On July 10, 2026, a federal judge in the Southern District of Florida sentenced Angelo Martino, 41, of Land O’Lakes, Florida, to 70 months in prison. Martino’s job title, until the Justice Department came calling, was one of the most trust-loaded in the entire security industry: professional ransomware negotiator. Companies in the worst week of their corporate lives hired his employer — the Chicago-based incident response and ransom-settlement firm DigitalMint, according to press reporting; the DOJ describes it only as “a US-based cyber incident response company” — to sit between them and the criminals encrypting their networks, to manage the conversation, to get the demand down.
Beginning in April 2023, Martino was being paid by the criminals on the other side of that conversation. According to the Department of Justice, he conspired with operators of the BlackCat/ALPHV ransomware variant across five separate victim extortions, feeding the attackers his employer’s clients’ confidential negotiating positions, insurance policy limits, and internal assessments — precisely the information a threat actor needs to price a ransom at the victim’s maximum, not their minimum. The negotiator’s entire value proposition, inverted and sold.
It gets worse. Martino also conspired with two other cybersecurity professionals — Kevin Martin, 36, of Texas, hired as Martino’s coworker at the same firm after the conspiracy was already running, and Ryan Goldberg, 41, of Georgia, an incident response manager at a separate IR firm, reported to be Sygnia — to stop merely assisting BlackCat and start being BlackCat, deploying the ransomware against additional US victims between April and November 2023. One medical company paid approximately $1.2 million in Bitcoin; the three men split their share and laundered it. Martin and Goldberg were each sentenced to 48 months on May 1, 2026, by US District Judge K. Michael Moore. From Martino, law enforcement has seized roughly $10 million in assets: digital currency, vehicles, a food truck, and a luxury fishing boat. A restitution hearing is set for September 17, 2026.
“He was hired to help victims in a moment of crisis,” said US Attorney Jason A. Reding Quiñones. “Instead, Martino betrayed them, fed their confidential negotiating positions to ransomware criminals, and helped squeeze them for more money.”
This article is not really about Martino. It is about the structural hole his case exposes: the incident-response supply chain runs on unverified trust at exactly the moment when the client has the least capacity to verify anything. What follows is the compliance analysis — why a corrupted negotiator breaks every assumption in an IR retainer, what due diligence on IR vendors actually has to look like now, the contractual controls worth demanding, the privilege and OFAC implications most programs have never modeled, and what regulators will expect from organizations whose negotiation channel itself was compromised.
What Happened: A Double Agent at the Negotiating Table
Strip the case to its mechanics and it is an insider-trading scheme grafted onto extortion.
A ransomware negotiation is an information game. The victim’s side holds facts the attacker desperately wants: how much the victim can actually pay, whether cyber insurance exists and at what policy limit, how badly operations are hurting, whether backups are viable, how scared leadership is, and what the negotiator’s walk-away and target numbers are. A competent negotiator converts the attacker’s uncertainty about those facts into a lower ransom. Industry practitioners routinely report negotiated reductions of 50 percent or more from opening demands — that delta is the product the client is buying.
Martino sold the answer key. Per the DOJ, BlackCat actors paid him to disclose the negotiating position and strategy of his employer’s clients so the actors could “maximize the ransoms paid by the victims.” Insurance policy limits are the most valuable single datum in that set: once an attacker knows a victim carries a $10 million cyber policy, the demand anchors to the policy, not to the victim’s protestations. Reporting on the court record indicates the five extortions Martino assisted generated ransoms totaling approximately $75.3 million, including roughly $26.8 million from a nonprofit, $25.7 million from a financial services firm, and $16.5 million from a hospitality company. Those victims paid what they believed was a hard-fought negotiated figure. The negotiation was theater; the outcome was fixed.
The second phase — Martino, Martin, and Goldberg operating as BlackCat affiliates in their own right — is in some ways less novel (criminals deploy ransomware; that is the job description) but more damning as an industry indictment. All three men were employed inside the incident-response ecosystem while attacking the class of companies that ecosystem exists to protect. Goldberg worked at an entirely different IR firm than the other two. This was not one bad hire at one firm. It was a three-node insider network spanning two competing vendors in the same trust-critical niche.
