What happened
Angelo Martino, 41, of Land O’Lakes, Florida, has pleaded guilty to conspiring with the BlackCat ransomware operation to extort the very clients he was hired to protect. Working as a ransomware negotiator starting in April 2023, Martino passed confidential information about his clients’ insurance policy limits and internal negotiation positions to BlackCat operators without his clients’ or employer’s knowledge, enabling the gang to extract higher ransoms.
Martino worked alongside two other incident responders, Ryan Goldberg and Kevin Martin. Goldberg was an incident response manager at cybersecurity firm Sygnia; Martino and Martin both worked for DigitalMint. Between April and November 2023, the three collaborated to deploy BlackCat ransomware against multiple U.S. victims. In one case, they extorted a victim for approximately $1.2 million in Bitcoin and split the proceeds before laundering the funds through various means. Authorities seized $10 million in assets from Martino, including digital currency, vehicles, a food truck, and a luxury fishing boat.
Martino pleaded guilty to one count of conspiracy to obstruct, delay, or affect commerce by extortion and is scheduled to be sentenced on July 9, 2026, facing up to 20 years in prison. Goldberg and Martin pleaded guilty in December 2025 and are expected to be sentenced later this month.
Who is affected
The five ransomware victims whose negotiation strategies and insurance limits were secretly shared with attackers suffered direct financial harm. The broader incident response industry is also affected, as the case undermines the trust clients place in external responders during their most vulnerable moments.
Why CISOs should care
This is a supply chain and insider threat problem wrapped inside a cybercrime case. The attackers did not need to break through additional defenses to maximize their ransom demands. They had a man on the inside of the victim’s own response team, feeding live intelligence about exactly how much the victim was willing to pay and what their insurance would cover.
For security leaders, the implication is uncomfortable but necessary: the third parties you bring in during an incident have access to information that could be weaponized against you. Vet incident response partners carefully, limit what information any single responder can access, and consider whether your negotiation strategy is being shared more broadly than it needs to be.
3 practical actions
- Vet incident response and negotiation firms with the same rigor as any privileged vendor: Conduct due diligence on the firms and individual responders you engage during ransomware incidents, including background checks and conflict-of-interest reviews, before sharing sensitive information about insurance coverage or negotiation strategy.
- Limit disclosure of insurance policy limits and internal negotiation positions: Treat this information as need-to-know and consider structuring incident response engagements so that individual responders do not have visibility into the full financial picture unless operationally necessary.
- Establish independent oversight of ransomware negotiations: Where possible, have a separate internal team or legal counsel monitor negotiations in parallel rather than delegating full control to an external negotiator, creating a check against unauthorized disclosure or misalignment of interests.
Also in the news today:
-
- Dozens of Malicious Crypto Apps Land in Apple App Store
- Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000
- New Lotus Data Wiper Used Against Venezuelan Energy and Utility Firms
- Italian Regulator Fines National Postal Service Organizations $15 Million for Data Privacy Violations
- Unsecured Perforce Servers Expose Sensitive Data From Major Organizations
- NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs