Angelo John Martino III Pleads Guilty to Helping BlackCat Ransomware Group Extract Ransoms

A former ransomware negotiator, Angelo John Martino III, pleaded guilty after federal prosecutors alleged that he abused his role at a cyber incident response firm to help the BlackCat (ALPHV) ransomware group while simultaneously advising victims on how to respond.

“A Florida man who allegedly worked as a ransomware negotiator has pleaded guilty to conspiring with cybercriminals to carry out ransomware attacks against U”

Bitdefender

The Justice Department said Martino “shared confidential information about victim organizations’ internal negotiating positions and insurance policy limits” he gained from his work as a ransomware negotiator, in order to “extract the maximum ransom payment for himself and other BlackCat affiliates,” according to his plea agreement.

Bitdefender

Prosecutors said Martino’s conduct allowed attackers to “fine-tune their demands and extract higher ransom payments,” and that “Authorities say the attackers paid Martino for this insider access.”

CNN reported that US companies in the retail, hospitality and medical sectors trusted Martino to negotiate with hackers trying to extort them, but that “he made the extortion worse, federal prosecutors allege.”

CNN also said Martino allegedly accumulated at least $10 million in assets, including “a luxury fishing boat and two properties,” as he worked as a ransomware negotiator.

In the same case, prosecutors said Martino gave a major cybercriminal gang information about his clients’ negotiating positions to “maximize” ransom payments and then take his own cut, according to federal prosecutors.

The case is tied to ransomware activity between April and November 2023, when Martino acted as a negotiator for multiple ransomware victims, and when prosecutors said he also helped deploy BlackCat ransomware against additional victims.

Prosecutors described Martino as exploiting a “rare position” in which DigitalMint assigned him to conduct ransomware negotiations for clients, while he allegedly used that access to “play both sides.”

CyberScoop said five US-based victims hired DigitalMint and “All five of those victims paid a ransom,” after they “unwittingly tapped Martino to allegedly conduct ransomware negotiations with himself and his co-conspirators.”

CNN

The Justice Department said Martino shared confidential negotiating details and insurance limits, and prosecutors said this intelligence let attackers “fine-tune their demands and extract higher ransom payments.”

CNN reported that Martino gave attackers information about his clients’ negotiating positions to “maximize” the ransom payments and then take his own cut of them, according to federal prosecutors.

In one documented incident described by CyberScoop, Martino told a BlackCat affiliate that the company’s insurance carrier “was only approving small accounts,” and he added, “Keep denying our offers and I will let you know once I find out the max the[y] want to pay.”

CyberScoop included a negotiation chat in which Martino said, “We are able to give you $1 million now, which is a very serious offer,” and the BlackCat accomplice responded, “Well, you can keep that for the penalties and lawsuits which are coming your way in case we expose you.”

CyberScoop said the victim company “ultimately paid a ransom worth nearly $16.5 million at the time to receive a decryptor and the BlackCat affiliate’s commitment to not publish stolen data,” and that two other victims paid $6.1 million and $213,000 ransoms for similar commitments.

Alongside the guilty plea, prosecutors and reporting described the financial and legal consequences of Martino’s alleged conduct.

“A South Florida man pleaded guilty to conspiring with multiple ransomware affiliates to commit attacks against and extort payments from the same U”

CyberScoop

CyberScoop said authorities seized $10 million in assets and cryptocurrency wallets controlled by Martino, and it described law enforcement seizing vehicles, a food truck and a 29-foot luxury fishing boat that he obtained using proceeds from his crimes.

CyberScoop also said officials seized two properties owned by Martino in Nokomis, Florida, including a bayfront home with an estimated value of $1.68 million and a second single-family home with an estimated value of $396,000.

Bitdefender reported that Martino pleaded guilty to one count of “conspiracy to obstruct, delay or affect commerce or the movement of any article or commodity in commerce by extortion,” and it said he is scheduled to be sentenced on July 9 and faces up to 20 years in prison.

Bitdefender also said Martin and Goldberg separately entered guilty pleas to the same charge in December 2025 and face the same penalty, and that “A judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.”

CyberScoop said Martino surrendered in March to the U.S. Marshals in Miami and was released on a $500,000 bond.

It also reported that Goldberg and Martin are scheduled for sentencing April 30, and that Martino’s alleged crimes took place in 2023.

The reporting also highlighted how DigitalMint and Justice Department officials framed the case.

CyberScoop said DigitalMint “is not accused of any knowledge or involvement in the crimes,” and it reported that DigitalMint “fired Martino the day after the Justice Department informed the company they were investigating him in April 2025.”

Bitdefender

CNN quoted a DigitalMint spokesperson saying, “As the government explicitly stated in writing and in court, and Martino admitted in a sworn statement, DigitalMint had no knowledge of Martino’s criminal actions,” and the spokesperson added that the actions were “in clear violation of the company’s values, ethical standards, and the law.”

CyberScoop quoted Justice Department officials describing the betrayal of clients, including A. Tysen Duva, assistant attorney general at the Justice Department’s Criminal Division, who said, “Instead, he betrayed them and began launching ransomware attacks himself by assisting cybercriminals and harming victims, his own employer, and the cyber incident response industry itself.”

CyberScoop also quoted Jason A. Reding Quiñones, U.S. attorney for the Southern District of Florida, saying, “Ransomware victims turned to this defendant for help, and he sold them out from the inside.”

CNN described the Justice Department official overseeing the case as saying the matter is “groundbreaking” because it raises tough questions for the cybersecurity industry about who is being paid to protect ransomware victims.

CNN also quoted that official saying, “In working on ransomware for many years, we were … hearing rumors [of misconduct], and I wasn’t shocked that we ended up with a case with these types of charged facts.”

The case is also being used to describe broader efforts to manage insider threats and to change how ransomware negotiations are handled.

“US companies in the retail, hospitality and medical sectors trusted Angelo Martino to negotiate with hackers who were trying to extort them”

CNN

CNN said the Justice Department official overseeing the case told CNN that US officials are considering holding “roundtables” or other events to discuss how cybersecurity firms can prevent insider threats, and it described a “reckoning among security firms” that have to deal with the “seedy underworld of ransom negotiations.”

CNN

CNN also quoted Coveware executive Magnus Jelen, saying, “In some cases, they have even developed mechanisms designed to allow unethical intermediaries to profit from ransom payments without full visibility for victims.”

CNN reported that Coveware says it “no longer charges any processing fee for clients that choose to pay ransoms,” and Jelen said, “Advice on ransom payments must be completely objective and free from incentive bias.”

Bitdefender added that the DOJ’s announcement followed prior actions to disrupt the BlackCat ransomware operation, including when the FBI seized several websites operated by the BlackCat ransomware actors and developed a decryption tool that allowed hundreds of victims to restore their systems, saving some $99 million in ransom payments.

CyberScoop described how Martino’s guilty plea is “an extreme, albeit rare, example of the dark underbelly of ransomware negotiation,” and it said officials shared “a series of chats Martino held with co-conspirators and his victims” that exemplify the alleged betrayal.

CyberScoop said Martino admitted to conspiring with Kevin Tyler Martin and Ryan Clifford Goldberg to deploy BlackCat ransomware against five additional U.S. companies between April and November 2023, and it said Goldberg and Martin are scheduled for sentencing April 30.