Ransomware Negotiator Pleads Guilty to Working as Double Agent for Cybercriminals

The trust relationship between a victim of a cyberattack and the professional hired to resolve it is absolute. When a company is locked out of its own servers, the ransomware negotiator is the lifeline—the only bridge between the boardroom and the anonymous hackers demanding millions. But in a case that has sent shockwaves through the cybersecurity industry, that bridge was actually a conduit for the attackers.

Angelo John Martino III, a former ransomware negotiator, has pleaded guilty to conspiring with cybercriminals to extort the very companies he was paid to protect. In a betrayal of professional ethics that borders on the cinematic, Martino acted as a double agent, feeding confidential corporate data to the BlackCat (also known as ALPHV) ransomware gang to ensure the attackers could squeeze every possible cent from their victims.

The U.S. Department of Justice announced the guilty plea on Monday, April 20, 2026, detailing a scheme where Martino leveraged his insider access to sabotage negotiations and maximize payouts for the criminals. The case exposes a critical vulnerability in the incident response ecosystem: the human element of trust in the high-stakes world of ransomware mediation.

The Double Agent: How the Betrayal Worked

Martino, 41, of Land O’Lakes, Florida, was employed in 2023 by DigitalMint, a cyber incident response firm and cryptocurrency broker. DigitalMint is tasked with helping victims navigate the complex and often terrifying process of negotiating ransom payments and facilitating the transfer of cryptocurrency to decrypt their data.

From Instagram — related to Double Agent, Department of Justice

According to the U.S. Department of Justice, Martino abused his role to provide BlackCat/ALPHV hackers with sensitive, confidential information about his clients. This was not a simple leak; it was a strategic intelligence operation. Martino shared the internal negotiating positions of the victims and, crucially, the limits of their cyber insurance policies. By knowing exactly how much a company could afford to pay, the BlackCat operators could set their demands at the absolute ceiling, removing the negotiator’s primary lever: the claim that the company simply didn’t have the funds.

The betrayal extended beyond just leaking information. Reports indicate that Martino worked with two other cybersecurity professionals to actively deploy BlackCat ransomware. This transforms the case from one of passive complicity to active participation in the attacks. The other individuals involved were identified as 33-year-old Ryan Clifford Goldberg and 28-year-old Kevin T. [Name truncated/unverified in primary snippets], who were associated with DigitalMint and Sygnia, respectively.

The BlackCat Connection

The BlackCat (ALPHV) ransomware variant is one of the most sophisticated and aggressive in the world. It utilizes a “ransomware-as-a-service” (RaaS) model, where the core developers lease the software to “affiliates” who carry out the actual attacks. By partnering with BlackCat, Martino wasn’t just helping a single group; he was integrating himself into a global criminal infrastructure.

The motive was financial. Martino was paid by the ransomware gang for the intelligence he provided. While the exact amount of his personal kickbacks has not been fully detailed in the initial plea announcements, the overall scale of the extortion was massive. Some reports indicate the scheme helped the gang extort tens of millions of dollars from U.S. Companies.

Why This Matters for the Cybersecurity Industry

For most companies, hiring a ransomware negotiator is a standard part of a disaster recovery plan. These experts are expected to be the “adults in the room,” providing a buffer between the victim and the attacker. The Martino case shatters that assumption, introducing a new layer of risk: the “insider threat” within the response team itself.

This case highlights several systemic issues in how companies handle cyber crises:

  • Concentration of Trust: Companies often hand over their most sensitive financial and legal data to a third-party negotiator without sufficient vetting of that individual’s ongoing activities.
  • The Crypto-Broker Loophole: Because ransomware payments often require specialized knowledge of cryptocurrency mixers and wallets, a small number of brokers hold immense power over the transaction process.
  • Lack of Oversight: The fact that Martino could operate as a double agent for an extended period suggests a lack of rigorous auditing and monitoring within the incident response firms involved.

The Impact on Future Negotiations

Moving forward, the “trust but verify” model will likely be replaced by a “verify then trust” approach. Corporations may begin demanding more transparency regarding the background checks and monitoring of the specific individuals—not just the firms—assigned to their cases. There is also likely to be increased pressure on the Department of Justice and the FBI to map the financial ties between “legitimate” cybersecurity consultants and the RaaS affiliates they negotiate with.

🛡️ Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023 #Shorts

Key Takeaways from the Martino Case

Case Summary: U.S. V. Angelo Martino III
Detail Verified Information
Defendant Angelo John Martino III, 41, Florida
Employer DigitalMint (Cyber Incident Response)
Primary Adversary BlackCat / ALPHV Ransomware Gang
Core Crime Conspiring to commit ransomware attacks and extortion
Method Leaking insurance limits and negotiating positions to attackers
Timeline Activities occurred primarily in 2023; Guilty plea April 2026

What Happens Next?

The guilty plea is only the first step in the legal process. Martino now faces sentencing, which will likely depend on the total amount of financial loss attributed to his actions and the extent of his cooperation with federal investigators. The DOJ is likely interested in using Martino to further infiltrate or map the BlackCat affiliate network, which has historically been tricky to dismantle due to its decentralized nature.

What Happens Next?
Ransomware Negotiator Pleads Guilty Companies Angelo Martino

For the victims—the U.S. Companies that were betrayed by their own consultant—the path to recovery is complicated. They may have legal grounds for civil litigation against DigitalMint for failing to supervise their employee, though the primary focus remains the recovery of data and the securing of their networks.

The next confirmed checkpoint in this legal saga will be the sentencing hearing for Angelo Martino III. While a specific date has not been widely publicized in the initial reports, the proceedings will follow the standard federal court timeline for conspiracy and extortion charges.

Do you think the cybersecurity industry needs stricter federal licensing for ransomware negotiators? We want to hear your thoughts on the “insider threat” in incident response. Share this article and join the conversation in the comments below.

Leave a Comment