threat_intelligence633 wordsRead on Arc Codex

The inside job that cost ransomware victims millions

When a ransomware crew locks up your servers, the outside negotiator you hire has to know everything about you so that they can negotiate a smaller ransom payment. You tell them what your cyber-insurance covers and what your board is willing to pay. You have to. That’s the whole reason you hire one. But what if your trusted negotiator is a crook? Angelo Martino, a 41-year-old ransomware negotiator at Chicago-based incident response firm DigitalMint, spent seven months in 2023 handling all of that information. But instead of using it to help minimize damage for his company’s clients, he passed it straight to the BlackCat ransomware gang that was extorting them. In exchange, he got a cut of the criminal proceeds. He was sentenced on July 3 to 70 months in federal prison for conspiracy to interfere with interstate commerce by extortion. The private chat tab Beginning in April 2023, Martino used an intermediary chat channel—one his employer couldn’t see—to relay clients’ confidential material to negotiators for the BlackCat/ALPHV ransomware gang. That enabled him to pass along valuable information about clients’ cyber-insurance policy limits and their internal discussions about negotiations. In short, he told the attackers what to ask for. They asked for a lot. Five DigitalMint clients whose negotiations Martino handled paid ransoms of between $213,000 and $26.8 million between April and September 2023, totalling more than $75 million. The victims included a hospitality company, a nonprofit, a financial services company, a retail company, and a medical company. All of them had hired DigitalMint to help them. In one case, Martino told DigitalMint that he was sending a client’s ransom offer to the attackers while secretly telling the ransomware gang the client would pay $2 million more. The client ultimately paid the extra money because of his actions. Then it got worse Feeding intelligence to BlackCat apparently wasn’t enough. In May 2023, Martino signed up as a BlackCat affiliate himself and shared that access with fellow DigitalMint negotiator Kevin Martin and Sygnia incident response manager Ryan Goldberg. The three had been conspiring since the previous year to run this operation, before DigitalMint even hired Martin. The trio began deploying BlackCat directly against additional victims. Their takings included $1.2 million from a medical device company. Martin and Goldberg were each sentenced to four years in prison in April 2026. Authorities also seized roughly $10 million in assets from Martino, including cryptocurrency, vehicles, a food truck, and a luxury fishing boat. He didn’t exactly fly under the radar. BlackCat was a particularly nasty ransomware operation. It targeted healthcare facilities and even published photos of victims’ breast cancer imaging. After law enforcement disrupted the gang’s infrastructure in December 2023, the FBI released a decryption tool to help victims recover their files. Vetting and monitoring need improvement DigitalMint says it didn’t know about the scheme and that Martino deliberately hid his actions from the company. Along with Sygnia, it fired the employees after the Department of Justice told them about the crimes. We have no reason to dispute the companies’ claims of ignorance, and neither did the court. That’s arguably more worrying because it means whatever vetting and monitoring procedures the organizations had in place failed to uncover a seven-month criminal conspiracy involving three insiders across two different companies. You could argue that Martino got off lightly. Federal sentencing guidelines recommended between six and 7.25 years in prison, and prosecutors had asked for a sentence somewhere in the middle of that range. Either way, he’ll spend much of the rest of the decade behind bars. A hearing to determine how much he’ll have to pay in restitution is scheduled for September 17. We don’t just report on threats—we remove them Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

How it works

Once you click Generate, Ollama reads this article and crafts 5 comprehension questions. Your answers are graded against the article content — general knowledge won't be enough. Score 70+ to count toward your certificate.

Questions are cached — you'll always get the same 5 for this article.