Former Ransomware Negotiator Pleads Guilty to BlackCat Attacks
Apr 22, 2026
Key Takeaways
A former ransomware negotiator has admitted to collaborating with the BlackCat (ALPHV) ransomware gang
Insider access was abused to leak sensitive negotiation data to attackers
Two additional cybersecurity professionals were also involved and have pleaded guilty
The case highlights a dangerous insider threat within incident response workflows
Overview
In a striking case of insider betrayal, a former ransomware negotiator has pleaded guilty to participating in ransomware attacks he was supposed to help mitigate.
The individual, Angelo Martino, previously worked at DigitalMint, a company specializing in ransomware negotiation and incident response. Instead of protecting victims, Martino secretly collaborated with the BlackCat (ALPHV) ransomware group, using privileged access to aid cybercriminal operations.
This incident underscores a growing risk in cybersecurity: trusted insiders turning into threat actors.
How the Attack Scheme Worked
Martino exploited his role as a negotiator — a position designed to help organizations recover from ransomware — to actively assist attackers.
According to prosecutors:
He shared confidential negotiation strategies with BlackCat operators
He disclosed insurance coverage details and ransom limits
This intelligence helped attackers optimize ransom demands and pressure tactics
In some cases, Martino was directly involved in facilitating ransomware attacks while simultaneously acting as a negotiator for victims — effectively playing both sides.
Others Involved in the Conspiracy
Martino was not acting alone. Two other cybersecurity professionals were also implicated:
Ryan Clifford Goldberg – Incident response manager
Kevin Tyler Martin – Ransomware negotiator
Both individuals have already pleaded guilty and face up to 20 years in prison.
The trio leveraged their deep understanding of incident response workflows to maximize the effectiveness of attacks.
About BlackCat (ALPHV)
BlackCat (also known as ALPHV) is one of the most notorious ransomware-as-a-service (RaaS) operations in recent years.
Key characteristics:
Written in Rust for speed and evasion
Operates via an affiliate model, taking a share of ransom payments
Known for double extortion tactics (encrypting + leaking data)
Has targeted hundreds of organizations globally
Its success largely depends on insider knowledge and initial access, making cases like this especially dangerous.
Legal Charges and Penalties
Martino has pleaded guilty to charges including:
Conspiracy to commit extortion
Interfering with interstate commerce
Damaging protected computer systems
He now faces:
Up to 20 years in prison
Sentencing scheduled for mid-2026
Why This Matters
This case represents a critical shift in ransomware risk dynamics:
1. Insider Threats Are Escalating
Security professionals with privileged access can become high-impact threat actors.
2. Negotiation Processes Are Vulnerable
Attackers gaining visibility into negotiation strategies can:
Increase ransom demands
Prolong attacks
Reduce chances of successful mitigation
3. Trust in Incident Response Is at Risk
Organizations rely heavily on third-party negotiators. Incidents like this may:
Force stricter vetting processes
Increase demand for transparency and monitoring
Technical & Strategic Implications
| Category | Details |
|---|---|
| Threat Type | Insider-assisted ransomware |
| Ransomware Family | BlackCat (ALPHV) |
| Attack Vector | Abuse of negotiation access |
| Data Exposed | Negotiation strategies, insurance data |
| Impact | Higher ransom success rates, prolonged attacks |
| Actors Involved | 3 cybersecurity professionals |
| Legal Outcome | Guilty pleas, up to 20 years imprisonment |
ClearPhish Insight
This isn’t just a ransomware story — it’s a trust failure within the cybersecurity ecosystem.
When defenders become attackers:
Traditional security models break down
Detection becomes harder due to legitimate access
Damage becomes significantly more severe
For organizations, the takeaway is clear:
Zero trust must extend beyond systems — to people, processes, and partners.
Final Thoughts
The BlackCat case highlights a dangerous evolution in cybercrime — where insiders weaponize trust to amplify attacks.
As ransomware operations grow more sophisticated, defending against them will require:
Stronger internal controls
Behavioral monitoring
Continuous validation of trusted roles
Because sometimes, the biggest threat isn’t outside your network — it’s already inside.