A note on the criminal-side context: BlackCat/ALPHV was, at the time, one of the most prolific ransomware-as-a-service operations in the world. The FBI seized its leak site in December 2023, and the group infamously exit-scammed its own affiliates after the Change Healthcare payment in early 2024. Its affiliate model — recruiting outside “talent” for a revenue share — is exactly the structure that makes industry insiders monetizable. A RaaS operator does not need to breach your IR firm. It just needs to make one of its employees an offer, as we noted when examining the affiliate economics behind the Q2 2026 Qilin and ShinyHunters extortion wave.
Why a Corrupted Negotiator Breaks Every Assumption in the IR Retainer
Organizations buy IR retainers to pre-solve the worst day. The retainer’s implicit promise is that when the incident comes, a vetted, competent, loyal team parachutes in. The Martino case falsifies each load-bearing assumption in turn:
The confidentiality assumption. Everything the client tells the negotiator — financials, insurance, board sentiment, operational pain — is presumed to stay inside the engagement. Here it flowed to the adversary in near-real time. Worse, the information disclosed during an extortion negotiation is more sensitive than most of what was stolen in the breach itself: it is a live map of the victim’s desperation.
The adversarial assumption. The entire economic logic of hiring a negotiator is that they bargain against the attacker. When the negotiator is compensated by the attacker, the client is paying professional fees to be represented by opposing counsel. There is no partial version of this failure; the service is not degraded, it is inverted.
The verification assumption. Clients assume the IR firm has vetted its people, and the IR firm assumes its people are what their background checks said. Martin was hired into the conspiracy — DigitalMint onboarded him after Martino was already working with BlackCat — which means standard pre-hire screening ran and passed on at least one active co-conspirator. DigitalMint, for its part, stated that the men’s actions were “deliberately concealed from DigitalMint and were in clear violation of the company’s values, ethical standards and the law,” and terminated Martino when the DOJ notified it. Take that at face value and the lesson is still uncomfortable: the firm was, by its own account, blind to a multi-victim insider scheme running through its negotiation desk for months.
The concentration assumption. The ransomware-negotiation market is tiny — a handful of specialist firms handle a large share of US ransom negotiations and payments. That concentration means a single corrupted negotiator touches many victims’ most sensitive crisis data, the same transitive-trust problem we analyzed in vendor concentration as a counterintelligence problem. The IR niche adds a cruel twist: unlike a software vendor, this vendor is selected and onboarded mid-crisis, often in hours, when due diligence is at its weakest and information sharing is at its most complete.
Due Diligence on IR Firms and Negotiators: What “Vetted” Has to Mean Now
Most third-party risk programs treat the IR retainer like any other professional-services contract: a questionnaire, a SOC 2, a certificate of insurance, done. After Martino, that is not defensible. IR and negotiation vendors belong in the highest criticality tier of your vendor inventory — they receive crown-jewel crisis data, they interface directly with criminal counterparties, and they act as your agent in transactions with sanctions exposure. Due diligence should be interrogating, at minimum:
Personnel screening depth and cadence. Pre-hire background checks are table stakes and, as Martin’s hiring shows, insufficient. Ask whether the firm performs recurring screening on negotiation and IR staff — periodic criminal and financial re-checks, since sudden unexplained wealth is the classic insider indicator (Martino accumulated a food truck, a boat, vehicles, and millions in crypto on a negotiator’s salary). Ask whether financial-disclosure or conflict-of-interest attestations are signed annually by client-facing staff, and whether the firm has any insider-threat program covering its own employees, not just its clients’.
Segregation and monitoring inside the engagement. Who at the vendor can see your negotiation file? Is access to victim case data logged, least-privileged, and reviewed? Is there two-person integrity on negotiations — a second negotiator or supervisor with visibility into every attacker communication — or does a single employee run the channel end to end? A lone negotiator with unmonitored access to the chat and the client’s insurance limits is a single point of catastrophic failure. Martino was exactly that.
