The negotiator closed a file, smiled, and then sent a secret that would cost a company millions. I read the court filing and felt that spike of disbelief you get when someone you trust becomes the problem. You can almost hear the quiet click when a safeguard becomes a tool for harm.
I’ve followed cybercrime cases long enough to know the choreography: phones, encrypted chats, and insurance numbers traded like chips at a table. This one felt worse because the man in the middle was supposed to be protecting victims.
A negotiator who worked for victims shared their negotiating positions and insurance limits.
I saw the Department of Justice notice and the line that changes everything: Angelo Martino, 41, a Florida-based former ransomware negotiator, pleaded guilty to conspiring to deploy ransomware and to feeding BlackCat/ALPHV operators inside information about his clients. That single sentence flips the moral ledger — a professional becoming, in effect, an accomplice.
Martino was negotiating for at least five victims while quietly passing details like insurance policy caps and internal bargaining stances to the attackers. He was paid for those tips. The betrayal here isn’t abstract; it meant attackers could set ransom demands knowing exactly how high a victim might pay.
Two co-workers and a plan turned negotiation skills into an attack playbook.
From April to November 2023, Martino and two other cybersecurity workers helped deploy BlackCat ransomware against multiple U.S. targets.
The DOJ says the trio extorted one victim for roughly $1.2 million (€1.1 million) in Bitcoin and split the proceeds. Law enforcement later seized over $10 million (€9.2 million) in assets tied to Martino — including digital currency, vehicles, a food truck, and a luxury fishing boat bought with the gains. The money trail is a reminder that cybercrime still follows the same instincts as other organized schemes: identify a weak point, monetize it, cash out, then try to disappear.
What does a ransomware negotiator do?
A negotiator traditionally mediates between a victim and criminals to minimize damage, advise on communications, and try to recover data or reduce ransom. When that role is corrupted, trust evaporates and the whole incident-response market takes reputational damage. DigitalMint — Martino’s former employer, according to TechCrunch and reporting from Gizmodo — said it had no knowledge of the scheme and fired the employees involved while cooperating with investigators.
Confidential data became leverage and then currency.
The DOJ’s narrative shows a familiar, painful sequence: privileged information about insurance and bargaining positions was weaponized for profit.
I want you to picture how simple that swap is: an attacker with a negotiation script, a negotiator with inside knowledge, and victims who never knew their defender was selling them out. The result: ransom demands calibrated to squeeze just under insurance limits or to force maximum payout. It’s a betrayal that worked like a Trojan horse.
How are negotiators held accountable when they break the law?
Criminal charges, asset seizures, and public naming by the DOJ are part of the response. Martino pleaded guilty and faces sentencing in July with a possible maximum sentence of 20 years. Beyond prison time, prosecutors and incident-response firms now have to ask tougher questions about vetting, monitoring, and the channels used to share sensitive client data — from encrypted messengers to war-room documents.
Companies and the cyber-incident response industry are left to repair trust.
Digital forensics and negotiation are services you hire because you need someone capable and discreet. When one practitioner betrays that, the vendor-client contract gets recast as a risk factor.
Industry names matter here: BlackCat/ALPHV is already a known operator on watch lists; Bitcoin was the payout vehicle in reported extortion; firms like Chainalysis and law enforcement units trace flows, leading to seizures. The DOJ framed Martino’s conduct as a direct injury to victims, his employer, and the wider incident-response ecosystem — damage that’s harder to measure than the dollar signs in a ledger. The betrayal cut both profits and reputations like a double-edged scalpel.
There are immediate takeaways you can act on: tighten access to negotiation files, require multi-party signoffs for settlement details, and re-evaluate who is allowed to see insurance limits and internal strategies. If you manage incident response, ask how often your vendor’s access is audited and where those audit logs live.
Cases like this will push regulators, insurers, and clients to demand stronger transparency from cyber incident firms. The question becomes not just how to stop a specific ring, but how to stop professionals from becoming the crime’s amplifier.
Is the industry ready to police its own without outside pressure, or will the next headline reveal another trusted helper who was actually working for the other side?