When a ransomware attack hits, the instinct is to call in the experts. You're locked out of your systems, the clock is ticking, and a criminal gang is demanding millions. Bringing in a professional ransomware negotiator seems like the obvious move — someone who knows the terrain, speaks the language of cybercriminals, and can fight for your organisation's interests.
But what if that trusted expert is the enemy?
That's not a hypothetical. It's exactly what happened in one of the most alarming cybersecurity cases of 2025–2026, and the lessons it leaves behind are ones that every CISO, risk officer, and business leader needs to internalise right now.
The Angelo Martino Case: A Double Agent at the Negotiating Table
A former ransomware negotiator employed by incident-response firm DigitalMint was sentenced on July 10, 2026, to 70 months in federal prison after pleading guilty to conspiring with the BlackCat ransomware group — the same threat actors he was retained to negotiate against on behalf of victims.
Starting in April 2023, Martino started to live a double life. Unknown to his employer or clients, he was feeding information to the BlackCat (also known as ALPHV) ransomware group through a hidden tab within the same BlackCat negotiation panel he used for his legitimate work.
In exchange for a cut of the ransom payment, Martino fed the criminals everything they wanted: victims' insurance policy limits, their internal negotiating positions, and their financial circumstances.
The results were devastating.
In total, five of Martino's clients collectively made more than US $75.3 million in ransom payments between April and September 2023. This included a non-profit organisation that paid nearly US $26.8 million, and a financial services company that paid nearly US $25.7 million — each payment likely inflated due to the information Martino shared with the extortionists.
Federal prosecutors didn't mince words in their assessment.
In a sentencing memorandum, prosecutors described Martino as "a double agent working to maximize the harm to his clients and the financial gain to cybercriminals." They added: "This was not a crime of opportunity or momentary weakness; it was a sustained abuse of a fiduciary-like relationship driven by a single purpose: greed."
How the Scheme Actually Worked
Understanding the mechanics of this betrayal is essential — because it reveals how frighteningly invisible it was.
On one occasion, Martino secretly tipped off a BlackCat affiliate that the victim's insurance company had only approved a limited payout. In the official negotiation chat — visible to both DigitalMint and the victim — he acted the role of concerned intermediary with aplomb.
The response from the attackers in the official chat made chilling sense in hindsight:
"We know how much you can pay. Contact your insurance. We know about them also." The ransomware victim, a hospitality company, ultimately paid out nearly US $16.5 million.
The conspiracy didn't stop there.
Martino was also accused of colluding with Ryan Goldberg, 41, of Georgia, and Kevin Martin, 36, of Texas, to successfully deploy BlackCat ransomware between April 2023 and November 2023 against multiple victims located throughout the U.S. Martino and Martin were employed at DigitalMint, while Goldberg was working as an incident response manager at cybersecurity firm Sygnia.
The three worked together: Goldberg gained initial access to victim networks. Martin stole data and encrypted networks. Martino handled negotiations and laundered the proceeds.
Why This Threat Is Bigger Than One Rogue Negotiator
It would be comforting to dismiss the Martino case as a rare, isolated betrayal. The evidence suggests otherwise.
"Ransomware threat actors have a long and well documented history of attempting to build direct relationships with negotiation firms," said Magnus Jelen, an executive at incident response firm Coveware. "In some cases, they have even developed mechanisms designed to allow unethical intermediaries to profit from ransom payments without full visibility for victims."
This case is striking, but it is not unique. Some ransomware groups have previously indicated that corruption of negotiators is not uncommon. In some circles, it has allegedly become a standard operational "practice": a way to ensure negotiations succeed with shared loot.
The Justice Department itself has indicated the problem extends further.
The Justice Department has looked at least one other, unrelated instance of alleged fraud in the cybersecurity industry and could bring charges in the coming months. "What I think is out there is what I would call more the explicit fraud scenario, where the so-called incident response firm is really not adding any value at all and just defrauding the victim," a Justice Department official said.
This case illustrates a systemic weakness in the way we handle ransomware incident response. By embedding trust in individual negotiators without robust oversight or auditing, we create a single point of failure that attackers can exploit.
The Unregulated World of Ransomware Negotiation
A core reason this threat persists is that the ransomware negotiation industry operates in a regulatory vacuum.
The rise of ransomware attacks has created an increasing demand for professional ransomware negotiators, who are often hired by cybersecurity firms to communicate with attackers and help victims recover their encrypted data. These negotiators are expected to act ethically and protect the interests of their clients.
But there is currently no licensing body, no mandatory certification, and no standardised oversight mechanism to enforce that expectation.
The systemic problem is the lack of supervision and total opacity in ransomware negotiation processes, making these illicit acts difficult to detect.