Communications custody. Insist that all attacker communications occur on firm-controlled, logged infrastructure, with the client entitled to a complete, contemporaneous transcript. Side-channel contact between vendor personnel and threat actors — the thing Martino monetized — is only detectable if the sanctioned channel is fully recorded and anything outside it is anomalous by definition.
The firm’s own security and incident history. Would this vendor tell you if one of its employees were under investigation? What contractual duty does it have to? (See below — usually none, unless you wrote one.)
Sanctions-compliance machinery. For any vendor that facilitates payments: documented OFAC screening procedures, blockchain-analytics tooling, licensing posture (money transmission), and a written policy on when it will refuse to transact.
This is the same posture shift we urged when a consultancy became the breach vector in the Accenture “888” claim: the question is not “is this vendor reputable,” it is “what can this vendor’s people see and do, and what happens when one of them goes bad.”
Contractual Controls: Rewriting the IR Retainer and MSA
Because IR vendors are onboarded pre-incident via retainer, the contract is negotiated when you have leverage and performed when you have none. Use the leverage. Provisions the Martino case argues for directly:
- Insider-incident notification. A clause requiring the vendor to notify you promptly if it learns — from law enforcement or otherwise — that any personnel who touched your engagement are under investigation for, or suspected of, misconduct involving client data or threat-actor collusion. DigitalMint learned of the DOJ investigation in April 2025; absent such a clause, its clients’ right to learn anything was a matter of the firm’s discretion and the government’s timing.
- Named-personnel and screening warranties. The vendor warrants that all personnel assigned to your matters have passed defined background screening, are subject to recurring re-screening and annual conflict-of-interest attestations, and that no assigned person has been the subject of a substantiated integrity finding. Require notice when assigned personnel change.
- Two-person integrity and full transcript rights. Contractually mandate dual control over threat-actor communications and delivery of the complete communications record to the client and its counsel, in near-real time, not as a post-engagement summary.
- Audit and cooperation rights that survive the incident. Including the right to have your counsel or a third party review engagement records if you later have reason to question the negotiation’s integrity — as every one of Martino’s five extortion victims now does.
- Anti-kickback and no-contact representations. An express representation that neither the firm nor its personnel have received or will receive anything of value from any threat actor, directly or indirectly, and that all actor contact occurs through the sanctioned channel. This sounds absurd to write down. Martino is why you write it down.
- Fee-structure transparency. Understand exactly how the vendor is compensated, and reject structures that percentage-fee the ransom amount — a vendor paid more when you pay more has a soft version of Martino’s conflict built into its business model.
- Fraud carve-outs from liability caps. Professional-services MSAs routinely cap liability at fees paid. Insist that fraud, willful misconduct, and breach of confidentiality by vendor personnel sit outside the cap. Martino’s victims overpaid by tens of millions; a cap at retainer fees would be insulting.
Privilege and Confidentiality: The Channel You Thought Was Protected
Most sophisticated victims engage IR firms and negotiators through outside counsel, precisely to wrap the engagement in attorney-client privilege and work-product protection. The Martino case stresses that architecture in two ways.
First, privilege protects against compelled disclosure, not against betrayal. No privilege doctrine stops a criminal insider from simply telling the adversary what he learned. The practical control is therefore data minimization inside the privileged engagement: the negotiator needs your target number and your constraints; they do not need your full insurance tower, your board minutes, or your unredacted financials. Treat the negotiation vendor like any other third party on a need-to-know basis — a discipline that feels unnatural mid-crisis and must therefore be pre-scripted in the IR plan.
Second, litigation risk now runs in a new direction. Martino’s victims paid ransoms inflated by their own agent’s treachery; restitution proceedings are scheduled, and civil claims against vendors in this position — for fraud, breach of fiduciary duty, negligent supervision, negligent hiring — are the predictable next act. Organizations should also expect the reverse discovery problem: in breach litigation brought against a victim company, plaintiffs will ask whether the ransom was inflated by negotiator misconduct and whether the victim’s vendor diligence was adequate. Documented, dated due diligence on your IR vendor is the difference between a footnote and a count, the same dynamic we traced in the Oncology Institute third-party breach fallout.
