[{"data":1,"prerenderedAt":102},["ShallowReactive",2],{"article-slug-former-ransomware-negotiator-pleads-guilty-to-aiding-blackcat-gang":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":31,"sources":32,"events":45,"mitre_techniques":46,"mitre_mitigations":58,"d3fend_countermeasures":69,"iocs":81,"cyber_observables":82,"tags":83,"extract_datetime":88,"article_type":89,"impact_scope":90,"pub_date":36,"reading_time_minutes":101,"createdAt":88,"updatedAt":88},"01ba7af0-12e0-42d4-bd9b-459c7ac0cca1","former-ransomware-negotiator-pleads-guilty-to-aiding-blackcat-gang","Ransomware Negotiator Admits to Conspiring with BlackCat Gang","Former Ransomware Negotiator Pleads Guilty to Aiding BlackCat, Betraying Clients","Angelo Martino, a former ransomware negotiator, has pleaded guilty to conspiring with the notorious BlackCat (ALPHV) ransomware gang. Martino abused his position at a crypto brokerage firm, using his insider knowledge of his clients' negotiating strategies and insurance limits to help BlackCat maximize their extortion demands. He also conspired to deploy ransomware against victims, leading to multi-million dollar ransom payments. Law enforcement has seized $10 million in illicit proceeds.","## Executive Summary\n\nIn a stark example of a malicious insider threat, Angelo Martino, a 41-year-old former ransomware negotiator, has pleaded guilty to federal charges of conspiring with the **[BlackCat (ALPHV)](https://attack.mitre.org/groups/G1016/)** ransomware gang. While employed at **DigitalMint**, a crypto broker that helps victims pay ransoms, Martino secretly fed the attackers sensitive information about his own clients. This included details about their insurance coverage and internal negotiation limits, allowing **BlackCat** to extort higher payments. Martino also admitted to actively conspiring in ransomware attacks, betraying the trust of the companies he was hired to help. Authorities have seized approximately $10 million in assets from Martino.\n\n## Threat Overview\n\nThis case highlights a dangerous evolution of the insider threat, where a trusted security professional actively colludes with a major ransomware group. Martino's role was twofold:\n\n1.  **Aiding Extortion**: While negotiating on behalf of victims, he acted as an informant for **BlackCat**. By revealing a company's true ability to pay (e.g., their cyber insurance limit), he ensured the gang would not settle for a lower amount, thus maximizing the criminals' profit.\n2.  **Conspiring in Attacks**: Beyond just passing information, Martino admitted to actively conspiring with others to deploy ransomware against U.S. victims, effectively becoming part of the criminal enterprise himself.\n\nThe scheme resulted in massive payouts from victims in hospitality, financial services, and non-profit sectors, with some ransoms reaching over $25 million.\n\n## Technical Analysis\n\nWhile this is primarily a story of human betrayal, it intersects with the ransomware TTPs of the **BlackCat** group.\n\n*   **Insider Knowledge**: Martino's contribution maps to the reconnaissance and resource development phases of an attack. His intel allowed **BlackCat** to bypass much of the uncertainty in the negotiation process.\n*   **Ransomware Deployment**: As a conspirator, Martino was involved in attacks that used standard **BlackCat** methods, which typically involve gaining access via compromised credentials or vulnerabilities, lateral movement, data exfiltration ([`T1048 - Exfiltration Over Alternative Protocol`](https://attack.mitre.org/techniques/T1048/)), and finally, data encryption ([`T1486 - Data Encrypted for Impact`](https://attack.mitre.org/techniques/T1486/)).\n*   **Money Laundering**: After a victim paid a $1.2 million ransom in Bitcoin, the group, including Martino, laundered the funds through a series of transactions ([`T1136 - Create Account`](https://attack.mitre.org/techniques/T1136/)), a common tactic to obscure the flow of illicit cryptocurrency.\n\n> This case demonstrates that the 'human element' in cybersecurity is not just about user error; it can also be about malicious intent from those in positions of trust. It fundamentally changes the threat model for incident response.\n\n## Impact Assessment\n\n*   **For Victims**: The companies betrayed by Martino suffered greater financial losses than they might have otherwise. They were negotiating against an opponent who held all the cards.\n*   **For the IR Industry**: The case damages the trust between victim organizations and third-party incident response and negotiation firms. Companies will now need to apply greater scrutiny to the partners they hire in a crisis.\n*   **Legal Precedent**: The successful prosecution and significant asset seizure send a strong message to any other individuals considering colluding with cybercriminals.\n\n## IOCs — Directly from Articles\n\nNo technical Indicators of Compromise were provided in the source articles.\n\n## Cyber Observables — Hunting Hints\n\nDetecting this type of insider threat is extremely difficult and relies more on behavioral and procedural controls than technical indicators. However, some patterns might be observable:\n\n| Type | Value | Description |\n| :--- | :--- | :--- |\n| Other | Unusually short or efficient ransom negotiations. | If a negotiator consistently settles at or near the top of a known insurance limit, it could be a red flag. |\n| Other | Communication with known threat actor infrastructure. | An IR team member communicating with non-sanctioned C2s or dark web forums would be a major indicator. |\n| Financial | Unexplained wealth or financial transactions. | Law enforcement likely used financial analysis to track Martino's illicit gains. |\n\n## Detection & Response\n\n*   **Detection**: Detection is less about logs and more about process. Organizations should use multiple, independent parties for different aspects of incident response (e.g., separate firms for forensics, negotiation, and legal counsel) to create checks and balances. Conduct thorough background checks on all third-party IR personnel.