A ransomware negotiator insider threat has exposed one of the cybersecurity industry’s deepest vulnerabilities. Angelo Martino, 41, of Land O’Lakes, Florida, pleaded guilty on April 21, 2026, to conspiring with BlackCat ransomware operators and two co-conspirators to launch attacks against U.S. companies and extort millions in Bitcoin.
Key Takeaways
- Angelo Martino pleaded guilty to leaking victims’ insurance details to BlackCat ransomware operators in April 2026.
- Martino worked as a ransomware negotiator at DigitalMint, a cyber incident response company, while secretly aiding attackers.
- He shared confidential information from five victims, including insurance policy limits and internal negotiation strategies.
- The trio extorted one victim for approximately $1.2 million in Bitcoin and laundered proceeds through cryptocurrency.
- Authorities seized $10 million in assets from Martino, including digital currency, vehicles, and a luxury fishing boat.
How a Trusted Insider Became an Attacker
Martino’s role as a ransomware negotiator insider threat turned catastrophic when he began collaborating with BlackCat operators starting in April 2023. Working at DigitalMint, a U.S.-based cyber incident response company, Martino had access to confidential victim information that companies desperately wanted to protect. Instead of safeguarding that data, he weaponized it. According to the U.S. Department of Justice, Martino shared insurance policy limits, internal negotiation positions, and strategic details from five victims without their knowledge or his employer’s consent. BlackCat paid Martino for this intelligence, which allowed the gang to calculate exactly how much each victim could afford to pay in ransom.
This ransomware negotiator insider threat represents a calculated betrayal. U.S. Attorney Jason A. Reding Quiñones stated: “Ransomware victims turned to this defendant for help, and he sold them out from the inside”. The scheme was not opportunistic—it was deliberate. Martino worked with two co-conspirators: Ryan Goldberg, an incident response manager at Sygnia, and Kevin Tyler Martin, who also worked at DigitalMint. All three men possessed specialized cybersecurity knowledge that made their crimes especially damaging.
The Extortion Conspiracy and Asset Seizure
Between April 2023 and late 2023, Martino, Goldberg, and Martin did more than leak information—they actively deployed BlackCat ransomware against multiple U.S. victims themselves. The trio extorted one victim for approximately $1.2 million in Bitcoin, splitting the proceeds three ways and paying BlackCat’s administrators a 20% share for access to the ransomware and extortion portal. They laundered the stolen funds through cryptocurrency channels, attempting to hide the money trail.
Federal authorities moved swiftly to dismantle the operation. Martino faced charges of conspiracy to interfere with interstate commerce by extortion, intentional damage to protected computers, and related offenses. Goldberg and Martin pleaded guilty before Martino and each faces up to 20 years in prison. When agents executed search warrants and asset seizures, they recovered $10 million in assets from Martino alone, including digital currency holdings, vehicles, a food truck, and a luxury fishing boat. This seizure demonstrates the scale of illicit proceeds the trio generated.
A Systemic Industry Vulnerability Exposed
Martino’s guilty plea marks the third ransomware negotiator insider threat case prosecuted in the past year, signaling a troubling pattern. The cybersecurity incident response industry relies on trust—victims hire firms like DigitalMint and Sygnia to defend them during their most vulnerable moments. When insiders weaponize that trust, the entire ecosystem fractures. Assistant Attorney General A. Tysen Duva emphasized this betrayal: “Angelo Martino’s clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims. Instead, he betrayed them and began launching ransomware attacks himself by assisting cyber criminals and harming victims, his own employer, and the cyber incident response industry itself”.
What makes this ransomware negotiator insider threat particularly damaging is the information asymmetry it created. Victims negotiating with attackers believed they were haggling from a position of incomplete knowledge—that the attackers did not know their financial constraints. Martino shattered that assumption by providing BlackCat with precise insurance policy limits and negotiation strategies. This intelligence gave attackers an overwhelming advantage, allowing them to demand amounts that matched or exceeded what victims could actually pay. The scheme transformed ransomware negotiation from a haggling process into a calculated extraction based on insider intelligence.
What Happens Next
Martino’s guilty plea means he will face sentencing without a trial. He was initially identified as “Co-Conspirator 1” in an October 2025 indictment but was formally named in March 2026 when documents were unsealed. His sentence will likely reflect the severity of his crimes—conspiracy to extort, intentional computer damage, and money laundering—all compounded by his position of trust within the cybersecurity industry. Goldberg and Martin, who pleaded guilty earlier, are awaiting sentencing on similar charges.
The case underscores a critical vulnerability in cybersecurity firms: insider risk. Unlike traditional security breaches, which can be prevented with encryption and access controls, insider threats require vetting, monitoring, and institutional safeguards that many firms may still be developing. DigitalMint and Sygnia now face reputational damage and potential civil liability from victims who trusted them with sensitive information. The industry will likely respond with stricter background checks, compartmentalization of sensitive data, and monitoring systems designed to detect suspicious information access—but those measures come too late for the victims Martino betrayed.
FAQ
What is a ransomware negotiator insider threat?
A ransomware negotiator insider threat occurs when someone working within a cybersecurity or incident response firm secretly assists ransomware attackers by leaking victim information, negotiation strategies, or insurance details. This allows attackers to maximize ransom demands with insider knowledge.
How much money did Martino and his co-conspirators extort?
The trio extorted one documented victim for approximately $1.2 million in Bitcoin. Authorities seized $10 million in total assets from Martino, suggesting the full scope of illicit proceeds was substantially larger.
Why is this case significant for the cybersecurity industry?
This is the third ransomware negotiator insider threat case prosecuted in a year, revealing a systemic vulnerability in incident response firms. It demonstrates that trusted insiders with specialized cybersecurity knowledge can weaponize that expertise to harm the very clients they are hired to protect.
Angelo Martino’s guilty plea exposes a hard truth: the cybersecurity industry’s greatest vulnerability may not be external attackers, but trusted insiders willing to betray their clients for profit. As ransomware attacks continue to evolve, firms must recognize that background checks and access controls alone are insufficient—they need active monitoring, compartmentalization, and a culture of accountability to prevent the next insider from selling out their victims.
This article was written with AI assistance and editorially reviewed.
Source: Tom's Hardware
