Tuesday, April 21, 2026

Ransomware Negotiator Pleads Guilty: The BlackCat Insider Threat That Cost Victims $75 Million


Key Takeaways
  • Angelo John Martino III pleaded guilty on April 21, 2026 to secretly feeding BlackCat ransomware operators victims' insurance limits and negotiation strategies while posing as a legitimate negotiator.
  • A three-person conspiracy extracted more than $75 million in ransom payments from five victims between April and November 2023.
  • This is the third ransomware negotiator in approximately one year to face federal charges, exposing a systemic failure in an almost entirely unregulated industry.
  • AI-powered behavioral monitoring tools and strict data-sharing policies can detect and deter this type of insider betrayal before it costs your organization millions.

What Happened

Angelo John Martino III, 41, of Land O'Lakes, Florida, pleaded guilty on April 21, 2026 to one count of conspiracy to obstruct commerce by extortion — a federal charge known as a Hobbs Act conspiracy. He faces up to 20 years in prison, with sentencing scheduled for July 9, 2026.

Between April and November 2023, Martino worked as a ransomware negotiator — a professional hired to communicate with cybercriminals on behalf of victim organizations to lower ransom demands and manage the recovery process. On the surface, it sounds like a valuable service. In practice, Martino was simultaneously feeding critical intelligence to BlackCat/ALPHV operators, including victims' cyber insurance policy limits and real-time negotiation strategies. He was essentially a double agent sitting at your crisis management table.

He operated as part of a three-person conspiracy alongside Ryan Goldberg of cybersecurity firm Sygnia and Kevin Martin of cryptocurrency payment firm DigitalMint. Together, the scheme extracted more than $75 million in total ransom payments from five separate victims: $26.8 million from a nonprofit organization, $25.6 million from a financial services firm, $16.5 million from a hospitality company, and $6.1 million from a retailer. Law enforcement seized $10 million in assets from Martino alone — including digital currency, vehicles, a food truck, and a luxury fishing boat. Co-conspirators Goldberg and Martin each pleaded guilty in December 2025 and forfeited $324,123.26 apiece.

Critically, this is the third ransomware negotiator within approximately one year to face federal charges for an identical type of insider betrayal scheme — a fact that transforms what might seem like an isolated scandal into a serious, systemic industry problem.


Why It Matters for Your Organization's Security

This case does more than expose one corrupt individual. It tears open a vulnerability that every organization relying on third-party vendors during a crisis must confront immediately: the insider threat. According to 2024 data, the average annual cost of insider-related incidents reached $16.2 million per organization — up 40% from $11.45 million in 2020. Even more alarming, 76% of organizations experienced insider attacks in 2024, compared to 66% in 2019. Insider threats are accelerating, and the ransomware negotiation industry represents one of their most dangerous — and least scrutinized — frontiers.

BlackCat/ALPHV, which emerged in late 2021 as a ransomware-as-a-service (RaaS — a criminal business model where operators rent out malware tools to affiliates who execute the attacks) operation, had already compromised over 1,000 victims and collected nearly $300 million in ransom payments by September 2023. The group is widely believed to be a reconstitution of the notorious REvil operators and was responsible for major attacks including a $100 million operational impact on MGM Resorts, a $15 million ransom paid by Caesars Entertainment, and the catastrophic 2024 Change Healthcare breach that resulted in a $22 million ransom payment. The FBI disrupted BlackCat's infrastructure in December 2023 — releasing a decryption tool that saved victims an estimated $68 million in ransoms — but the group's willingness to leverage insider access illustrates why disrupting technical infrastructure alone is never enough.

From a data protection standpoint, what made Martino's betrayal so catastrophically effective was simple: he handed attackers your negotiating ceiling. When your cyber insurance policy limits are disclosed to ransomware operators, they know exactly how much to demand. Victims of this scheme were almost guaranteed to pay at or near their maximum insured amount. Treating your insurance details as classified information is now a non-negotiable element of sound data protection policy.

The DOJ's January 2026 Skadden alert acknowledged "a considerable increase in governmental scrutiny of individuals and vendors involved in each step of the ransomware attack response process." CyberScoop described the broader industry problem as operating on "the thin line between saving a company and funding a crime — with no structural safeguards preventing negotiators from playing both sides." DigitalMint CEO Jonathan Solomon stated the DOJ informed the company of the allegations in April 2025 and Martino "was terminated the next day," adding the company found "no evidence of other criminal conduct beyond what is reflected in the charging documents" — a reminder that even reputable firms can harbor bad actors.

The silver lining in broader ransom data is that organizations are pushing back more effectively. The median ransom payment fell 50% year-over-year to $1 million in 2025. Only 29% of victims paid the full initial demand, though 49% still paid something to recover their data. This suggests that strong incident response planning — including verified, trustworthy negotiators — materially reduces financial exposure. Cybersecurity best practices must now explicitly include third-party vendor vetting as a core component of ransomware preparedness. Threat intelligence programs that monitor vendor behavior during active incidents are no longer optional — they are essential. Security awareness training should extend beyond phishing simulations to educate executives and legal teams about third-party risk at the negotiating table.

The AI Angle

This case illustrates precisely where AI-driven security tools deliver measurable, immediate value — not just at the perimeter, but inside your own incident response process.

Modern behavioral analytics platforms such as Microsoft Sentinel's User and Entity Behavior Analytics (UEBA — software that establishes normal patterns of user activity and flags deviations) or Darktrace's Cyber AI Analyst are built to detect anomalous insider behavior that human analysts routinely miss. In a scenario like Martino's, these tools could flag unusual data access outside a negotiator's defined scope, unexpected communications with unknown external endpoints, or suspicious timing of information requests during an active incident. Threat intelligence platforms enhanced by machine learning can cross-reference negotiation communications against known threat actor tactics and dark web chatter in near real-time, raising alerts when an advisor's behavior mirrors known attacker coordination patterns.

Integrating AI-powered monitoring into your security awareness and incident response workflows creates an automated, objective oversight layer that does not depend on human trust alone. When it comes to data protection, AI can watch every step of your breach response — not just your network perimeter. That is a capability no human team can replicate at scale.

What Should You Do? 3 Action Steps

1. Vet Ransomware Response Vendors Before You Need Them

Do not wait until you are under attack to research negotiators and incident response firms. Conduct background checks, verify credentials through independent sources, and check for prior litigation or disciplinary history. Ask for client references you can contact directly — not just names provided by the vendor. Establish a pre-approved vendor list as a documented component of your cybersecurity best practices policy. The time pressure of an active ransomware event makes it almost impossible to conduct thorough due diligence in the moment, and attackers know it.

2. Implement a Strict Data Protection Policy for Incident Information

Never disclose your cyber insurance policy limits to any negotiator unless your legal counsel has explicitly approved it in writing. Treat insurance details, internal recovery timelines, and system architecture information as classified during any ransomware event. Implement a formal need-to-know data protection protocol for all incident-related information and require your legal team — ideally using attorney-client privilege protections — to oversee all third-party communications. Document every piece of information shared with external vendors from the first moment of engagement. This documentation becomes critical evidence if insider betrayal is later suspected.
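The need-to-know protocol above is easy to state and hard to enforce under pressure. The following is an added example (not code from this article or from any vendor) of a small disclosure gate: the data classes the article calls classified can only be released to an external vendor once counsel's written approval is on record, and every request, granted or denied, lands in an append-only ledger that can be pulled later if betrayal is suspected. The vendor name, data classes, requester and memo reference are all constructed.

```python
"""Need-to-know disclosure gate for incident information.

Added example, not code from the article or any vendor. It models the
policy in Action Step 2: insurance limits, recovery timelines and system
architecture are classified during an incident, may be released to an
external vendor only after written approval from legal counsel, and every
request (granted or denied) is written to a ledger for later review.
Vendor names, data classes and approval references are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data classes that require written legal approval before any external release
# (assumed policy classes; adapt to your own data protection policy)
CLASSIFIED = {"insurance_policy_limit", "recovery_timeline", "system_architecture"}


@dataclass
class DisclosureLedger:
    approvals: dict = field(default_factory=dict)  # (vendor, data_class) -> memo reference
    entries: list = field(default_factory=list)    # append-only audit trail

    def _log(self, event, **detail):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **detail}
        self.entries.append(entry)
        return entry

    def approve(self, vendor, data_class, counsel, memo_ref):
        """Record counsel's written approval; memo_ref identifies the written memo."""
        self.approvals[(vendor, data_class)] = memo_ref
        self._log("legal_approval", vendor=vendor, data_class=data_class,
                  counsel=counsel, memo_ref=memo_ref)

    def request(self, vendor, data_class, item, requested_by):
        """Return True if `item` may be sent to `vendor`; log the decision either way."""
        memo = self.approvals.get((vendor, data_class))
        allowed = data_class not in CLASSIFIED or memo is not None
        self._log("disclosed" if allowed else "denied", vendor=vendor,
                  data_class=data_class, item=item, requested_by=requested_by,
                  memo_ref=memo)
        return allowed

    def denied_for(self, vendor):
        """Classified items a vendor asked for and was refused. Repeated requests
        for insurance limits are exactly the pattern a reviewer should look at."""
        return [e for e in self.entries
                if e["event"] == "denied" and e["vendor"] == vendor]


def demo():
    """Walk one vendor through a denied request, an approval, and a granted request."""
    ledger = DisclosureLedger()
    vendor = "negotiator-vendor.example"   # constructed vendor name
    first = ledger.request(vendor, "insurance_policy_limit",
                           "cyber policy aggregate limit", "ir-lead")
    ledger.request(vendor, "incident_chat_transcript",
                   "actor chat export 06-14", "ir-lead")   # not classified: allowed
    ledger.approve(vendor, "insurance_policy_limit", "outside-counsel", "LEGAL-MEMO-0001")
    second = ledger.request(vendor, "insurance_policy_limit",
                            "cyber policy aggregate limit", "ir-lead")
    return ledger, first, second


if __name__ == "__main__":
    ledger, first, second = demo()
    print("before approval:", first, "| after approval:", second)
    for entry in ledger.entries:
        print(entry["event"], entry.get("data_class"), entry.get("memo_ref"))
```

The gate deliberately has no override flag: if counsel has not signed off, the only way to release a classified item is to record the approval first, which is what makes the ledger useful evidence later.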

3. Deploy AI-Powered Insider Threat Monitoring During Active Incidents

Activate behavioral monitoring tools that track all vendor and user activity the moment an incident is declared. UEBA-capable solutions can detect anomalous patterns — such as a negotiator accessing files outside their scope or communicating with unknown endpoints — in near real-time. Pair technology with a clear incident response protocol that mandates independent review of all third-party advisor recommendations. Establish a chain-of-custody process for all ransom-related decisions, requiring sign-off from legal counsel, your CISO (Chief Information Security Officer — the executive responsible for cybersecurity strategy), and senior leadership before any payment is authorized. Cybersecurity best practices in 2026 demand that trust in crisis vendors be verified, not assumed.
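To make the behavioral checks in The AI Angle and Action Step 3 concrete, here is an added example of the kind of rule a UEBA tool applies to a vendor account during an incident. It is not code from this article, nor from Microsoft Sentinel or Darktrace; it runs three checks over constructed log lines: reads outside the negotiator's agreed scope, outbound connections to endpoints not on the engagement allowlist, and bursts of reads that look like bulk collection. The account name, paths, hostnames, timestamps and thresholds are all constructed.

```python
"""UEBA-style checks for a vendor account during an active incident.

Added example, not code from the article nor from any commercial UEBA
product. Three of the signals described in Action Step 3 are checked over
constructed log lines: (1) file access outside the negotiator's agreed
scope, (2) outbound connections to endpoints that are not on the
engagement allowlist, (3) bursts of reads that look like bulk collection.
Account names, paths, hosts, timestamps and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ts> user=<name> action=<type> <key>=<value>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: (?P<key>\w+)=(?P<val>\S+))?$"
)

# Engagement scope for each vendor account (assumed; set per contract).
# The actor negotiation portal is expected traffic for a negotiator and so is allowlisted.
SCOPE = {
    "neg.vendor": {
        "paths": ("/incident/IR-0421/shared/",),
        "endpoints": {"portal.negotiator-vendor.example", "actor-negotiation-portal.example"},
    }
}
BURST_COUNT, BURST_WINDOW = 3, timedelta(seconds=60)

# Constructed sample lines; one is deliberately malformed to exercise the parser
SAMPLE_LOG = """\
2023-06-14T02:13:05Z user=neg.vendor action=file_read path=/incident/IR-0421/shared/comms-transcript.txt
2023-06-14T02:13:40Z user=neg.vendor action=file_read path=/incident/IR-0421/legal/cyber-insurance-policy.pdf
2023-06-14T02:13:55Z user=neg.vendor action=file_read path=/incident/IR-0421/shared/timeline.md
2023-06-14T02:14:02Z user=neg.vendor action=net_connect dst=files.unknown-relay.example:443
2023-06-14T02:14:10Z user=neg.vendor action=net_connect dst=portal.negotiator-vendor.example:443
2023-06-14T02:14:30Z user=it.admin action=file_read path=/incident/IR-0421/legal/cyber-insurance-policy.pdf
not a log line
""".splitlines()


def parse(line):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze(lines):
    """Apply the three scope rules to every event from a monitored vendor account."""
    alerts = []
    reads = defaultdict(list)   # user -> timestamps of file reads seen so far
    for raw in lines:
        ev = parse(raw)
        if ev is None or ev["user"] not in SCOPE:
            continue           # only vendor accounts are monitored by these rules
        scope = SCOPE[ev["user"]]
        if ev["action"] == "file_read":
            path = ev["val"]
            if not path.startswith(scope["paths"]):
                alerts.append({"ts": ev["ts"], "user": ev["user"],
                               "rule": "out_of_scope_read", "detail": path})
            reads[ev["user"]].append(ev["ts"])
            recent = [t for t in reads[ev["user"]] if ev["ts"] - t <= BURST_WINDOW]
            if len(recent) == BURST_COUNT:   # fires when a window first reaches the threshold
                alerts.append({"ts": ev["ts"], "user": ev["user"], "rule": "bulk_read_burst",
                               "detail": f"{len(recent)} reads in {BURST_WINDOW.seconds}s"})
        elif ev["action"] == "net_connect":
            host = ev["val"].rsplit(":", 1)[0]
            if host not in scope["endpoints"]:
                alerts.append({"ts": ev["ts"], "user": ev["user"],
                               "rule": "unknown_endpoint", "detail": ev["val"]})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["user"], a["rule"], a["detail"])
```

On the sample lines the vendor account trips all three rules: the read of the insurance policy outside its shared folder, a burst of three reads inside one minute, and a connection to a relay host nobody allowlisted. The internal admin's read of the same policy file is not flagged, because the rules are scoped to vendor accounts; extending `SCOPE` to internal users is a matter of adding entries, not of new code.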

Frequently Asked Questions

How can I tell if my ransomware negotiator is secretly working with the attackers against my organization?

Watch for these warning signs: ransom demands that escalate toward your exact insurance policy limits, advice that consistently favors the attackers' preferred timeline, reluctance to document communications in writing, and pressure to pay quickly without exploring law enforcement decryption resources. Use AI-powered UEBA (behavioral monitoring) tools to track negotiator activity during the incident. Require all communications to be routed through your legal counsel and maintain a detailed audit trail of every vendor interaction. If a negotiator discourages you from contacting the FBI — a resource that saved victims an estimated $68 million during the BlackCat disruption in December 2023 — treat that as a serious red flag.

What steps should small businesses take right now to protect themselves from ransomware negotiator fraud?

Start by building a pre-vetted vendor list before any incident occurs — check references, run background checks, and verify credentials through independent channels. During an incident, implement a strict data protection policy: never share cyber insurance policy limits with any external party without legal oversight. Consider engaging a law firm experienced in cybersecurity to supervise the negotiation process, which adds attorney-client privilege protections to sensitive communications. Activate any behavioral monitoring tools you have during the incident, and always notify the FBI's Internet Crime Complaint Center (IC3) simultaneously with your insurer — law enforcement involvement often unlocks decryption tools and threat intelligence unavailable through commercial channels alone.

Are ransomware negotiation firms currently regulated or licensed by any U.S. government agency?

No. Ransomware negotiation is currently a largely unregulated industry in the United States, with no federal licensing requirements, mandatory background checks, or professional standards body. However, the DOJ's January 2026 Skadden alert signals a significant increase in federal scrutiny across all vendors involved in ransomware response — including negotiators, forensic firms, and cryptocurrency payment processors like DigitalMint. The guilty pleas of three negotiators within approximately one year suggest formal regulation may follow. Until it does, your organization must rely entirely on contractual protections, independent due diligence, and AI-powered oversight tools during incidents.

Why does sharing cyber insurance policy details with ransomware attackers cause victims to pay dramatically higher ransoms?

Ransomware operators anchor their demands to whatever ceiling they believe you can pay. When an insider like Martino disclosed insurance limits to BlackCat, the attackers knew precisely the maximum amount insurers would cover — and calibrated demands accordingly. This is why victims in the Martino scheme paid amounts including $26.8 million from a nonprofit and $25.6 million from a financial services firm, likely at or near their policy ceilings. Withholding insurance details creates genuine negotiating leverage. By contrast, when attackers are guessing at your true financial ceiling, they are forced to make concessions to avoid losing the payment entirely — a dynamic that helps explain why the median ransom payment fell 50% year-over-year to $1 million in 2025 among better-prepared organizations.

What are the most important incident response steps organizations should take in the first 24 hours of a ransomware attack?

Within the first hour: isolate affected systems immediately to prevent lateral movement (the spread of attackers through connected systems on your network), and activate your incident response plan. Simultaneously notify the FBI's IC3 and your cyber insurer — do not notify one without the other. Within the first six hours: engage a pre-vetted incident response firm and have your legal counsel in every communication from that point forward. Implement your data protection lockdown — restrict access to insurance details, system architecture, and recovery timelines. Within 24 hours: explore law enforcement decryption resources before authorizing any payment. The FBI's disruption of BlackCat's infrastructure in December 2023 released a decryption tool that saved an estimated $68 million in ransoms for victims who engaged law enforcement early. Security awareness training for your executive team should cover this timeline before an incident occurs, not during one.

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs.
