Full Report
41-year-old Angelo Martino, a former employee of cybersecurity incident response company DigitalMint, has pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023. [...]
Analysis Summary
# Incident Report: Insider Exploitation and BlackCat Ransomware Affiliation
## Executive Summary
Three U.S.-based cybersecurity professionals, including a former ransomware negotiator for DigitalMint, abused their positions to facilitate BlackCat (ALPHV) ransomware attacks. The individuals acted as affiliates, encrypting victim networks and stealing data, while concurrently sharing confidential victim negotiation strategies and insurance limits with the ransomware operators to maximize extortion payouts. The scheme resulted in over $50 million in ransom payments from just two victims.
## Incident Details
- **Discovery Date:** Not stated precisely; the conduct was discovered internally, leading to termination of the employees and to federal indictment in October 2025.
- **Incident Date:** April 2023 – April 2025.
- **Affected Organizations:** At least five U.S. organizations (including a financial services firm and a large nonprofit).
- **Sector:** Financial Services, Legal, Education, Healthcare, and Nonprofits.
- **Geography:** United States.
## Timeline of Events
### Initial Access
- **Date/Time:** Commencing April 2023.
- **Vector:** BlackCat (ALPHV) Ransomware-as-a-Service (RaaS) affiliate access.
- **Details:** The defendants operated as affiliates, utilizing BlackCat’s infrastructure to gain entry into U.S.-based organizations.
### Lateral Movement
- Not explicitly specified in the legal summary; the affiliates are assumed to have followed standard ransomware affiliate patterns of network traversal to identify high-value data and domain controllers.
### Data Exfiltration/Impact
- **Exfiltration:** Sensitive organizational data was stolen prior to encryption.
- **Extortion:** Victims were threatened with public data leaks via the BlackCat extortion portal.
- **Encryption:** Systems were encrypted using BlackCat ransomware.
### Detection & Response
- **Discovery:** DigitalMint and other stakeholders identified the malicious conduct; internal investigations led to the termination of the employees.
- **Law Enforcement:** The FBI and DOJ investigated the conspiracy, leading to indictments in late 2025 and guilty pleas in early 2026.
## Attack Methodology
- **Initial Access:** BlackCat RaaS affiliate toolkit.
- **Persistence:** Not specified, but typical of ALPHV deployments.
- **Privilege Escalation:** Exploitation of administrative credentials.
- **Defense Evasion:** Use of legitimate cybersecurity tools and knowledge of IR tactics to mask activity.
- **Credential Access:** Not specified.
- **Discovery:** Internal reconnaissance of financial documents and insurance policies.
- **Lateral Movement:** Standard RaaS techniques.
- **Collection:** Staging sensitive data for exfiltration.
- **Exfiltration:** Uploaded to BlackCat-controlled infrastructure.
- **Impact:** Intentional damage to protected computers; data encryption; secondary extortion using leaked "negotiation positions."
## Impact Assessment
- **Financial:** Extremely high. One financial services firm paid $25,660,000; one nonprofit paid $26,793,000. Total ransoms across all victims likely exceed $60M.
- **Data Breach:** Theft of confidential corporate data, insurance policies, and legal documents.
- **Operational:** Significant disruption to school districts, medical facilities, and financial firms.
- **Reputational:** Severe impact on the incident response industry due to the breach of trust by professional negotiators.
## Indicators of Compromise
- **Network Indicators:** Communication with BlackCat (ALPHV) leak-site and negotiation portals hosted as Tor (.onion) hidden services.
- **File Indicators:** BlackCat/ALPHV ransomware variants; custom encryption extensions.
- **Behavioral Indicators:** Accessing sensitive insurance policy files or internal negotiation strategy documents by unauthorized IR personnel.
## Response Actions
- **Containment:** Removal of access for the identified malicious insiders.
- **Eradication:** Termination of employment of the co-conspirators (Angelo Martino, Kevin Martin, Ryan Goldberg).
- **Recovery:** Legal prosecution and federal indictments by the U.S. Department of Justice.
## Lessons Learned
- **Insider Threat in IR:** Even trusted "defenders" and negotiators can be motivated by financial gain to flip and work with threat actors.
- **Conflict of Interest:** Negotiators having access to both the victim's insurance limits and the attacker's portal creates a catastrophic moral hazard.
- **The "Double Agent" Risk:** Threat actors are actively recruiting or infiltrating the very companies hired to remediate attacks.
## Recommendations
- **Strict Role Separation:** Ensure that personnel negotiating ransoms do not have administrative access to the victim's production environments and vice versa.
- **Zero Trust Monitoring:** Implement rigorous auditing of IR personnel’s access to victim insurance documents and sensitive financial files.
- **Vetting and Bonding:** Enhance background checks and continuous monitoring for employees in high-trust cybersecurity roles.
- **Transparency in Negotiation:** Organizations should use multi-person "clean teams" for negotiations to ensure one individual cannot secretly collude with the attacker.
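As an added example (not part of the original report), the following Python implements the access audit and two-person "clean team" rule described in the Behavioral Indicators and Recommendations above: it flags reads of victim insurance-limit or negotiation-strategy documents by anyone who is not an assigned negotiator on that case, reads lacking a second negotiator's approval, and roster entries where one person is both negotiator and hands-on responder. The roster, usernames, audit records and record schema are constructed assumptions.

```python
# Added example, not the report's own code: roster and records are constructed,
# the audit-record schema is hypothetical.
from dataclasses import dataclass

# Document classes only the assigned negotiation clean team may read.
NEGOTIATION_CLASSES = {"insurance_policy", "negotiation_strategy"}

@dataclass(frozen=True)
class Access:
    user: str
    role: str            # role the user authenticated with
    case_id: str         # engagement the read was logged under
    doc_class: str
    approvers: tuple     # users who co-approved the read (two-person rule)

# Hypothetical engagement roster: negotiators must not also be responders.
ROSTER = {
    "CASE-001": {"negotiator": {"nora", "nate"}, "responder": {"rick"}},
    "CASE-002": {"negotiator": {"nora"}, "responder": {"rick", "rita"}},
    "CASE-003": {"negotiator": {"nate"}, "responder": {"nate", "rita"}},
}

def dual_role_users(roster):
    """(case, user) pairs where one person is both negotiator and responder."""
    return sorted((c, u) for c, r in roster.items()
                  for u in r["negotiator"] & r["responder"])

def audit(events, roster=ROSTER):
    """Return (user, case_id, reason) for every policy violation."""
    findings = []
    for e in events:
        if e.doc_class not in NEGOTIATION_CLASSES:
            continue                      # forensic artefacts are out of scope
        negotiators = roster.get(e.case_id, {}).get("negotiator", set())
        if e.user not in negotiators or e.role != "negotiator":
            findings.append((e.user, e.case_id, "not an assigned negotiator"))
        elif not (set(e.approvers) & (negotiators - {e.user})):
            findings.append((e.user, e.case_id, "no second-negotiator approval"))
    return findings

# Constructed audit records.
EVENTS = [
    Access("nora", "negotiator", "CASE-001", "insurance_policy", ("nate",)),
    Access("rick", "responder", "CASE-001", "insurance_policy", ()),
    Access("nate", "negotiator", "CASE-002", "negotiation_strategy", ("nora",)),
    Access("nora", "negotiator", "CASE-002", "negotiation_strategy", ()),
    Access("rick", "responder", "CASE-001", "forensic_image", ()),
]

if __name__ == "__main__":
    print(dual_role_users(ROSTER), audit(EVENTS))
```

Running it reports the roster conflict on CASE-003 and three violating reads; a clean engagement produces an empty findings list.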