Listen to this Post

Introduction: When the Negotiator Becomes the Attacker
Ransomware negotiations are meant to help organizations survive cyber extortion crises. Companies facing encrypted systems or stolen data often rely on specialized negotiators to communicate with attackers and minimize damage. But a shocking federal case in the United States reveals what can happen when the person tasked with helping victims is secretly working for the criminals.
Federal prosecutors have accused a former ransomware negotiator of orchestrating multiple cyberattacks while simultaneously acting as the negotiator for some of the same victims he allegedly targeted. The case highlights the dangerous potential for insider abuse in the largely opaque ransomware negotiation industry. If proven in court, the allegations represent one of the most extreme examples of conflict of interest and insider exploitation ever seen in cybercrime response operations.
Federal Charges Against a Cybersecurity Insider
According to federal prosecutors, 41-year-old Angelo John Martino III from South Florida conducted at least ten ransomware attacks that resulted in more than $75.25 million in ransom payments. At the time, Martino was working as a ransomware negotiator for the cybersecurity firm DigitalMint, placing him in a highly sensitive role where he communicated directly with attackers on behalf of victim organizations.
The allegations suggest a disturbing dual role. Several victims who hired DigitalMint were assigned Martino as their negotiation specialist. According to investigators, this meant that Martino may have been negotiating ransom demands with himself and his criminal partners while posing as a trusted intermediary.
This arrangement allegedly allowed him to manipulate negotiations, control communication, and potentially influence the final ransom amount.
Connection to the ALPHV / BlackCat Ransomware Group
Prosecutors say Martino gained access to an affiliate account with ALPHV, also widely known as BlackCat. This ransomware operation emerged in late 2021 and quickly became one of the most aggressive ransomware-as-a-service groups operating worldwide.
Through this partnership, Martino allegedly worked with other co-conspirators, including individuals with cybersecurity backgrounds, to infiltrate victim networks. Once inside the systems, the attackers reportedly stole sensitive data and deployed ransomware to encrypt critical files.
The attacks reportedly occurred over a six-month period in 2023 and targeted organizations across several sectors, including hospitality, finance, retail, healthcare, and nonprofit organizations.
Previous Co-Conspirators Already Pleaded Guilty
Martino was previously referenced as an unnamed co-conspirator in an earlier federal indictment involving Kevin Tyler Martin, another former DigitalMint negotiator, and Ryan Clifford Goldberg, a former incident response manager at Sygnia.
Both Martin and Goldberg pleaded guilty in December to participating in ransomware attacks. They are scheduled to be sentenced on April 30.
Prosecutors claim that Martino shared confidential negotiation information with his ransomware partners to maximize ransom payouts. Such information may have included how much victims were willing to pay, their urgency to recover systems, and the likelihood that they would comply with ransom demands.
Victims Targeted While Seeking Help
Five of the alleged victims were organizations that had hired DigitalMint to handle ransomware negotiations after their systems were compromised. These included:
A nonprofit organization
A hospitality company
A financial services firm
A retail company
A medical sector organization
Each of these victims ultimately paid a ransom, according to court filings.
Two of those ransom payments were particularly large. Prosecutors say a nonprofit organization paid nearly $26.8 million, while a financial services company paid approximately $25.7 million.
These payments demonstrate the massive financial scale of modern ransomware operations.
DigitalMint Responds to the Allegations
DigitalMint stated that it acted immediately once federal authorities alerted the company about the investigation.
According to CEO Jonathan Solomon, Martino’s system access was suspended on April 3 after the U.S. Department of Justice informed the company about the probe. He was fired the following day.
The company emphasized that it had no knowledge of Martino’s alleged criminal activities prior to the investigation.
DigitalMint also stated that it cooperated fully with law enforcement throughout the case and implemented stronger internal safeguards and oversight mechanisms after the incident.
However, the company declined to disclose whether any affected clients received refunds for negotiation services tied to Martino.
Massive Asset Seizures Linked to the Case
Authorities seized approximately $9.2 million in cryptocurrency held across 21 digital wallets allegedly controlled by Martino.
Investigators also confiscated several luxury assets connected to him, including:
A 1999 Nissan Skyline
A 2024 Polaris RZR
A 2023 trailer
A 29-foot boat manufactured in 2023
In addition to vehicles and equipment, authorities seized two real estate properties located in Nokomis, Florida. One of them is a bayfront home valued at approximately $1.68 million.