The HIPAA Security Rule requires covered entities and business associates to manage vendor risk through written agreements and reasonable safeguards, but those requirements were designed primarily around data access and storage, not around the integrity of crisis-response personnel given real-time operational intelligence during an active attack.
Encouragingly, some change is beginning.
DigitalMint has since changed the way its negotiators communicate with ransomware gangs, and is working with the Department of Homeland Security to establish a registry for the currently highly-unregulated world of ransomware negotiation.
The Financial Motivation Behind Insider Betrayal
To protect against this threat, it helps to understand exactly why trusted professionals cross the line.
The primary motivation appears to be financial. Ransomware groups generate millions of dollars through extortion and can afford to offer substantial incentives to insiders. Employees with access to sensitive information, negotiation strategies, or direct communication channels with victims may be tempted by promises of quick and substantial profits.
In Martino's case, the personal enrichment was staggering.
Law enforcement has seized $10 million in assets from Martino to date, including digital currency, vehicles, a food truck, and a luxury fishing boat obtained through the scheme.
Another factor is the mistaken belief that cryptocurrency transactions guarantee anonymity. Although blockchain-based payments can provide a degree of privacy, they are not completely invisible. Modern blockchain analysis tools enable investigators to trace transactions, identify suspicious financial flows, and connect digital wallets to individuals.
While these offers may seem attractive in the short term, the long-term consequences can be severe, including criminal prosecution, financial penalties, loss of professional reputation, and lengthy prison sentences.
Practical Tips: How to Protect Your Organisation Right Now
The Martino case is a wake-up call for every organisation that might one day — or is already — dealing with ransomware. Here's what you can do to reduce your exposure:
1. Never disclose your full insurance coverage to a negotiator without independent verification.
The most damaging intelligence Martino passed on was confidential details about his clients' insurance policies and negotiation limits.
Compartmentalise this information and only share what is strictly necessary at each stage.
2. Establish independent oversight of all negotiation communications.
Martino leveraged insider access — knowledge of insurance limits, negotiation strategies, and victim vulnerabilities — to maximise payouts for the attackers, effectively turning the negotiation process into another attack vector. Organisations should design multi-party controls, enforce strict separation of duties, and verify negotiator activity through independent auditing.
3. Appoint a single internal coordinator to track all information flows.
Establish an internal point of contact who tracks all information flows during an active incident. During a ransomware event, organisations often share sensitive details quickly and under pressure; a single designated coordinator reduces the risk of over-disclosure to third parties.
4. Vet your incident response vendors as rigorously as you vet employees.
Similar to other supply chain breaches, this case highlights how trusted service providers can become the weakest link. Organisations that hire incident response firms effectively give those firms the keys to the kingdom — a privilege that requires ironclad integrity.
Demand references, review track records, and ask pointed questions about their compliance and communication protocols.
5. Review your cyber-insurance policy for negotiator-conduct clauses.
Review cyber-insurance policies for coverage tied to negotiator conduct. Some policies include conditions or exclusions that may be triggered if a retained negotiator is later found to have acted against the insured's interests; understanding those terms before an incident prevents coverage disputes after one.
6. Invest in ransomware resilience before an attack happens.
According to Verizon's 2025 Data Breach Investigations Report, 64% of ransomware victims refused to pay in 2024, reflecting improved backup and recovery strategies. Recovery from backups tends to be the primary driver here, as organisations usually do not pay for data exposure if recovery can occur within acceptable timeframes.
The less you need a negotiator, the less you are exposed to this risk.
7. Screen any potential payments for sanctions compliance.
The Office of Foreign Assets Control (OFAC) of the US Department of the Treasury imposes strict liability, and therefore, organisations may incur civil penalties for negotiating with a sanctioned entity. Threat actors must be vetted against OFAC's Specially Designated Nationals list prior to any payment.
Conclusion: Trust Is Now an Attack Surface
The Martino case permanently changes how we should think about ransomware response. The threat doesn't end with the attacker who encrypts your files — it can extend to the very person you hire to get them back.
Prosecutors warned that the cybersecurity professionals' conduct erodes victims' willingness to retain the very experts they rely on to defend against ransomware attacks.
That's a systemic damage that goes far beyond any individual organisation's losses.
The lesson is clear: in the modern threat landscape, trust is an attack surface. Verify everyone who touches your incident response process, protect sensitive financial information with the same rigour you apply to your data assets, and ensure that no single individual — however expert — has unchecked access to both sides of a ransomware negotiation.
Is your organisation prepared for a ransomware event, including the risks posed by the people you'd bring in to help? Don't wait for a crisis to find out. Review your incident response plan, audit your vendor relationships, and ensure your cyber-insurance coverage accounts for third-party conduct — today. Contact a qualified, independently vetted cybersecurity advisor to assess your readiness before the attackers make that decision for you.



