Former Ransomware Negotiator Sentenced to 70 Months for BlackCat Extortion Scheme
A former Florida ransomware negotiator has been sentenced to 70 months in federal prison for helping BlackCat/ALPHV ransomware actors extort victims and for joining separate ransomware attacks against U.S. organizations.
Angelo Martino, 41, of Land O’Lakes, Florida, previously worked for a U.S.-based cyber incident response company where he helped ransomware victims during negotiations. According to the Justice Department sentencing release, Martino instead shared confidential victim information with BlackCat actors so they could increase pressure and demand larger payments.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The case turns a common ransomware response risk into a criminal prosecution: the person hired to help victims allegedly used inside knowledge to help the attackers. Prosecutors said Martino also worked with two other former cybersecurity professionals to deploy BlackCat ransomware against additional victims in 2023.
Who is Angelo Martino?
Martino was employed as a ransomware negotiator at a U.S. cyber incident response company. His job gave him access to sensitive information that victims often share during a crisis, including negotiation plans, internal strategy, payment limits, insurance details, and recovery considerations.
Federal prosecutors said Martino abused that position beginning in April 2023. He allegedly provided BlackCat actors with confidential details about five ransomware victims and their negotiating positions.
That information gave the attackers a clearer view of how much pressure to apply and how much money victims might be able or willing to pay.
| Person | Location | Cybersecurity role | Sentence |
|---|---|---|---|
| Angelo Martino | Florida | Former ransomware negotiator | 70 months in prison |
| Kevin Martin | Texas | Former cybersecurity professional and Martino coworker | 48 months in prison |
| Ryan Goldberg | Georgia | Former cybersecurity professional at a separate incident response company | 48 months in prison |
What prosecutors say Martino did
Martino pleaded guilty on April 14, 2026, to one count of conspiracy to interfere with interstate commerce through extortion. Prosecutors said he helped BlackCat ransomware actors extort multiple victims while he was supposed to help victims respond to attacks.
The Justice Department said Martino was paid by BlackCat attackers to provide confidential information about client strategy and negotiation positions. That gave criminals insight into victim decision-making during ransom talks.
Martino also conspired with Kevin Martin and Ryan Goldberg to deploy BlackCat ransomware against additional U.S. victims in 2023. After one victim paid approximately $1.2 million in Bitcoin, the three men split their share of the ransom and laundered the proceeds.
Co-defendants were also sentenced
Martin and Goldberg were sentenced on April 30, 2026, to four years each in federal prison. The Justice Department’s co-defendant sentencing release said the men used their cybersecurity skills to attack multiple U.S. victims with ALPHV BlackCat ransomware.
Prosecutors said the three men agreed to pay ALPHV BlackCat administrators a 20% cut of ransoms received in exchange for access to the ransomware and the group’s extortion platform.
The remaining 80% share from at least one ransom was split three ways among Martino, Martin, and Goldberg.
BlackCat’s ransomware-as-a-service model
BlackCat, also known as ALPHV or Noberus, operated as a ransomware-as-a-service group. In that model, developers maintain the malware, infrastructure, and extortion platform, while affiliates carry out intrusions and share a portion of ransom proceeds.
The FBI and CISA’s ALPHV BlackCat advisory describes the group’s activity and notes that BlackCat affiliates used extortion, stolen data, and encryption to pressure victims.
The group became one of the most disruptive ransomware operations globally before U.S. authorities disrupted part of its infrastructure in December 2023.
| BlackCat role | Function | Risk to victims |
|---|---|---|
| Developers | Build and update ransomware, maintain infrastructure, and run extortion platforms | Enable scalable attacks across many affiliates |
| Affiliates | Break into networks, steal data, encrypt systems, and demand payment | Directly compromise victim organizations |
| Insider enablers | Provide victim information, credentials, strategy, or access | Increase attacker leverage during negotiations |
| Money launderers | Move cryptocurrency proceeds through wallets and other channels | Help criminals hide ransom profits |
More than $10 million in assets seized
Law enforcement has seized more than $10 million in assets from Martino, according to DOJ. The seized property includes digital currency, vehicles, a food truck, and a luxury fishing boat.
