Ransomware negotiator pleads guilty—what it signals for cyber defense

A former ransomware negotiator admitted to feeding victims’ confidential data to ALPHV/BlackCat, aiming to increase criminal payouts—raising fresh questions about trust, controls, and incident response risk.
A former ransomware negotiator has pleaded guilty to helping cybercriminals extort companies, underscoring how lucrative—and fragile—trust can be during a crisis.
Angelo Martino, once associated with incident-response firm DigitalMint, entered the guilty plea after prosecutors said he effectively played both sides in multiple extortion cases. Although he was positioned as working with victims, he admitted to passing confidential information back to the operators behind the ALPHV/BlackCat ransomware operation, including details about victim insurance limits and negotiation tactics. Prosecutors said his aim was to help maximize criminals’ payouts, taking a cut in the process.
The deal matters for more than the individual case. It highlights a central tension in cyber incident response: companies often rely on small teams—sometimes even single vendors or specialists—to guide high-stakes decisions under pressure. When negotiators are trusted to manage the communication, contain the damage, and coordinate remediation, the line between “help” and “harm” becomes dangerously thin if internal controls are weak or if incentives are misaligned.
ALPHV/BlackCat is described as ransomware-as-a-service, a model where the core malware operators provide the tools and infrastructure, while “affiliates” carry out attacks. In that setup, the affiliates’ relationship to their targets is mediated through negotiation dynamics—how much the victim can pay, what the attacker believes they can get, and how quickly the victim will make decisions. Prosecutors allege Martino didn’t just assist during an attack; he helped refine the negotiation in ways that would translate directly into higher ransom outcomes.
The Justice Department also said Martino pleaded guilty to extortion and faces up to 20 years in prison, with authorities stating they have seized $10 million in assets. The same case framing emphasizes that he is at least the third ransomware negotiator to face jail in the past year tied to similar conduct—suggesting this is not an isolated aberration but part of a broader failure pattern the industry is still struggling to contain.
For businesses, the practical consequence is uncomfortable: even the most prepared teams can be exposed if the incident-response process assumes good faith without verification. Negotiation often happens fast, with limited time to audit what information is shared and with whom. Victims may also feel constrained by operational urgency—preserve evidence, stop the spread, communicate with insurers, and manage public relations—while attackers exploit that scramble. In that environment, a negotiator’s access to sensitive details can become a leverage point for criminals.
There is also an industry-wide angle. Prosecutors previously accused other individuals connected to incident-response work of acting as ransomware affiliates, including a former DigitalMint employee and a former incident response manager at a different cybersecurity firm. The Martino plea now clarifies that the unnamed person mentioned earlier was him. Taken together, the pattern raises questions about vetting, monitoring, and segregation of duties inside security providers—especially for roles that sit at the intersection of victim communication and attacker-facing strategy.
Ransomware-as-a-service ecosystems are designed to scale, and negotiation is one of the mechanisms that makes that scaling profitable. If criminal actors can learn insurance constraints and strategy, they can tailor pressure, extend or shorten timelines, and steer victims toward outcomes that better fit the attackers’ economics. That makes negotiation intelligence valuable—meaning the risk isn’t only malware infection. The business risk extends into confidential commercial information and decision-making processes.
For the next chapter, companies may need to treat incident response as both a technical and governance problem. Stronger controls—like tighter access restrictions for insurance and negotiation data, documented communication pathways, and clearer compliance requirements for vendor staff—could reduce the chance that confidential information leaks to the wrong party. The broader lesson is that cybersecurity readiness depends not just on defenses against attacks, but on resilience against manipulation inside the response process itself.