"Instead, he betrayed them and began launching ransomware attacks himself by assisting cybercriminals and harming victims, his own employer, and the cyber incident response industry itself," said assistant attorney general A. Tysen Duva of the Justice Department’s Criminal Division.
Angelo Martino: the guilty plea and admitted role
Angelo Martino, 41, of Land O’Lakes, Florida, has pleaded guilty to a single count of conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion, admitting he secretly worked with the BlackCat ransomware group. According to the Justice Department, Martino began colluding with BlackCat in April 2023. He admitted that while acting as a ransomware negotiator for five corporate victims he passed confidential details — including insurance policy limits and internal negotiation positions — to the group so they could maximize ransom demands, and that he was paid for that information.
Conspiracy with Ryan Goldberg and Kevin Martin to deploy ransomware
The guilty plea extends beyond leaking negotiation information. Martino admitted he conspired with two named associates — Ryan Goldberg of Georgia and Kevin Martin of Texas — to deploy ransomware against various U.S. victims between April and November 2023, effectively serving as a BlackCat affiliate during that period. The Justice Department filing identifies both the coordination of pre-attack behavior and commercial exploitation of victims as part of the conspiracy.
Ransoms, seizures, and a multimillion‑dollar tally
Authorities say they have seized approximately $10 million in assets from Martino, including digital currency, vehicles, a food truck, and a luxury fishing boat. Court documents seen by Infosecurity attribute specific payments to victims: an unnamed hospitality firm paid $16.5 million; a financial services firm paid $25.7 million; and a non‑profit paid $26.8 million. Other victims listed in those documents included retailers, manufacturers, medical companies, engineering firms, and pharmaceutical companies. It is unclear how many of the alleged attacks took place in total or precisely how much revenue the scheme generated overall.
BlackCat (ALPHV): scope, pressure tactics, and takedown details
The group Martino colluded with is identified as BlackCat, also known as ALPHV. The FBI had estimated that BlackCat made as much as $300 million from hundreds of victims up to late 2023. On at least one occasion, a BlackCat affiliate threatened to report a victim to the U.S. Securities and Exchange Commission as a pressure tactic to force payment. The group’s leak site was seized in December 2023 and a decryptor was released for the ransomware; experts, the source reported, claimed that release may have saved victims tens of millions of dollars in payments.
What this means for incident response firms, corporate victims, and insurers
- Incident response firms: Firms that provide negotiation and remediation services will face scrutiny over insider risks and client confidentiality practices, since Martino is believed to have worked for incident response firm Digital Mint and used his role to feed adversaries.
- Corporate victims and forensic teams: Victims that enter negotiations with third‑party negotiators must now consider whether confidential negotiation positions or insurance limits could be exposed to attackers, increasing the importance of vetting and monitoring vendor access to sensitive negotiation information.
- Insurers: Because the admitted scheme involved passing insurance policy limits to attackers and because large, named ransom payments appear in the court documents, insurers and risk underwriters will likely be watching for claims, exposures, and potential fraud investigations tied to negotiated payouts.
Martino will be sentenced on July 9 and faces a statutory maximum sentence of 20 years in prison. The record assembled by prosecutors and the seizure of roughly $10 million in assets underscore both the financial scale alleged in court documents and the difficulty of determining the full extent of the activity: authorities cite multiple multimillion‑dollar payments but concede uncertainty about how many attacks occurred and the total revenue produced.
Link to original story: https://www.infosecurity-magazine.com/news/former-ransomware-negotiator/
