
A Florida man hired to negotiate with ransomware criminals has been sentenced to more than five years in prison after prosecutors proved he was secretly working with those same criminals. Angelo Martino, who worked as a ransomware negotiator for a U.S. cybersecurity company, conspired with hackers to deploy ransomware against American businesses while appearing to help victims respond to attacks.
The U.S. Department of Justice confirmed the sentence Thursday, according to TechCrunch. Federal investigators also seized more than $10 million in cryptocurrency and assets tied to the scheme, including a food truck and a luxury fishing boat that Martino allegedly bought with stolen money.
Martino is the third person convicted in this case. Kevin Martin and Ryan Goldberg, both cybersecurity professionals, were jailed earlier for their roles in the same operation. Prosecutors say all three worked together throughout 2023, using the BlackCat ransomware to hit companies across the United States. In one attack, the group extorted a target for roughly $1.2 million, then split the money three ways after laundering it.
What makes this case unusual is how the scheme was structured. Martino was not a rogue outsider. He was inside a legitimate cybersecurity firm, in a role specifically meant to protect companies from ransomware. That position likely gave him insight into how victims respond to attacks, what they are willing to pay, and how negotiations typically unfold, information that would be valuable to any ransomware operation.
The broader ransomware industry has created a whole ecosystem around extortion. Companies buy insurance policies that cover ransom payments. Firms hire negotiators to reduce those payments. Some of that money flows back to criminal gangs regardless of how much the ransom gets cut down. Governments in the U.S. and elsewhere have repeatedly warned companies not to pay ransoms at all, arguing that payments fuel further attacks. Many companies pay anyway, worried about customer data being published or leaked.
BlackCat, also known as ALPHV, is a ransomware-as-a-service operation. It works by renting its file-encrypting malware to independent hackers, called affiliates, who carry out the actual attacks and share profits with the gang. This model has made BlackCat one of the more active ransomware groups in recent years. Its affiliates were responsible for the 2024 hack on Change Healthcare, a U.S. health technology company, which exposed the medical and billing data of more than 192 million Americans. The affiliates behind that particular attack were never identified.
The Martino case is a reminder that insider threats in cybersecurity are not just about disgruntled employees leaking data. In this instance, the people hired to limit the damage from ransomware were actively creating it. For companies that rely on third-party negotiators and incident response firms, that raises an uncomfortable question about how much trust those relationships actually deserve.