A Negotiator Who Played Both Sides
A South Florida man has admitted in federal court to one of the most audacious betrayals ever documented in the cybersecurity industry. Angelo John Martino III, 41, pleaded guilty to conspiring with multiple ransomware affiliates to attack and extort the very U.S. companies he was simultaneously representing as a ransomware negotiator for cryptocurrency compliance firm DigitalMint — all occurring in 2023, the Justice Department announced Monday.
Martino's scheme was uniquely predatory: by serving as a trusted intermediary between victim organizations and their attackers, he gained access to sensitive details that he then weaponized against his own clients. According to his plea agreement, he shared confidential information about victim companies' internal negotiating positions and insurance policy limits with BlackCat affiliates — intelligence that allowed those criminals to extract the maximum possible ransom payment.
How the Scheme Worked
Five U.S.-based companies hired DigitalMint and were assigned Martino to lead ransomware negotiations on their behalf. Unbeknownst to them, Martino was negotiating with himself and his co-conspirators. The victims spanned a range of sectors, including a nonprofit and companies in the hospitality, financial services, retail, and medical industries. All five ultimately paid a ransom.
Prosecutors revealed the staggering scale of the financial damage: Martino and his accomplices helped extort a combined $75.3 million in ransom payments across cases he was involved in. The largest single payment — nearly $26.8 million — came from an unnamed nonprofit. An unnamed financial services company paid nearly $25.7 million. A victim in the hospitality industry paid nearly $16.5 million in exchange for a decryptor and a commitment from the BlackCat affiliate not to publish stolen data. Two other victims Martino represented through DigitalMint paid $6.1 million and $213,000 respectively.
Chat Logs Reveal the Betrayal in Detail
Officials released excerpts from negotiation chats that illustrate precisely how Martino manipulated both sides of the discussions. During one incident response engagement, Martino privately told a BlackCat affiliate that the victim company's insurance carrier "was only approving small accounts." He then advised the affiliate: "Keep denying our offers and I will let you know once I find out the max the[y] want to pay."
Meanwhile, in a negotiation chat visible to both DigitalMint and the hospitality-sector victim, Martino played the role of a sympathetic advocate for the client, stating: "We don't know how you came up with your demand but we are losing money operationally and all of our loans are going to turnover on us this year at double the interest rates. We are able to give you $1 million now, which is a very serious offer."
Following Martino's behind-the-scenes coaching, the BlackCat affiliate responded through the visible chat: "Well, you can keep that for the penalties and lawsuits which are coming your way in case we expose you. Time is ticking — we know how much you can pay. Contact your insurance. We know about them also. Stop wasting time." The choreographed exchange was designed to apply maximum pressure while keeping Martino's role hidden from his client.
Co-Conspirators Also Named
Martino was not operating alone. He admitted to conspiring with Kevin Tyler Martin, another former ransomware negotiator at DigitalMint, and Ryan Clifford Goldberg, a former manager of incident response at Sygnia, to deploy BlackCat ransomware — also known as ALPHV — against five additional U.S. companies between April and November 2023. Martin and Goldberg pleaded guilty in December to participating in the ransomware attack series and are scheduled for sentencing on April 30.
DigitalMint itself is not accused of any knowledge of or involvement in the crimes. The company fired Martino the day after the Justice Department notified it of the investigation in April 2025.
Voices from Law Enforcement
"Angelo Martino's clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims. Instead, he betrayed them and began launching ransomware attacks himself by assisting cybercriminals and harming victims, his own employer, and the cyber incident response industry itself." — A. Tysen Duva, Assistant Attorney General, DOJ Criminal Division
"Ransomware victims turned to this defendant for help, and he sold them out from the inside." — Jason A. Reding Quiñones, U.S. Attorney for the Southern District of Florida
"The FBI works every day to dismantle the ransomware ecosystem. That includes apprehending key facilitators like Angelo Martino, who abused the trust placed in him as a private sector negotiator by collaborating with ransomware criminals." — Brett Leatherman, Assistant Director, FBI Cyber Division
Assets Seized, Sentencing Scheduled
Authorities have seized $10 million in assets and cryptocurrency wallets controlled by Martino. The seized property includes multiple vehicles, a food truck, and a 29-foot luxury fishing boat — all purchased using proceeds from his crimes. Law enforcement also seized two properties Martino owned in Nokomis, Florida: a bayfront home with an estimated value of $1.68 million and a second single-family home valued at approximately $396,000.
Martino surrendered to the U.S. Marshals in Miami in March and was released on a $500,000 bond. He pleaded guilty to conspiracy to obstruct, delay, or affect commerce or the movement of any article or commodity in commerce by extortion — a charge that carries a maximum sentence of 20 years in federal prison. His sentencing is scheduled for July 9.
The BlackCat/ALPHV Connection
The ransomware strain at the center of this case, ALPHV — commonly referred to as BlackCat — is one of the most destructive ransomware variants ever documented. It first appeared in late 2021 and was subsequently used in dozens of attacks targeting organizations in the healthcare sector. The group behind BlackCat also claimed responsibility for the February 2024 attack on Change Healthcare, a subsidiary of UnitedHealth Group. That attack resulted in a $22 million ransom payment and became the largest healthcare data breach on record, compromising data on approximately 190 million people.
A Warning for the Incident Response Industry
The Martino case exposes a largely unscrutinized corner of the cybersecurity ecosystem. Ransomware negotiation is a service offered by a growing number of private firms, and these backchannel discussions between victim companies and threat actors carry significant risks — risks that, as this case shows, can include insider betrayal at the highest level. While such extreme scenarios remain rare, the case underscores the need for greater oversight and accountability in the ransomware negotiation industry.
DigitalMint did not respond to a request for comment regarding Martino's guilty plea.
Source: CyberScoop