The Double Agent: How a Florida Ransomware Negotiator Betrayed Clients for Millions

Angelo Martino, a former ransomware negotiator at DigitalMint, received a 70-month prison sentence for betraying clients by sharing their negotiating positions with BlackCat operators, helping extort $75.3 million from five victims. He also joined two other cybersecurity insiders in launching attacks. The case exposes risks in the ransomware response industry.
The Double Agent: How a Florida Ransomware Negotiator Betrayed Clients for Millions
Written by Ava Callegari

Angelo Martino once held a job meant to shield companies from digital predators. Instead he fed their secrets to the very criminals he was paid to outmaneuver. On Thursday a federal judge in Florida sentenced the 41-year-old to 70 months in prison. The penalty caps a case that exposed a startling vulnerability inside the growing industry of ransomware response.

Martino worked as a negotiator for DigitalMint, a Chicago-based cyber incident response firm. CyberScoop reported he had joined the company in 2022 after earlier stints at Booz Allen Hamilton, Tracepoint and TRM Labs. His expertise gave him access to victims’ insurance limits, internal discussions and bargaining strategies. He sold all of it.

Beginning in April 2023 Martino conspired with operators of the BlackCat, also known as ALPHV, ransomware strain. Court records show he provided confidential details on five separate victims. The goal was simple. Drive the ransom demands higher. Collect a cut. Prosecutors tallied the combined extortion at $75.3 million. A nonprofit paid roughly $26.8 million. A financial services firm handed over nearly $25.7 million. Hospitality companies and others contributed the rest.

But Martino didn’t stop at leaking information. He also teamed with two other cybersecurity professionals to launch their own attacks. Ryan Goldberg, 41, of Georgia, and Kevin Martin, 36, of Texas, both pleaded guilty in late 2025. Each received 48-month sentences in May. The trio deployed BlackCat against additional U.S. targets between April and November 2023. In one case they extracted about $1.2 million in Bitcoin. They split their 80 percent share three ways after paying the ransomware developers and laundering the proceeds.

The Justice Department laid out the scheme in stark terms. Its announcement quoted U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida. “He was hired to help victims in a moment of crisis. Instead, Martino betrayed them, fed their confidential negotiating positions to ransomware criminals, and helped squeeze them for more money.”

Assistant Attorney General A. Tysen Duva added that victims described businesses nearly destroyed. “The people they hired to help them instead betrayed them to ransomware gangs.” FBI Assistant Director Brett Leatherman put it bluntly. Martino “sold out the very victims he was hired to represent.”

The case stands out for its insider element. Ransomware has spawned an entire support economy. Insurance policies. Incident response teams. Professional negotiators who haggle with attackers over encrypted data and leaked files. Companies often pay. Government warnings against it have done little to slow the practice. And now one of the negotiators has been caught working both sides.

BlackCat itself operates as ransomware-as-a-service. Affiliates rent the malware and tools. Developers take a percentage. The gang gained notoriety for the 2024 breach of Change Healthcare that exposed medical and billing data of more than 192 million Americans. Affiliates behind that attack were never publicly identified. Martino’s dealings with the group predated that incident but followed the same profit model.

Federal investigators seized more than $10 million in cryptocurrency, vehicles, real estate and other assets from Martino. Among the purchases were a food truck and a luxury fishing boat. A restitution hearing is set for September. Martino had surrendered to authorities in March, posted a $500,000 bond and pleaded guilty in April to one count of conspiracy to interfere with interstate commerce by extortion. He faced up to 20 years.

DigitalMint said it had no knowledge of his actions. The firm terminated him immediately after learning of the federal probe in April 2025. Company officials stressed they maintain strict ethical standards and compliance controls.

Yet the damage ran deeper than any single employer. Victims told heartbreaking stories in court filings. Some faced near collapse. Others watched sensitive data hang in the balance while negotiators they trusted quietly tipped the scales toward the attackers. Martino’s sentencing memo, cited across coverage, described him as a “double agent” whose greed drove sustained betrayal of fiduciary duty.

And the pattern may not be isolated. Goldberg and Martin had worked in incident response and negotiation roles too. All three brought specialized knowledge gained defending organizations. They turned it against them. The Hacker News noted this marks the third such insider sentenced in connection with BlackCat. Earlier reports from SecurityWeek and others tracked the group’s evolution and eventual disruption by authorities in late 2023. That operation recovered tools and prevented an estimated $99 million in additional losses.

So what does this mean for companies staring down an attack? The ransomware negotiation business now carries new risks. Clients must vet their responders more aggressively. Contracts need tighter controls on information sharing. Insurance carriers may demand proof of internal safeguards. The entire response chain suddenly looks more porous than before.

Prosecutors emphasized the message. They will chase not only the hackers who encrypt files but the insiders who open the door wider. Martino’s 70 months won’t deter every opportunist. It does signal that the government sees the threat clearly. For an industry built on trust during crisis, that scrutiny arrives at a pivotal time.

Recent coverage underscores how quickly the story spread. TechCrunch’s own reporting on the conviction Friday highlighted the seized assets and the trio’s coordinated attacks. No new indictments surfaced in the past 24 hours, but the case continues to ripple through cybersecurity circles. Discussions on X focused on the betrayal angle, with security professionals expressing dismay at colleagues who crossed the line.

Martino’s fall reveals something fundamental. Technical skill alone doesn’t guarantee loyalty. When millions flow through encrypted chats and cryptocurrency wallets, the temptation can prove overwhelming. Organizations hiring external help in ransomware crises now face an added layer of due diligence. They must ask not only whether the negotiator can lower the demand but whether that negotiator will secretly raise it.

The sentence lands amid broader efforts to disrupt ransomware networks. BlackCat’s infrastructure took hits in 2023. Yet variants and copycats persist. The affiliate model spreads responsibility and complicates attribution. Insiders like Martino make the model even more potent. They bypass many external defenses because they sit inside the response itself.

Victims in this scheme spanned sectors. Nonprofits. Finance. Hospitality. Each suffered according to its ability to pay and the leverage the attackers held. Martino’s communications with co-conspirators reportedly included references to insurance policy caps and instructions on how to pressure for higher offers. Those details, drawn from court exhibits, painted a picture of calculated exploitation.

Federal authorities credited the FBI’s Miami field office as the lead investigator, supported by the Secret Service. Prosecutors from the Computer Crime and Intellectual Property Section and the Southern District of Florida built the case. The operation tied into a larger initiative known as Operation Riptide targeting ransomware activity.

In the end Martino’s story is one of opportunity seized and trust shattered. A professional tasked with reducing harm chose to amplify it. His prison term, asset forfeiture and the public airing of victim statements serve as both punishment and warning. For the ransomware response sector, the conviction forces a reckoning. Expertise is valuable. Integrity, it turns out, is priceless.

Subscribe for Updates

SecurityProNews Newsletter

News, updates and trends in IT security.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us