OFAC: A Corrupted Negotiator Amplifies Sanctions Exposure You Already Had
Ransom payments carry sanctions risk in the best of circumstances. OFAC’s advisories on ransomware payments (2020, updated 2021) state the position plainly: paying a sanctioned actor — or one in a sanctioned jurisdiction — can violate US sanctions law on a strict-liability basis, and the exposure attaches not only to the victim but to every facilitator in the chain: the IR firm, the negotiator, the payment processor, the insurer. Mitigation credit flows to organizations with a documented sanctions-compliance program, prompt law-enforcement reporting, and cooperation.
Now insert a negotiator who is secretly a co-conspirator of the ransomware operation. Three things happen to your OFAC posture:
- Your diligence was performed by the counterparty. Victims and their insurers typically rely on the negotiation firm’s attribution work and sanctions screening — “we assessed the actor and found no OFAC nexus” — as the core of their pre-payment file. If the person running that assessment is on the attacker’s payroll, the file is worthless, and the victim’s claimed good faith rests on representations made by a criminal. Strict liability means the violation analysis does not care that you were duped; your penalty analysis does, which is why independent, second-source sanctions diligence (insurer-side, counsel-side, or a second analytics vendor) on any payment above a defined threshold is now a justifiable control.
- Facilitation exposure becomes literal. Martino did not merely fail to screen; he was a participant in the extortion. Any payment he facilitated was, unknown to the victim, a transaction structured in part by the recipient’s confederate. Regulators drafting the next advisory have their case study.
- The reporting calculus tightens. OFAC and FinCEN both weight voluntary self-disclosure and law-enforcement engagement heavily. A victim who involved the FBI early in each of Martino’s negotiations would today hold a far stronger position — in penalty mitigation and in restitution — than one who ran the payment quietly through the vendor. Early FBI involvement is also, not incidentally, how schemes like this get detected at all.
Add the incoming reporting architecture: CIRCIA’s ransomware-payment reporting requirement will give covered critical-infrastructure entities 24 hours to report payments to CISA, and NYDFS-regulated financial entities already face extortion-payment notification and a written explanation of the payment decision, including sanctions diligence, under Part 500. Payment decisions are becoming regulator-visible artifacts. The file supporting them cannot rest on a single vendor’s say-so.
What Regulators Will Expect When the Negotiation Itself Was Compromised
For the five extortion victims — and for any organization that discovers its IR vendor had a Martino problem — the regulatory analysis reopens along several seams:
FTC Safeguards Rule and service-provider oversight. For entities under the Safeguards Rule (and analogously under GLBA banking guidance and state safeguards statutes), 16 CFR 314.4(f) requires selecting service providers capable of maintaining appropriate safeguards, contractually requiring those safeguards, and periodically assessing the providers. An IR/negotiation vendor that receives your most sensitive incident data is unambiguously in scope. “We hired a name-brand IR firm” is a fact; it is not an oversight program. Expect regulators to ask what assessment was performed, what contract terms governed personnel integrity, and what monitoring existed.
SEC disclosure. For public companies, a compromised negotiation is potentially material on top of the underlying incident: if your ransom was inflated by tens of millions through your own agent’s fraud, both the loss figure and the integrity of your incident response are facts a reasonable investor may care about. Materiality determinations made at the time of the original incident were premised on a negotiation conducted in good faith; learning otherwise re-runs the analysis, and Item 1.05’s continuing-obligation logic applies. Victims should also revisit prior statements — public or regulatory — that characterized the ransom as the product of arms-length negotiation.
State attorneys general and breach-notification regimes. The information Martino leaked to BlackCat — negotiating positions, insurance limits, internal assessments — was itself confidential business information disclosed to unauthorized parties, and in some engagements such files include personal data. Victims must assess whether the vendor-side disclosure constitutes a reportable event independent of the original breach, and several state AGs have shown appetite for treating vendor-oversight failures as independent unfair-practice theories.
