Ransomware Negotiator Turned Attacker Gets Nearly Six Years for BlackCat Extortion Scheme

Angelo Martino, a former DigitalMint employee, was paid to help victims recover from ransomware. Instead he ran the attacks himself, leaking insurance details to squeeze bigger payouts.

ThreatVectr Newsdesk· 3 min read
Photoreal editorial shot of an empty modern negotiation room with a single laptop open on a long dark table, a lock icon glowing faintly on the screen, harsh ov
Share

Key points

  • Angelo Martino, 41, a former employee of incident response firm DigitalMint, was sentenced to 70 months in prison for running BlackCat ransomware attacks against US companies between April 2023 and April 2025.
  • Two co-conspirators, Kevin Tyler Martin, 28, and Ryan Clifford Goldberg, 33, each received four-year sentences in May after pleading guilty in December to conspiracy to obstruct commerce by extortion.
  • The trio paid BlackCat's operators a 20% cut of ransoms in exchange for access to the gang's malware and extortion site.
  • Victims include a financial services firm that paid $25.66 million and a nonprofit that paid $26.79 million, alongside school districts, medical facilities, and law firms.
  • The FBI has linked BlackCat, also known as ALPHV, to more than 1,000 victims and at least $300 million in ransom payments through September 2023.

A man hired to help American companies survive ransomware attacks has been sentenced to nearly six years in federal prison for running the attacks himself.

Angelo Martino, 41, worked at DigitalMint, a firm that negotiates with ransomware gangs on behalf of victim companies. Between April 2023 and April 2025 he was on the other side of the table too, operating as an affiliate of the BlackCat ransomware gang. Ransomware is malicious software that locks up a company's files, with the criminals demanding payment to unlock them.

He pleaded guilty. On sentencing, he received 70 months.

Martino did not act alone. Kevin Tyler Martin, 28, and Ryan Clifford Goldberg, 33, both former negotiators at DigitalMint and incident response firm Sygnia, pleaded guilty in December to conspiracy to obstruct commerce by extortion. They were each sentenced to four years in May.

How did insiders pull this off?

They rented the crime kit. The three paid BlackCat's operators a 20% cut of every ransom in exchange for access to the gang's malware and its extortion portal, the site where stolen data is leaked to pressure victims into paying. That model, called ransomware-as-a-service, lets affiliates run attacks without writing any code themselves.

The insider angle is what makes this case unusual, and worse.

Prosecutors say Martino also worked as the official negotiator for five of the victim companies. In that role he saw confidential material: how much cyber insurance each company carried, and how far each was willing to go in negotiations. He shared it with the BlackCat crew. Armed with those numbers, the gang knew exactly how much to demand.

One financial services firm paid $25,660,000. A nonprofit paid $26,793,000. Other victims included school districts, medical facilities, and law firms.

The FBI has tied BlackCat, also tracked as ALPHV, to more than 60 breaches between November 2021 and March 2022, and to over 1,000 victims and at least $300 million in ransom payments by September 2023. The gang's infrastructure was disrupted by law enforcement in late 2023, but affiliates including Martino's group continued attacks after that.

What has DigitalMint said?

DigitalMint chief executive Jonathan Solomon told BleepingComputer that the company fired both Martin and Martino as soon as it found out. "We strongly condemn these former employees' criminal behavior, which violated our values, ethical standards, and the law," Solomon said.

Martino was originally listed only as "Co-Conspirator 1" in an October 2025 indictment. His name appeared when court documents were unsealed in March.

What should victim companies do now?

If your organisation used DigitalMint or Sygnia for ransomware negotiation between 2023 and 2025, review the case files. Assume the attackers may have retained sensitive information shared during those negotiations, including insurance limits, executive contact details, and internal financial data. Cyber insurance policies renewed since the incident should be reviewed with your broker, because policy limits disclosed to criminals do not stop being useful to them.

Affected companies should also expect follow-on contact from prosecutors as the case progresses to restitution.

© 2026 Threat Vectr