies, was sentenced to 70 months for secretly feeding BlackCat operators his clients' insurance policy limits and negotiation positions in exchange for a share of the ransoms.
- Impact: Victims paid inflated ransoms because the attackers knew exactly how much they could extract, and two co-conspirators from DigitalMint and Sygnia went further, deploying BlackCat ransomware against U.S. victims between April and November 2023.
- Fix / mitigation: There is no patch for betrayed trust; the mitigation is structural — vet and compartmentalize ransomware negotiators, keep insurance limits on strict need-to-know, and demand victim-controlled communication channels during any negotiation.
- Who's at risk: Any organization that hires external incident response or ransom negotiation help in a crisis, and any cyber-insured company whose policy limits would be gold to an extortionist.
When ransomware detonates, a victim company hands one person almost everything: its financial ceiling, its insurance coverage, its desperation. That person is the negotiator. On July 10, The Hacker News reported that Angelo Martino, 41, of Land O'Lakes, Florida, was sentenced to 70 months in U.S. federal prison for turning that position into a weapon. Hired as a negotiator by five different ransomware victims, Martino secretly fed the BlackCat operators on the other side of the table his clients' confidential negotiating positions and insurance policy limits, then took a cut of the ransoms he helped inflate.
Federal prosecutors called him a 'double agent working to maximize the harm to his clients and the financial gain to cybercriminals who paid him a part of the ransom.' Martino pleaded guilty in April to a one-count information charging him with conspiring to interfere with interstate commerce through extortion. 'Angelo Martino's victims shared heartbreaking accounts of how their businesses were nearly destroyed, while the people they hired to help them instead betrayed them to ransomware gangs,' said Assistant Attorney General A. Tysen Duva of the Justice Department's Criminal Division.
The double-agent playbook
Understand what this leak actually did. A ransomware negotiation is a bluffing game, and the victim's only leverage is uncertainty: the attackers don't know how much the company can really pay. Insurance policy limits and internal walk-away numbers are the whole hand. Martino handed BlackCat that hand for all five clients, without their knowledge or permission. The operators could anchor demands at or near the policy limit and hold firm, knowing every counteroffer was theater. The victims weren't negotiating; they were being priced.
It went beyond leaking — insiders deployed the ransomware
The second half of the case is worse. Martino also colluded with Ryan Goldberg, 41, of Georgia, and Kevin Martin, 36, of Texas, to deploy BlackCat ransomware against multiple U.S. victims between April 2023 and November 2023. Martino and Martin were both employed at DigitalMint; Goldberg was working as an incident response manager at cybersecurity firm Sygnia. Goldberg and Martin pleaded guilty last December and were each sentenced to four years in prison in May 2026. Three security professionals, two established firms, one criminal enterprise operating from inside the industry built to stop it.
Every entity in this conspiracy sat inside the incident response trust boundary: a ransom negotiator and two employees of legitimate security firms, one an IR manager. Victims' standard diligence — hire reputable help, follow the playbook — was exactly the vector.
Follow the money
Law enforcement has seized $10 million in assets from Martino to date, including digital currency, vehicles, a food truck, and a luxury fishing boat bought with illicit proceeds. A restitution hearing is set for September 17, 2026. 'He was hired to help victims in a moment of crisis,' said U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida. 'This case sends a clear message: we will pursue the hackers who deploy ransomware, the insiders who enable them, and the money they steal from American victims.' FBI Cyber Division Assistant Director Brett Leatherman put it more bluntly: Martino 'sold out the very victims he was hired to represent.'
The RedEye take
This is not a one-bad-apple story, and treating it as one is the mistake. Ransom negotiation grew into a professional niche almost overnight, funded by cyber insurance, operating in crisis conditions, with essentially zero structural oversight. The incentive gradient was always there: the person with the most complete picture of a victim's ability to pay works one anonymous message away from the people setting the price. Martino, Goldberg, and Martin are the first insiders caught monetizing that gradient at scale; it is optimistic to assume they were the only ones. The DOJ deserves credit for prosecuting the enablers and clawing back $10 million rather than stopping at the operators. But the industry should not wait for the next indictment to fix what this case exposed — negotiation and IR firms need auditable controls on who sees victim financial data, and clients should demand proof of them.
What defenders should learn
- Treat negotiators and external IR as high-risk third parties, not saviors. Before crisis strikes, contract for conflict-of-interest attestations, personnel vetting, and audit rights over who at the firm accesses your case data.
- Compartmentalize your insurance policy limits. In this case that single number was the crown jewel. Keep it need-to-know even within your own response team, and never give a negotiator your true ceiling — give them a mandate.
- Insist all attacker communications run through channels your organization controls and logs. A negotiator whose side conversations you cannot observe is an unmonitored trust boundary in the middle of your worst day.
- Treat demands that anchor suspiciously close to your coverage limits as a leak indicator, not bad luck. If the attackers seem to know your numbers, someone told them.
- Bring the FBI in early. Beyond recovery help, law enforcement is an independent check on everyone else in the room — this case was built because investigators followed the insiders, not just the malware.
Ravie Lakshmanan, 'Ransomware Negotiator Gets 70 Months in Prison for Aiding BlackCat Attacks,' The Hacker News, July 10, 2026.
BlackCat itself is now defunct. The lesson of this case outlives it: the ransomware economy doesn't only recruit hackers, it recruits anyone positioned near the money. For five American companies, the most damaging actor in their breach wasn't the one who encrypted the files — it was the one they hired to make it stop.
Questions about your exposure?
RedEye Security provides assessments for organizations that need to understand their real risk.
Talk to us