BlackCat ransomware insider threat exposes negotiation firms’ security gaps

By Craig Nash
AI-powered tech writer covering artificial intelligence, chips, and computing.

A ransomware insider threat has exposed a critical vulnerability in the cybersecurity industry itself. Angelo Martino, 41, of Land O’Lakes, Florida, pleaded guilty in April 2026 to conspiracy to obstruct commerce by extortion after collaborating with BlackCat ransomware operators to maximize payouts from five separate victims. The case reveals how trusted negotiators and incident response professionals can weaponize confidential client information to amplify attacks—a betrayal that strikes at the heart of firms hired to protect against ransomware.

Key Takeaways

  • Ransomware insider threat: negotiator shared victim negotiation strategies and insurance limits with BlackCat operators without client knowledge
  • Three cybersecurity professionals—Martino, Ryan Goldberg, and Kevin Martin—conspired to deploy BlackCat ransomware from April to December 2023
  • The scheme extracted approximately $1.2 million in Bitcoin from one victim, which the conspirators split and laundered
  • Martino faces up to 20 years in prison, with sentencing scheduled for July 9, 2026; Goldberg and Martin pleaded guilty earlier and await sentencing
  • All three defendants worked in cybersecurity roles at incident response firms, giving them privileged access to client vulnerabilities and negotiation tactics

How the Ransomware Insider Threat Unfolded

Martino began collaborating with BlackCat in April 2023 while employed as a negotiator at DigitalMint, a U.S.-based cyber incident response company. Rather than protecting clients, he systematically betrayed them. Working as a negotiator on behalf of five different ransomware victims, Martino provided BlackCat attackers with confidential information about the negotiating position and strategy of his company’s clients without the clients’ or his employer’s knowledge or permission. He shared insurance policy limits, internal negotiation positions, and tactical strategies—precisely the intelligence an extortion gang needs to know when to hold firm and when victims can pay more.

BlackCat compensated Martino for this intelligence, creating a financial incentive to maximize harm. This ransomware insider threat was not a moment of weakness or coercion—it was a calculated business arrangement. Martino weaponized his role as a trusted intermediary, the very position designed to reduce ransom payments, and inverted it to increase them.

The Conspiracy Across Three Security Firms

Martino did not act alone. Ryan Goldberg, 40, of Georgia, worked as an incident response manager at Sygnia. Kevin Martin, 36, of Texas, also worked at DigitalMint alongside Martino. Between April 2023 and December 2023, all three men successfully deployed the ransomware known as ALPHV BlackCat against multiple U.S. victims. The irony is brutal: all three men worked in the cybersecurity industry—meaning that they had special skills and experience in securing computer systems against harm, including the type of harm they themselves were committing against the victims in this case.

The conspirators leveraged their insider knowledge to identify vulnerable targets, deploy malware, and orchestrate extortion with precision. From at least one victim, they extracted approximately $1.2 million in Bitcoin, which they split three ways and laundered to conceal the proceeds. Goldberg and Martin pleaded guilty in December 2025 and January 2026 respectively; both face up to 20 years in prison with sentencing expected in April 2026. Martino’s guilty plea in April 2026 sets his sentencing for July 9, 2026.

Why This Ransomware Insider Threat Matters Now

The case exposes a structural vulnerability in incident response and negotiation firms: they employ security professionals with intimate knowledge of client vulnerabilities, negotiation strategies, and financial capacity to pay ransoms. A single insider with criminal intent can amplify an attack’s impact exponentially. Unlike external attackers who must probe defenses blindly, insiders already know where the vulnerabilities are and how much a victim can afford to pay.

This is not the first time cybersecurity insiders have been recruited by ransomware gangs, but it is among the most damaging because it weaponizes the negotiation process itself. Victims hire firms like DigitalMint and Sygnia specifically to reduce ransom demands through skilled negotiation. When negotiators secretly work for the attackers, victims lose their only leverage. The ransomware insider threat transforms the negotiation table into an adversarial ambush.

What Happens to Victims and the Industry

The five victims Martino negotiated for paid inflated ransoms because they believed they were receiving expert advice to minimize payments. Instead, they were negotiating against an insider working to maximize demands. The financial and reputational damage extends beyond the immediate victims—it undermines trust in the entire incident response ecosystem.

For incident response and negotiation firms, the case is a wake-up call. Background checks, security clearances, and insider threat monitoring are now table stakes. Firms must implement compartmentalization so that no single employee has access to all client information. Monitoring tools that flag unusual data access patterns, particularly when employees download or share sensitive negotiation details with external parties, become critical. The ransomware insider threat is not a rare edge case—it is a predictable risk that firms should have anticipated and mitigated.
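
As an added example (not from the original article or from any firm it names), the compartmentalization and access-monitoring controls described above can be expressed as two rules run over a document audit log. The log schema, user names, case IDs and the domain ir-firm.example are constructed assumptions; because a negotiator assigned to a case passes the need-to-know rule, egress of negotiation-class documents is flagged separately.

```python
import json

# Constructed sample data: case assignments and audit events (all names hypothetical).
ASSIGNMENTS = {"case-101": {"alice"}, "case-102": {"bob"}}
SENSITIVE = {"negotiation_strategy", "insurance_limits"}
INTERNAL_DOMAIN = "ir-firm.example"

AUDIT_LOG = """\
{"ts":"2023-05-02T14:01:00Z","user":"alice","case":"case-101","doc_class":"negotiation_strategy","action":"view","dest":null}
{"ts":"2023-05-02T14:05:00Z","user":"alice","case":"case-102","doc_class":"insurance_limits","action":"view","dest":null}
{"ts":"2023-05-02T14:09:00Z","user":"bob","case":"case-102","doc_class":"insurance_limits","action":"share","dest":"bob@ir-firm.example"}
{"ts":"2023-05-02T14:12:00Z","user":"bob","case":"case-102","doc_class":"negotiation_strategy","action":"share","dest":"x@mail.example"}
{"ts":"2023-05-02T14:20:00Z","user":"bob","case":"case-102","doc_class":"timeline","action":"download","dest":null}
"""

def is_external(dest):
    """True when a share destination is outside the firm's mail domain."""
    return bool(dest) and dest.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN

def evaluate(event):
    """Return the names of the rules this audit event violates."""
    findings = []
    # Rule 1 (compartmentalization): only staff assigned to a case may touch it.
    if event["user"] not in ASSIGNMENTS.get(event["case"], set()):
        findings.append("unassigned_case_access")
    # Rule 2 (egress): negotiation-class documents downloaded or shared externally.
    egress = event["action"] == "download" or (
        event["action"] == "share" and is_external(event["dest"]))
    if event["doc_class"] in SENSITIVE and egress:
        findings.append("sensitive_egress")
    return findings

def scan(log_text):
    """Parse a JSON-lines audit log; return (ts, user, case, findings) per flagged event."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = evaluate(ev)
        if hits:
            alerts.append((ev["ts"], ev["user"], ev["case"], hits))
    return alerts

if __name__ == "__main__":
    for alert in scan(AUDIT_LOG):
        print(alert)
```
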

What sentence will Martino face for the ransomware insider threat?

Martino pleaded guilty to one count of conspiracy to obstruct, delay, or affect commerce or the movement of any article or commodity in commerce by extortion. He faces a maximum of 20 years in federal prison, with sentencing scheduled for July 9, 2026.

How did the ransomware insider threat scheme distribute the stolen Bitcoin?

The three conspirators split the approximately $1.2 million in Bitcoin extracted from one victim three ways and then laundered the proceeds to conceal their involvement. The scheme operated from April 2023 through December 2023.

Why are cybersecurity professionals vulnerable to recruitment by ransomware gangs?

Cybersecurity professionals working in incident response and negotiation roles have access to high-value intelligence: client vulnerabilities, negotiation strategies, insurance policy limits, and financial capacity to pay ransoms. Ransomware gangs actively recruit insiders because that intelligence multiplies the effectiveness of attacks and eliminates victim leverage in negotiations.

The Martino case is a watershed moment for the incident response industry. It proves that insider threats are not hypothetical—they are active, profitable, and devastating. Firms that fail to implement robust insider threat monitoring, data compartmentalization, and employee vetting will face similar breaches. For victims, the lesson is harder: even the professionals hired to protect them cannot always be trusted. Verification, oversight, and skepticism of negotiation advice are now survival skills in the ransomware era.

This article was written with AI assistance and editorially reviewed.

Source: TechRadar
