This ransomware negotiator was paid to fight hackers, he was secretly working with them instead

Skye Jacobs

Posts: 2,013   +59
Staff
WTF?! Federal prosecutors say a ransomware negotiator exploited the very channels used to manage cyberattacks, turning sensitive breach data into leverage for the hackers he was supposed to fight. That negotiator, Angelo Martino, 41, was sentenced to 70 months in prison after pleading guilty to conspiring with affiliates of the BlackCat ransomware operation.

Martino worked for DigitalMint, a firm that helps companies navigate ransomware incidents, including negotiating payments with attackers. In that role, he worked on active breach cases and had access to detailed information about victims, including ransom demands, insurance coverage, and internal negotiation strategies. According to prosecutors, he used that access to quietly assist the attackers.

Court filings describe how Martino communicated with BlackCat operators through multiple channels tied to the group's infrastructure. Alongside standard negotiation chats, he used a separate "intermediary" function within BlackCat's panel and the encrypted messaging platform Tox. Those channels enabled direct exchanges with attackers outside the victims' view.

"The purpose of these intermediary chat communications was to maximize the ransom payments paid by those victims to the BlackCat actors," prosecutors wrote. "This information provided by the defendant without the victims' knowledge included the victims' insurance policy limits and internal negotiation positions. In exchange for providing confidential information, the defendant received a portion of the ransomware payments in digital currency."

Prosecutors said the information helped shape ransom demands during negotiations. Between April and September 2023, five affected clients paid more than $75 million to BlackCat affiliates. Some of those payments were likely higher than they otherwise would have been because of the information Martino provided.

The victims included organizations across financial services, healthcare, retail, hospitality, and the nonprofit sector. In addition to the ransom payments, the attacks disrupted operations and, in some cases, affected service delivery.

Martino later obtained affiliate access to BlackCat's ransomware platform in May 2023. That access, typically reserved for trusted partners who deploy the malware, was shared with two co-conspirators, Kevin Martin and Ryan Goldberg.

"After the defendant obtained affiliate access, the defendant, Co-conspirator 1, and Co-Conspirator 2 agreed to, and did use the BlackCat ransomware and platform to attack and extort victims and share the ransom proceeds amongst themselves and with the BlackCat admin," the filing states.

Using those credentials, the group launched additional attacks beyond the incidents tied to Martino's clients. One targeted a medical device company that paid $1.2 million. Other victims did not pay but still experienced operational and financial fallout.

Prosecutors said Martino received millions of dollars in cryptocurrency tied to the scheme. While some of those assets were seized by the FBI, a portion had already been converted into purchases, including two homes, a boat, and several vehicles. He has been ordered to forfeit property and pay 10% of his income after his release.

Martino had asked for a shorter 24-month sentence, citing his cooperation with authorities in the prosecution of his co-conspirators. Martin and Goldberg were each sentenced to four years in prison earlier this year.

Law enforcement officials emphasized the breach of trust at the center of the case. "Angelo Martino sold out the very victims he was hired to represent, handing their confidential negotiating positions to BlackCat actors to drive up ransoms and enrich himself," said FBI Cyber Division Assistant Director Brett Leatherman.

BlackCat, also known as ALPHV, operates as a ransomware-as-a-service platform, providing malware and infrastructure to affiliates who carry out attacks and share proceeds. The group has been linked to a range of high-profile incidents, including the 2024 disruption of Change Healthcare's payment systems. The FBI said in 2023 that it developed a decryption tool for the ransomware and seized parts of the group's infrastructure. Affiliates continued operating after those actions.

DigitalMint said it was unaware of Martino's conduct and described itself as "also an unknowing victim." The company said it terminated the employees involved after being contacted by the Department of Justice and cooperated with investigators.

According to DigitalMint, Martino bypassed internal safeguards by using unauthorized communication channels that were not visible within its systems. The company said its controls were consistent with industry standards but that his actions were deliberately concealed.

The case highlights a risk in ransomware response: negotiators often work within systems controlled by attackers while handling sensitive data. Prosecutors said that access was used to benefit the attackers, not the victims.

Permalink to story:

 
While this bad actor deserves the punishment, the companies aren't blameless either: they should not have paid those ransoms in the first place. CEO/CIOs who don't take adequate measures to backup their data in a way that can survive a successful malware intrusion are negligent. But, until crypto is banned wholesale (and the probable civil liberties violations that would come with making that ban successful), we will continue to see these stories.
 
While this bad actor deserves the punishment, the companies aren't blameless either: they should not have paid those ransoms in the first place. CEO/CIOs who don't take adequate measures to backup their data in a way that can survive a successful malware intrusion are negligent. But, until crypto is banned wholesale (and the probable civil liberties violations that would come with making that ban successful), we will continue to see these stories.

A proper done ransom attack includes the backup. All your data pretty much taken hostage with no way out other then either pay or bleed out.
 
A proper done ransom attack includes the backup. All your data pretty much taken hostage with no way out other then either pay or bleed out.
A proper backup solution includes a cold storage, ideally off premise, that is not kept online in case of total system failure.
While this bad actor deserves the punishment, the companies aren't blameless either: they should not have paid those ransoms in the first place. CEO/CIOs who don't take adequate measures to backup their data in a way that can survive a successful malware intrusion are negligent. But, until crypto is banned wholesale (and the probable civil liberties violations that would come with making that ban successful), we will continue to see these stories.
In the all digital dystopic future we better hope crypto is not banned, considering the massive civil liberties that could be stripped away with having a singular digital currency controlled by the government.
 
70 months is ridiculously low for what he did, but those to blame are the people responsible for IT security, and of course the id1iots who decided to negotiate.
Ransomware is around for years, who does not have backups is paying a stupidity tax.
 
My main interest in these stories comes to knowing where they make a mistake.
It is a high-stake game. If you know that you are risking spending years in prison,
you should probably dedicate some time to making it very hard to catch you.
 
70 months is ridiculously low for what he did, but those to blame are the people responsible for IT security, and of course the id1iots who decided to negotiate.
Ransomware is around for years, who does not have backups is paying a stupidity tax.
Police departments in various cities paid to these parasites more than once in the past to decrypt their data.
Which of course causes this industry to grow and strive.
 
Back