Full Report
A third individual who was employed as a ransomware negotiator has pleaded guilty to conducting ransomware attacks against U.S. companies in 2023. Angelo Martino, 41, of Land O'Lakes, Florida, teamed up with the operators of the BlackCat ransomware starting in April 2023 to assist the e-crime gang in extracting higher amounts as ransoms. "Working as a negotiator on behalf of five different
Analysis Summary
# Incident Report: Insider Threat Conspiracy Aiding BlackCat Ransomware
## Executive Summary
Angelo Martino, a ransomware negotiator at DigitalMint, pleaded guilty to collaborating with the BlackCat ransomware gang and other incident responders to extort U.S. companies. Martino abused his role to provide confidential client data—including insurance limits and negotiation strategies—to attackers to maximize ransom payouts. The conspiracy resulted in millions of dollars in extorted funds and the compromise of at least five client organizations.
## Incident Details
- **Discovery Date:** Authorities charged the third individual in March 2026.
- **Incident Date:** April 2023 – November 2023.
- **Affected Organization:** DigitalMint (Employer), Sygnia (Partner organization), and at least five undisclosed victim companies.
- **Sector:** Incident Response / Cybersecurity / Cryptocurrency.
- **Geography:** United States (Florida-based perpetrator).
## Timeline of Events
### Initial Access
- **Date/Time:** April 2023.
- **Vector:** Insider Threat / Trusted Relationship.
- **Details:** Angelo Martino and Kevin Martin (DigitalMint) along with Ryan Goldberg (Sygnia) utilized their legitimate roles as incident responders to gain access to victim environments and sensitive negotiation data.
### Lateral Movement
- **Details:** The "lateral movement" here is of information rather than of network traffic: the perpetrators moved confidential negotiation strategy and insurance data from the secure client/employer environment to the BlackCat ransomware operators.
### Data Exfiltration/Impact
- **Details:** Martino exfiltrated victims' insurance policy limits and internal "walk-away" negotiation positions. In at least one instance, a victim was extorted for approximately $1.2 million in Bitcoin.
### Detection & Response
- **Detection:** Investigation by federal authorities (U.S. Department of Justice).
- **Response:** Criminal charges filed (March 2026); Guilty pleas entered by all three co-conspirators (December 2025 – April 2026); Forfeiture of $10 million in assets.
## Attack Methodology
- **Initial Access:** Abuse of legitimate credentials and trust as a third-party Incident Response (IR) provider.
- **Persistence:** Maintaining employment at reputable IR firms to access a stream of victims.
- **Privilege Escalation:** Not applicable (used existing high-level administrative/legal access to files).
- **Defense Evasion:** Conducted collusion outside of official company communication channels.
- **Collection:** Gathering insurance documents and legal briefs from victims.
- **Exfiltration:** Providing "insider intelligence" to BlackCat (ALPHV) operators.
- **Impact:** Financial extortion through ransomware deployment and "double-crossing" during the negotiation phase.
## Impact Assessment
- **Financial:** Over $10 million in assets seized from the perpetrator; specific payouts included a $1.2M individual ransom.
- **Data Breach:** Exposure of highly sensitive legal, financial, and insurance documents.
- **Operational:** Disruption of business operations via BlackCat ransomware deployment.
- **Reputational:** Massive loss of trust in the cyber insurance and incident response industry.
## Indicators of Compromise
- **Behavioral indicators:** Negotiator recommending higher-than-average settlements; presence of unauthorized communication with threat actor groups; internal IR managers accessing files for organizations they are not assigned to.
- **Financial indicators:** Unexplained wealth (luxury vehicles, food trucks, commercial fishing boats).
## Response Actions
- **Containment:** Removal of the individuals from their respective firms (DigitalMint and Sygnia).
- **Eradication:** Federal prosecution and asset seizure.
- **Recovery:** Forfeiture of $10M in digital currency and assets to potentially compensate victims.
## Lessons Learned
- **The "Quis Custodiet Ipsos Custodes" Problem:** Even the firms hired to fix a breach can be the source of a breach.
- **Information Asymmetry:** Attackers having access to a victim's insurance policy creates an insurmountable disadvantage for the victim.
- **Screening Gaps:** There were significant failures in the vetting or continuous monitoring of personnel in high-trust positions.
## Recommendations
- **Zero Trust for IR:** Limit IR team access strictly to the data required for technical remediation; sensitive financial/insurance data should be siloed.
- **Audit Logs:** Implement strict auditing on who accesses "Negotiation Folders" or "Insurance Policy" documents within IR and legal consulting firms.
- **Conflict of Interest Checks:** Require multi-person authorization for financial settlements in ransomware cases to ensure one individual cannot drive the price up unilaterally.
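As an added illustration of the audit-log and multi-person-authorization controls recommended above (example code written for this report, not code from DigitalMint, Sygnia or the DOJ filings), the sketch below runs over a constructed document-access audit log and an engagement roster. It flags the behavioral indicators named earlier: staff reading negotiation or insurance documents for engagements they are not assigned to, technical responders reaching into siloed financial data, and bulk downloads of those documents. It also enforces a two-person rule on settlement recommendations so that no single negotiator can set the figure alone. The log format, engagement IDs, user names, role names and folder layout are all assumptions made for the example.

```python
"""Access auditing and two-person settlement approval for an IR firm.

Added example for this report; not the page's or any firm's own tooling.
The audit-log schema, roster, role names and folder layout are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed audit log: who opened which engagement document, and how.
AUDIT_LOG = """\
timestamp,user,engagement,path,action
2023-04-03T09:12:00Z,alice,ENG-101,ENG-101/forensics/timeline.xlsx,read
2023-04-03T09:40:00Z,bob,ENG-101,ENG-101/negotiation/walk_away_position.docx,read
2023-04-03T10:02:00Z,alice,ENG-101,ENG-101/insurance/policy_limits.pdf,read
2023-04-03T10:05:00Z,carol,ENG-102,ENG-102/insurance/policy_limits.pdf,read
2023-04-03T11:30:00Z,carol,ENG-101,ENG-101/insurance/policy_limits.pdf,read
2023-04-04T08:00:00Z,bob,ENG-101,ENG-101/negotiation/walk_away_position.docx,download
"""

# Constructed engagement roster: which users are assigned, and in what role.
ROSTER = {
    "ENG-101": {"alice": "responder", "bob": "negotiator"},
    "ENG-102": {"carol": "negotiator"},
}

# Folders holding settlement-relevant data that should be siloed from
# technical responders (the "Zero Trust for IR" recommendation).
SENSITIVE_PREFIXES = ("negotiation/", "insurance/", "legal/")
ROLES_ALLOWED_SENSITIVE = {"negotiator", "counsel"}


@dataclass
class Alert:
    rule: str
    user: str
    engagement: str
    path: str
    timestamp: str


def is_sensitive(path, engagement):
    """True if the path falls under a siloed folder of the given engagement."""
    prefix = engagement + "/"
    rel = path[len(prefix):] if path.startswith(prefix) else path
    return rel.startswith(SENSITIVE_PREFIXES)


def audit_access(log_text, roster):
    """Return one Alert per log row that violates the access policy.

    Rules, in the order they are checked for each row:
      unassigned-access  user is not on the engagement roster at all
      role-violation     assigned user without a negotiator/counsel role
                         touched a siloed document
      sensitive-download siloed document was downloaded rather than viewed
    """
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        eng, user, path, ts = row["engagement"], row["user"], row["path"], row["timestamp"]
        role = roster.get(eng, {}).get(user)
        if role is None:
            alerts.append(Alert("unassigned-access", user, eng, path, ts))
            continue
        sensitive = is_sensitive(path, eng)
        if sensitive and role not in ROLES_ALLOWED_SENSITIVE:
            alerts.append(Alert("role-violation", user, eng, path, ts))
        if sensitive and row["action"] == "download":
            alerts.append(Alert("sensitive-download", user, eng, path, ts))
    return alerts


def settlement_approved(proposer, approvals, required=2):
    """Two-person rule for settlement recommendations.

    A recommendation stands only when at least `required` distinct people,
    none of them the proposer, have signed off; self-approval never counts.
    """
    signers = {a for a in approvals if a != proposer}
    return len(signers) >= required


if __name__ == "__main__":
    for a in audit_access(AUDIT_LOG, ROSTER):
        print(f"{a.timestamp} {a.rule:18} {a.user:6} {a.path}")
    print("settlement ok:", settlement_approved("bob", ["dana", "erin"]))
```

Running the block prints three alerts from the constructed log: alice (a responder) reading ENG-101's insurance limits, carol reading ENG-101 documents while assigned only to ENG-102, and bob downloading the walk-away position. The roster lookup is the key design choice: the policy is evaluated against who is assigned to an engagement, not merely who has a valid login, which is exactly the distinction that legitimate-credential insider abuse defeats.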