SecureWorld News

Ransomware Negotiator Secretly Worked Both Sides—then Joined the Conspiracy

Written by Drew Todd | Thu | Apr 23, 2026 | 12:16 PM Z

A Florida man who worked as a ransomware negotiator at a U.S. cyber incident response firm has pleaded guilty to conspiring with the BlackCat/ALPHV ransomware group—feeding the attackers confidential information about his own clients while simultaneously negotiating on their behalf.

Angelo Martino, 41, of Land O'Lakes, Florida, admitted to providing BlackCat operators with clients' insurance policy limits and internal negotiation strategies without his employer's or clients' knowledge. The operators paid Martino for the intelligence, which they used to maximize ransom demands against five victims. He was supposed to be helping those same victims reduce what they paid.

From negotiator to affiliate

Martino's conduct went beyond leaking data. Beginning in April 2023, he conspired with Ryan Goldberg of Georgia and Kevin Martin of Texas to actively deploy BlackCat ransomware against U.S. targets. All three held cybersecurity industry roles—a fact the Department of Justice emphasized in its announcement.

After successfully extorting one victim for approximately $1.2 million in Bitcoin, the three men split their share of the ransom and laundered the proceeds through multiple channels. The conspiracy ran from April through November 2023.

To date, law enforcement has seized more than $10 million in assets from Martino, including digital currency, vehicles, a food truck, and a luxury fishing boat.

What officials said

Assistant Attorney General A. Tysen Duva of the DOJ's Criminal Division was direct about the nature of the betrayal, saying:

"Angelo Martino's clients trusted him to respond to ransomware threats and help thwart and remedy them on behalf of victims. Instead, he betrayed them and began launching ransomware attacks himself by assisting cyber criminals and harming victims, his own employer, and the cyber incident response industry itself."

U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida focused on the insider access angle and what the case signals to others, saying:

"Ransomware victims turned to this defendant for help, and he sold them out from the inside. He abused his position at a cyber incident response company to feed confidential information to BlackCat actors, helping them maximize ransom payments from American victims. He then went further, joining the conspiracy himself to deploy ransomware and profit from extortion."

FBI Cyber Division Assistant Director Brett Leatherman noted that the case reinforces a point the bureau has pushed for years: ransomware is not exclusively an offshore problem.

"His guilty plea demonstrates that, for all the international aspects of cybercrime, the threat is also here in the United States," Leatherman said, adding that Martino "abused the trust placed in him as a private sector negotiator by collaborating with ransomware criminals."

Charges, co-conspirators, and sentencing

Martino pleaded guilty to one count of conspiracy to obstruct, delay, or affect commerce by extortion, and faces a maximum of 20 years in prison. Sentencing is scheduled for July 9.

Goldberg and Martin separately pleaded guilty to the same charge in December 2025. Both are scheduled to be sentenced on April 30, and each faces the same 20-year maximum.

The FBI's Miami field office is leading the investigation, with assistance from the U.S. Secret Service. Trial Attorneys Christen Gallagher and Jorge Gonzalez of the DOJ's Computer Crime and Intellectual Property Section (CCIPS), along with Assistant U.S. Attorneys Thomas Haggerty and Quinshawna Landon for the Southern District of Florida, are prosecuting the case.

BlackCat context

The BlackCat/ALPHV group was one of the more prolific ransomware-as-a-service operations before law enforcement action in December 2023, when the FBI disrupted the group's infrastructure, developed a decryption tool, and seized several BlackCat-operated websites. That decryption tool allowed field offices and international partners to help hundreds of victims recover their systems, saving an estimated $99 million in ransom payments.

Martino's case is a reminder that insider threats in the incident response (IR) industry pose the same risks as elsewhere in the enterprise—potentially worse, given the privileged access those responders have during an active crisis.

Organizations that engage third-party ransomware negotiators or IR firms should consider what contractual, technical, and operational controls govern how sensitive negotiation data is handled and who has access to it.

The full DOJ press release is available here.
