Full Report
Angelo Martino is accused of playing both sides — committing attacks and conducting ransomware negotiations on some of the same cases on behalf of his former employer. The post Feds say another DigitalMint negotiator ran ransomware attacks and extorted $75 million appeared first on CyberScoop.
Analysis Summary
# Incident Report: Insider Exploitation and Ransomware Extortion by Angelo Martino
## Executive Summary
Angelo Martino, a former ransomware negotiator for the firm DigitalMint, is accused of operating as an ALPHV/BlackCat affiliate to attack ten organizations. In a significant conflict of interest, Martino allegedly served as the lead negotiator for five of his own victims, using insider information to maximize extortion payments totaling $75 million. The scheme was dismantled following a federal investigation into a broader conspiracy involving multiple cybersecurity professionals.
## Incident Details
- **Discovery Date:** April 3, 2026 (Notification of investigation to employer)
- **Incident Date:** Six-month period in 2023
- **Affected Organization(s):** Five U.S.-based victims represented by DigitalMint (a nonprofit and companies in the hospitality, financial services, retail, and medical sectors), plus five other organizations not represented by DigitalMint.
- **Sector:** Multi-sector (Nonprofit, Hospitality, Finance, Retail, Healthcare)
- **Geography:** United States / South Florida
## Timeline of Events
### Initial Access
- **Date/Time:** 2023
- **Vector:** Exploitation of credentials and network vulnerabilities.
- **Details:** Martino, acting as an ALPHV (BlackCat) affiliate, conspired with other former cybersecurity professionals to gain unauthorized access to victim networks.
### Lateral Movement
- Details are not explicitly stated; the report attributes the intrusions to a multi-stage campaign carried out by co-conspirators with cybersecurity backgrounds, using standard ALPHV affiliate tactics to traverse corporate environments.
### Data Exfiltration/Impact
- Sensitive corporate data was stolen and encrypted. Five specific victims were extorted for millions, ultimately contributing to a total of $75.25 million across all alleged attacks.
### Detection & Response
- **Detection:** Result of an ongoing federal investigation into co-conspirators Kevin Tyler Martin and Ryan Clifford Goldberg.
- **Response Actions:** DigitalMint suspended Martino's access on April 3 and terminated his employment on April 4, 2026, upon notification by the Department of Justice.
## Attack Methodology
- **Initial Access:** Affiliate account on ALPHV/BlackCat ransomware-as-a-service (RaaS) platform.
- **Persistence:** Coordinated breach efforts with other former IR (Incident Response) professionals.
- **Privilege Escalation:** Not specified (standard ALPHV playbook).
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified.
- **Discovery:** Not specified.
- **Lateral Movement:** Not specified.
- **Collection:** Stealing data for "double extortion" (encryption and leak threats).
- **Exfiltration:** Exfiltration of data to ALPHV-controlled infrastructure.
- **Impact:** Encryption of files and extortion. Specifically, the attacker acted as the "negotiator" for the victim, providing confidential negotiation strategies to his criminal co-conspirators to ensure higher payouts.
## Impact Assessment
- **Financial:** Total extortion amount of $75.25 million. Federal authorities have seized approximately $9.2 million in cryptocurrency from 21 wallets.
- **Data Breach:** Compromise of medical, financial, and corporate retail data.
- **Operational:** Significant disruption due to ransomware encryption for 10 organizations.
- **Reputational:** Massive reputational damage to the incident response and ransomware negotiation industry; specific damage to DigitalMint's "trusted partner" status.
## Indicators of Compromise
- **Network indicators:** ALPHV/BlackCat infrastructure (Standard ALPHV domains/IPs - defanged: hxxp[://]alphv[.]onion).
- **File indicators:** BlackCat ransomware variants.
- **Behavioral indicators:** Conflict of interest in negotiation communications; leaked confidential negotiation ceilings to external parties.
## Response Actions
- **Containment:** DigitalMint revoked all system and physical access for the suspect.
- **Eradication:** Federal seizure of 21 cryptocurrency wallets.
- **Recovery:** Legal prosecution of the primary actors (Martino, Martin, and Goldberg).
## Lessons Learned
- **Insider Threat:** Even "trusted" third-party security professionals can be malicious actors.
- **Vetting:** Standard background checks failed to identify the criminal involvement of cybersecurity experts already active in the RaaS ecosystem.
- **Negotiation Integrity:** The ransomware negotiation industry lacks sufficient oversight, allowing practitioners to potentially profit from "both sides" of an incident.
## Recommendations
- **Vendor Risk Management:** Organizations should implement strict conflict-of-interest audits when hiring ransomware negotiators.
- **Dual-Control Communications:** Ensure that negotiation communications are monitored by more than one representative to prevent back-channel collusion.
- **Enhanced Background Screening:** Apply continuous monitoring and more rigorous vetting to personnel in "high-trust" incident response roles.
- **Zero Trust Architecture:** Implement internal controls to limit even specialized contractors' access to only the data necessary for the engagement.