$75.3 million in extortion attempts
Angelo Martino, a 41-year-old former ransomware negotiator, has been sentenced to 70 months in federal prison for conspiring with the BlackCat (also known as Alphv) ransomware gang. The U.S. Department of Justice revealed that Martino, while working as a security professional, acted as a 'double agent' in 2023. He abused his trusted position by providing confidential information from his own clients to the BlackCat operators, helping them to refine their extortion tactics and demand higher ransoms. Martino was implicated in conspiracies to extort a total of $75.3 million from five U.S. companies. His sentencing marks a significant law enforcement victory against insiders who facilitate cybercrime and underscores the complex ethical challenges within the incident response ecosystem.
In 2023, Angelo Martino, a security professional associated with DigitalMint, engaged in a criminal conspiracy with the BlackCat/Alphv ransomware group, one of the most prolific ransomware-as-a-service (RaaS) operations at the time. Instead of helping his clients recover from attacks, Martino secretly worked against them.
According to federal prosecutors, his betrayal included:
His actions directly contributed to the extortion of five U.S.-based organizations, with total ransom demands reaching $75.3 million. The conviction and lengthy prison sentence send a clear message to the cybersecurity industry about the severe legal consequences of collaborating with criminal threat actors.
The primary victims were the five U.S. companies who were not only hit by ransomware but were also betrayed by the very person they hired to help them. They faced higher financial losses and a more arduous recovery process due to Martino's actions. The broader impact is on the trust between victim organizations and the incident response industry. This case creates suspicion and doubt at a time when trust is most needed. It may cause victim companies to be more hesitant to engage third-party negotiators, potentially leading to poorer outcomes. For the cybersecurity profession, this incident is a significant ethical stain and highlights the potential for corruption when large sums of money are involved.
While this incident is about human betrayal rather than technical failure, standard cybersecurity mitigations are still the best defense, as they prevent the ransomware attack from succeeding in the first place.
M1032 - Multi-factor Authentication), timely patching (M1051 - Update Software), and network security to prevent the initial breach that necessitates a negotiator.M1053 - Data Backup) is the ultimate leverage against ransomware actors, reducing the need to pay a ransom and engage with negotiators, corrupt or otherwise.While this is an insider case, training all employees to spot and report suspicious activity is a foundational control.
Effective backups are the best defense against ransomware, reducing the need to pay or negotiate.
Angelo Martino conspires with the BlackCat/Alphv ransomware gang to extort his own clients.
Angelo Martino is sentenced to 70 months in federal prison.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.