\n*   **Response**: In a negotiation, never reveal your upper limit or insurance coverage to your negotiator. Treat it as privileged information shared only with legal counsel. If collusion is suspected, immediately engage law enforcement and a new, vetted IR partner.\n\n## Mitigation\n\n1.  **Due Diligence**: Conduct extreme due diligence when selecting a third-party incident response or negotiation firm. Check references, a history of successful engagements, and their standing in the security community.\n2.  **Compartmentalize Information**: During an incident, strictly compartmentalize information. The negotiation team does not need to know the full technical details from the forensics team, and vice versa. Your maximum payment authority should be known only to executive leadership and legal counsel.\n3.  **Involve Law Enforcement**: Engage law enforcement (such as the FBI) early in a major ransomware incident. They have resources and intelligence that can help identify and pursue the actors, as demonstrated in this case.\n4.  **Internal Controls**: For IR firms, implement strict internal controls, codes of conduct, and regular audits to prevent this type of malicious activity. This includes monitoring employee communications and financial activities where legally permissible.","Insider threat shock: A former ransomware negotiator, Angelo Martino, pleads guilty to conspiring with the BlackCat gang, feeding them client data to maximize ransoms. ⚖️ #BlackCat #Ransomware #InsiderThreat #CyberCrime","Former ransomware negotiator Angelo Martino has pleaded guilty to conspiring with the BlackCat (ALPHV) ransomware gang, using his insider access to help them extort his own clients.",[13,14,15],"Threat Actor","Ransomware","Policy and Compliance","high",[18,22,25,28],{"name":19,"type":20,"url":21},"BlackCat","threat_actor","https://attack.mitre.org/groups/G1016/",{"name":23,"type":24},"Angelo Martino","person",{"name":26,"type":27},"DigitalMint","company",{"name":29,"type":30},"United States","other",[],[33,39],{"url":34,"title":35,"date":36,"friendly_name":37,"website":38},"https://www.infosecurity-magazine.com/news/former-ransomware-negotiator-guilty/","Former Ransomware Negotiator Pleads Guilty to Working For BlackCat Cyber Gang","2026-04-22","Infosecurity Magazine","infosecurity-magazine.com",{"url":40,"title":41,"date":42,"friendly_name":43,"website":44},"https://www.helpnetsecurity.com/2026/04/21/ransomware-negotiator-blackcat/","Ransomware negotiator admits role in attacks he was hired to resolve","2026-04-21","Help Net Security","helpnetsecurity.com",[],[47,51,54],{"id":48,"name":49,"tactic":50},"T1486","Data Encrypted for Impact","Impact",{"id":52,"name":53,"tactic":50},"T1657","Financial Theft",{"id":55,"name":56,"tactic":57},"T1048","Exfiltration Over Alternative Protocol","Exfiltration",[59,64],{"id":60,"name":61,"description":62,"domain":63},"M1017","User Training","While Martino was a malicious actor, this case highlights the need for strong ethics and insider threat awareness programs within the cybersecurity industry.","enterprise",{"id":65,"name":66,"d3fend_techniques":67,"description":68,"domain":63},"M1047","Audit",[],"Organizations engaging IR firms should have their own legal counsel audit the negotiation process and communications to ensure proper conduct.",[70,76],{"technique_id":71,"technique_name":72,"url":73,"recommendation":74,"mitre_mitigation_id":75},"D3-VDRM","Vendor/Partner Due Diligence and Risk Management","https://d3fend.mitre.org/technique/d3f:DecoyObject","The Angelo Martino case is a stark reminder that third-party risk extends to incident response partners. Organizations must implement a stringent due diligence process when selecting a ransomware negotiator or IR firm. This includes conducting background checks, verifying industry reputation through trusted channels (like InfraGard or local ISACs), and checking for a history of successful, ethical resolutions. Contracts should include clear codes of conduct, confidentiality clauses, and the right to audit communications. Furthermore, to create checks and balances, companies should consider using separate firms for technical forensics, legal counsel, and ransom negotiation, preventing any single entity from controlling all information in a high-stakes incident.","M1016",{"technique_id":77,"technique_name":78,"url":73,"recommendation":79,"mitre_mitigation_id":80},"D3-II","Information Isolation","To defend against a compromised negotiator, victim organizations must practice strict information isolation. The ransomware negotiator does not need to know, and should never be told, the company's cyber insurance limit or the absolute maximum payment authorized by the board. This critical information should be confined to a small circle of executive leadership and the company's external legal counsel. The negotiator should be given a target payment amount and a smaller, incremental negotiation ceiling. By compartmentalizing this sensitive financial information, the company removes the key leverage that a malicious insider like Martino could provide to the threat actors, forcing the negotiation to proceed based on the attacker's perceived risk rather than their knowledge of the victim's ability to pay.","M1035",[],[],[84,19,85,14,86,87],"Insider Threat","ALPHV","Cybercrime","DOJ","2026-04-22T15:00:00.000Z","NewsArticle",{"geographic_scope":91,"countries_affected":92,"industries_affected":93,"other_affected":99},"national",[29],[94,95,96,97,98],"Finance","Hospitality","Retail","Manufacturing","Other",[100],"Non-profit organizations",5,1776923389792]