Sector regulators. Healthcare victims (one of the affiliate-attack victims was a medical company) face OCR’s now-familiar position that ransomware events trigger presumptive breach analysis and that business-associate-adjacent vendors demand documented diligence. Financial-sector victims face NYDFS’s explicit third-party and extortion-payment provisions.
The common thread: regulators will not treat “our trusted vendor betrayed us” as an absolution. They will treat it as the opening question — what made you entitled to trust them? — and the answer must be a documented program, not a brand name.
Checklist: Vetting and Governing IR and Ransom-Negotiation Vendors
Run this against your current retainer, ideally this quarter and at every renewal:
- Tier the vendor correctly. Classify IR, DFIR, and negotiation firms as maximum-criticality vendors in your third-party risk program, with diligence depth to match — not as generic professional services.
- Interrogate personnel integrity controls. Recurring background and financial re-screening of client-facing staff; annual conflict-of-interest and anti-kickback attestations; an internal insider-threat program. Get the answers in writing.
- Demand two-person integrity on negotiations. No single employee should control the threat-actor channel. Require dual visibility and full, contemporaneous transcripts delivered to you and your counsel.
- Contract for insider-incident notification. The vendor must tell you if engagement personnel come under investigation for client-data misconduct or actor collusion.
- Reject ransom-linked compensation. Flat or hourly fees only; no structure where the vendor earns more when you pay more.
- Carve fraud and willful misconduct out of liability caps, and confirm the vendor carries fidelity/crime coverage in addition to E&O.
- Independently verify sanctions diligence. Second-source OFAC/attribution analysis on payments above a defined threshold; never rely solely on the negotiating firm’s screening.
- Minimize what the negotiator sees. Pre-script in your IR plan exactly which data (insurance limits, financials, board deliberations) is shared with the negotiation vendor, by whom, and on what need-to-know basis.
- Involve the FBI early and document it. It strengthens OFAC mitigation, restitution posture, and — as this case shows — it is how corrupted intermediaries get caught.
- Prepare the reopening playbook. Decide now who re-runs materiality, notification, and litigation-hold analysis if you ever learn your negotiation was compromised. The five victims here are running that playbook without a script.
Conclusion
The security industry has spent a decade telling clients that insider risk is their most underweighted threat category. The Martino case is the industry failing its own exam. Three insiders, two competing IR firms, five betrayed extortion victims, additional victims attacked outright, roughly $75 million in ransoms shaped by leaked strategy, and $10 million in seized toys — a food truck and a fishing boat purchased with the crisis data of companies who thought they were buying an advocate.
The sentences — 70 months for Martino, 48 each for Martin and Goldberg — establish the deterrence baseline, and the DOJ’s asset seizures make the economics less attractive. But deterrence is the government’s control, not yours. Yours is the recognition that the IR supply chain is a vendor category like any other, subject to the same failure modes — and one aggravating feature: it is the only vendor you onboard while the building is on fire, and the only one to whom you hand, in a single week, a complete map of exactly how much you can be hurt. Organizations that pre-negotiate the retainer, minimize the data flow, mandate dual control, and independently verify the payment file have a defensible answer for the day a negotiator turns out to be working for the other side. Everyone else is trusting that their Martino hasn’t been hired yet.
Sources: US Department of Justice — Florida Ransomware Negotiator Who Extorted and Attacked Multiple U.S. Victims Sentenced to Prison, US Department of Justice — Two Americans Who Attacked Multiple U.S. Victims Using ALPHV BlackCat Ransomware Sentenced to Prison, TechCrunch — Florida ransomware negotiator convicted for helping ransomware gang extort US companies, Help Net Security — Ransomware negotiator who betrayed clients sentenced to 70 months in prison, CyberScoop — Former DigitalMint ransomware negotiator who duped clients sentenced to 70 months in jail, The Hacker News — Ransomware Negotiator Gets 70 Months in Prison for Aiding BlackCat Attacks, Chicago Sun-Times — Ex-Chicago ransomware negotiator gets nearly 6 years in prison for aiding hackers
This article is provided for informational purposes only and does not constitute legal advice.