Legal Proceedings and Restrictions
Martino surrendered to U.S. Marshals in Miami and was released on a $500,000 bond.
He now faces charges of conspiracy to interfere with commerce through extortion. If convicted, he could receive a prison sentence of up to 20 years.
While awaiting further legal proceedings, Martino is prohibited from working in the cybersecurity industry and cannot travel outside the Southern District of Florida.
His next scheduled court appearance is set for March 19, when he is expected to enter a plea.
The Broader Impact of ALPHV / BlackCat
The ransomware group associated with Martino’s alleged activities, ALPHV or BlackCat, has been tied to numerous major cyberattacks against organizations worldwide.
One of the most notorious incidents attributed to the group was the February 2024 breach of Change Healthcare, a subsidiary of UnitedHealth Group.
That attack resulted in a $22 million ransom payment and exposed sensitive data belonging to roughly 190 million individuals, making it the largest healthcare data breach ever recorded.
What Undercode Say:
The Hidden Risk of Ransomware Negotiation
This case highlights a rarely discussed vulnerability inside the ransomware response industry: insider risk. Negotiators are often granted access to sensitive internal information about victims, including financial capabilities, operational pressures, and crisis timelines. In the wrong hands, that information can become a powerful weapon.
Unlike traditional incident response services, ransomware negotiation operates in a gray zone. These negotiations occur through encrypted channels, anonymous chats, and cryptocurrency payments. Oversight is minimal, and the process is rarely transparent to regulators or the public.
That lack of visibility creates opportunities for abuse.
Conflict of Interest in Cyber Crisis Response
The alleged actions of Martino demonstrate an extreme example of conflict of interest. If the accusations are true, he exploited the exact role designed to protect victims.
Being both the attacker and the negotiator would allow a criminal to manipulate the entire lifecycle of a ransomware incident. The attacker could control the ransom demand, determine how negotiations unfold, and influence the victim’s decision-making process.
This level of control fundamentally undermines the trust organizations place in cybersecurity consultants during crises.
The Insider Threat Problem in Cybersecurity Firms
Cybersecurity firms often employ individuals with deep technical expertise and access to sensitive operational tools. While background checks and vetting procedures are common, they may not always detect malicious intent or undisclosed criminal behavior.
Insider threats remain one of the most difficult risks to mitigate. Employees with legitimate access can bypass many traditional security controls. When those employees work in incident response or negotiation roles, the potential damage increases significantly.
This case may push cybersecurity firms to rethink internal monitoring and ethical safeguards.
Ransomware Economics and the Incentive Structure
The enormous ransom payments mentioned in the case illustrate how lucrative ransomware operations have become.
Payments exceeding $25 million are no longer rare in high-profile attacks. When the stakes reach this level, the incentive for insiders to collaborate with criminal groups increases dramatically.
Cybercriminal organizations increasingly recruit individuals with legitimate cybersecurity expertise. These insiders bring technical knowledge, operational access, and credibility that criminals would otherwise struggle to obtain.
Regulatory and Industry Implications
The Martino case may trigger renewed calls for regulation of ransomware negotiation services.
Currently, the industry operates with relatively little oversight. There are few formal standards governing how negotiations should be conducted, who is allowed to perform them, or how conflicts of interest should be managed.
Future regulations may require stricter compliance controls, transparency reporting, or independent auditing of ransomware negotiation processes.
Trust in the Cybersecurity Industry
Perhaps the most damaging impact of this case is the erosion of trust.
Organizations rely heavily on cybersecurity consultants during emergencies. If companies begin to fear that negotiators themselves could be compromised, it may change how victims approach ransomware incidents.
Some organizations may choose to avoid third-party negotiators entirely, while others may demand stricter verification processes and contractual safeguards.
Fact Checker Results
✅ Federal prosecutors formally charged Angelo John Martino III with conspiracy related to ransomware extortion.
✅ Authorities seized cryptocurrency assets and luxury items allegedly linked to the proceeds of cybercrime.
❌ There is currently no evidence that DigitalMint as a company knowingly participated in the alleged attacks.
Prediction
🔐 Governments will likely introduce stronger oversight for ransomware negotiation services and incident response firms.
💰 Insider-driven cybercrime cases may become more common as ransomware groups increasingly recruit cybersecurity professionals.
⚖️ The outcome of this case could set an important legal precedent for accountability within the cyber-extortion economy.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberscoop.com
Extra Source Hub (Possible Sources for article):
https://www.linkedin.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