Prosecutors said the assets were obtained through the extortion scheme. A restitution hearing is scheduled for September 17, 2026, to determine how much Martino must repay.
The DOJ release also said the FBI Miami Field Office led the investigation with support from the U.S. Secret Service.
Why the insider angle matters
Ransomware negotiators and incident response providers can receive highly sensitive information during a crisis. That information may include board-level discussions, legal strategy, insurance coverage, backup status, restoration timelines, and the maximum payment a victim might consider.
If an insider leaks those details, attackers gain a direct advantage. They can reject lower offers, time public pressure, threaten data leaks more effectively, and tailor demands to what the victim may be able to pay.
This case shows that ransomware response is not only a technical process. It also depends on trust, access controls, supervision, and clear separation between negotiators, forensic teams, legal counsel, insurers, and payment facilitators.
What companies should review after the case
Organizations should review how they select and manage ransomware response vendors. Incident response firms should also assess whether their own controls can detect abuse by staff with access to client negotiation data.
The goal is not to slow emergency response. The goal is to make sure sensitive victim information does not become a tool for attackers.
Recommended controls include:
- Limit access to ransom negotiation strategy to staff who need it.
- Require logging for access to client negotiation files, chat records, and payment discussions.
- Use role-based access controls across incident response platforms.
- Separate negotiation roles from payment handling and forensic investigation when possible.
- Review vendor staff conflicts, side communications, and suspicious cryptocurrency exposure.
- Use legal counsel to define information-sharing rules during ransomware response.
- Audit communications with threat actors and preserve records for law enforcement.
BlackCat disruption remains part of the wider case
The sentencing follows earlier Justice Department action against BlackCat. In December 2023, DOJ announced that the FBI had developed a decryption tool and seized several websites operated by BlackCat actors.
The BlackCat disruption announcement said the FBI offered a decryption tool to hundreds of victims and saved victims from ransom demands totaling approximately $68 million at the time. The July 2026 Martino sentencing release later said the tool helped save approximately $99 million in ransom payments.
BlackCat still matters in ransomware history because its affiliate model, leak site pressure, and high-value targeting shaped many later extortion campaigns.
Operation Riptide targets cybercrime networks
DOJ said the Martino prosecution is part of Operation Riptide, an FBI campaign targeting cybercrime actors, infrastructure, financial networks, and fraud operations.
The operation reflects a broader law enforcement strategy: arrest individuals, seize infrastructure, recover funds, disrupt payment channels, and help victims restore systems where possible.
The BlackCat takedown and the sentences for Martino, Martin, and Goldberg show how prosecutors are targeting both ransomware operators and trusted professionals who help them.
Lessons for incident response teams
Incident response firms should treat ransomware negotiation data like highly sensitive financial and legal material. Access should be limited, monitored, and reviewed during and after each engagement.
Firms should also watch for employees accessing client files without a case need, exporting negotiation records, communicating through unapproved channels, or showing unexplained cryptocurrency activity.
The Goldberg and Martin sentencing release shows that the conspiracy involved people with cybersecurity backgrounds, not only external hackers. The FBI and CISA advisory remains useful for understanding BlackCat tactics, but the Martino case adds a separate warning about insider trust during crisis response.
FAQ
Angelo Martino is a former Florida ransomware negotiator who worked for a U.S.-based cyber incident response company. He was sentenced to 70 months in federal prison for conspiring with BlackCat ransomware actors and other former cybersecurity professionals.
Prosecutors said Martino shared confidential victim negotiation information with BlackCat actors and helped them maximize ransom demands. He also conspired with Kevin Martin and Ryan Goldberg to deploy BlackCat ransomware against additional U.S. victims.
The Justice Department said the conspirators successfully extorted one victim for approximately $1.2 million in Bitcoin. They split their share of the payment three ways and laundered the proceeds.
Kevin Martin of Texas and Ryan Goldberg of Georgia were sentenced on April 30, 2026, to 48 months each in federal prison for their role in BlackCat ransomware attacks against multiple U.S. victims.
The case shows that ransomware response can include insider risk. Negotiators and incident response providers may access sensitive victim strategy, insurance, and payment information, so companies need strict access controls, logging, and oversight during ransomware incidents.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages