WTF?! Federal prosecutors say a ransomware negotiator exploited the very channels used to manage cyberattacks, turning sensitive breach data into leverage for the hackers he was supposed to fight. That negotiator, Angelo Martino, 41, was sentenced to 70 months in prison after pleading guilty to conspiring with affiliates of the BlackCat ransomware operation.
Martino worked for DigitalMint, a firm that helps companies navigate ransomware incidents, including negotiating payments with attackers. In that role, he worked on active breach cases and had access to detailed information about victims, including ransom demands, insurance coverage, and internal negotiation strategies. According to prosecutors, he used that access to quietly assist the attackers.
Court filings describe how Martino communicated with BlackCat operators through multiple channels tied to the group's infrastructure. Alongside standard negotiation chats, he used a separate "intermediary" function within BlackCat's panel and the encrypted messaging platform Tox. Those channels enabled direct exchanges with attackers outside the victims' view.
"The purpose of these intermediary chat communications was to maximize the ransom payments paid by those victims to the BlackCat actors," prosecutors wrote. "This information provided by the defendant without the victims' knowledge included the victims' insurance policy limits and internal negotiation positions. In exchange for providing confidential information, the defendant received a portion of the ransomware payments in digital currency."
Prosecutors said the information helped shape ransom demands during negotiations. Between April and September 2023, five affected clients paid more than $75 million to BlackCat affiliates. Some of those payments were likely higher than they otherwise would have been because of the information Martino provided.

The victims included organizations across financial services, healthcare, retail, hospitality, and the nonprofit sector. In addition to the ransom payments, the attacks disrupted operations and, in some cases, affected service delivery.
Martino later obtained affiliate access to BlackCat's ransomware platform in May 2023. That access, typically reserved for trusted partners who deploy the malware, was shared with two co-conspirators, Kevin Martin and Ryan Goldberg.
"After the defendant obtained affiliate access, the defendant, Co-conspirator 1, and Co-Conspirator 2 agreed to, and did use the BlackCat ransomware and platform to attack and extort victims and share the ransom proceeds amongst themselves and with the BlackCat admin," the filing states.
Using those credentials, the group launched additional attacks beyond the incidents tied to Martino's clients. One targeted a medical device company that paid $1.2 million. Other victims did not pay but still experienced operational and financial fallout.

Prosecutors said Martino received millions of dollars in cryptocurrency tied to the scheme. While some of those assets were seized by the FBI, a portion had already been converted into purchases, including two homes, a boat, and several vehicles. He has been ordered to forfeit property and pay 10% of his income after his release.
Martino had asked for a shorter 24-month sentence, citing his cooperation with authorities in the prosecution of his co-conspirators. Martin and Goldberg were each sentenced to four years in prison earlier this year.
Law enforcement officials emphasized the breach of trust at the center of the case. "Angelo Martino sold out the very victims he was hired to represent, handing their confidential negotiating positions to BlackCat actors to drive up ransoms and enrich himself," said FBI Cyber Division Assistant Director Brett Leatherman.
BlackCat, also known as ALPHV, operates as a ransomware-as-a-service platform, providing malware and infrastructure to affiliates who carry out attacks and share proceeds. The group has been linked to a range of high-profile incidents, including the 2024 disruption of Change Healthcare's payment systems. The FBI said in 2023 that it developed a decryption tool for the ransomware and seized parts of the group's infrastructure. Affiliates continued operating after those actions.
DigitalMint said it was unaware of Martino's conduct and described itself as "also an unknowing victim." The company said it terminated the employees involved after being contacted by the Department of Justice and cooperated with investigators.
According to DigitalMint, Martino bypassed internal safeguards by using unauthorized communication channels that were not visible within its systems. The company said its controls were consistent with industry standards but that his actions were deliberately concealed.
The case highlights a risk in ransomware response: negotiators often work within systems controlled by attackers while handling sensitive data. Prosecutors said that access was used to benefit the attackers, not the victims.