Former Ransomware Negotiator Sentenced to 70 Months for BlackCat Extortion Scheme


A former Florida ransomware negotiator has been sentenced to 70 months in federal prison for helping BlackCat/ALPHV ransomware actors extort victims and for joining separate ransomware attacks against U.S. organizations.

Angelo Martino, 41, of Land O’Lakes, Florida, previously worked for a U.S.-based cyber incident response company where he helped ransomware victims during negotiations. According to the Justice Department sentencing release, Martino instead shared confidential victim information with BlackCat actors so they could increase pressure and demand larger payments.

The case turns a common ransomware response risk into a criminal prosecution: the person hired to help victims allegedly used inside knowledge to help the attackers. Prosecutors said Martino also worked with two other former cybersecurity professionals to deploy BlackCat ransomware against additional victims in 2023.

Who is Angelo Martino?

Martino was employed as a ransomware negotiator at a U.S. cyber incident response company. His job gave him access to sensitive information that victims often share during a crisis, including negotiation plans, internal strategy, payment limits, insurance details, and recovery considerations.

Federal prosecutors said Martino abused that position beginning in April 2023. He allegedly provided BlackCat actors with confidential details about five ransomware victims and their negotiating positions.

That information gave the attackers a clearer view of how much pressure to apply and how much money victims might be able or willing to pay.

PersonLocationCybersecurity roleSentence
Angelo MartinoFloridaFormer ransomware negotiator70 months in prison
Kevin MartinTexasFormer cybersecurity professional and Martino coworker48 months in prison
Ryan GoldbergGeorgiaFormer cybersecurity professional at a separate incident response company48 months in prison

What prosecutors say Martino did

Martino pleaded guilty on April 14, 2026, to one count of conspiracy to interfere with interstate commerce through extortion. Prosecutors said he helped BlackCat ransomware actors extort multiple victims while he was supposed to help victims respond to attacks.

The Justice Department said Martino was paid by BlackCat attackers to provide confidential information about client strategy and negotiation positions. That gave criminals insight into victim decision-making during ransom talks.

Martino also conspired with Kevin Martin and Ryan Goldberg to deploy BlackCat ransomware against additional U.S. victims in 2023. After one victim paid approximately $1.2 million in Bitcoin, the three men split their share of the ransom and laundered the proceeds.

Co-defendants were also sentenced

Martin and Goldberg were sentenced on April 30, 2026, to four years each in federal prison. The Justice Department’s co-defendant sentencing release said the men used their cybersecurity skills to attack multiple U.S. victims with ALPHV BlackCat ransomware.

Prosecutors said the three men agreed to pay ALPHV BlackCat administrators a 20% cut of ransoms received in exchange for access to the ransomware and the group’s extortion platform.

The remaining 80% share from at least one ransom was split three ways among Martino, Martin, and Goldberg.

BlackCat’s ransomware-as-a-service model

BlackCat, also known as ALPHV or Noberus, operated as a ransomware-as-a-service group. In that model, developers maintain the malware, infrastructure, and extortion platform, while affiliates carry out intrusions and share a portion of ransom proceeds.

The FBI and CISA’s ALPHV BlackCat advisory describes the group’s activity and notes that BlackCat affiliates used extortion, stolen data, and encryption to pressure victims.

The group became one of the most disruptive ransomware operations globally before U.S. authorities disrupted part of its infrastructure in December 2023.

BlackCat roleFunctionRisk to victims
DevelopersBuild and update ransomware, maintain infrastructure, and run extortion platformsEnable scalable attacks across many affiliates
AffiliatesBreak into networks, steal data, encrypt systems, and demand paymentDirectly compromise victim organizations
Insider enablersProvide victim information, credentials, strategy, or accessIncrease attacker leverage during negotiations
Money launderersMove cryptocurrency proceeds through wallets and other channelsHelp criminals hide ransom profits

More than $10 million in assets seized

Law enforcement has seized more than $10 million in assets from Martino, according to DOJ. The seized property includes digital currency, vehicles, a food truck, and a luxury fishing boat.

Prosecutors said the assets were obtained through the extortion scheme. A restitution hearing is scheduled for September 17, 2026, to determine how much Martino must repay.

The DOJ release also said the FBI Miami Field Office led the investigation with support from the U.S. Secret Service.

Why the insider angle matters

Ransomware negotiators and incident response providers can receive highly sensitive information during a crisis. That information may include board-level discussions, legal strategy, insurance coverage, backup status, restoration timelines, and the maximum payment a victim might consider.

If an insider leaks those details, attackers gain a direct advantage. They can reject lower offers, time public pressure, threaten data leaks more effectively, and tailor demands to what the victim may be able to pay.

This case shows that ransomware response is not only a technical process. It also depends on trust, access controls, supervision, and clear separation between negotiators, forensic teams, legal counsel, insurers, and payment facilitators.

What companies should review after the case

Organizations should review how they select and manage ransomware response vendors. Incident response firms should also assess whether their own controls can detect abuse by staff with access to client negotiation data.

The goal is not to slow emergency response. The goal is to make sure sensitive victim information does not become a tool for attackers.

Recommended controls include:

  1. Limit access to ransom negotiation strategy to staff who need it.
  2. Require logging for access to client negotiation files, chat records, and payment discussions.
  3. Use role-based access controls across incident response platforms.
  4. Separate negotiation roles from payment handling and forensic investigation when possible.
  5. Review vendor staff conflicts, side communications, and suspicious cryptocurrency exposure.
  6. Use legal counsel to define information-sharing rules during ransomware response.
  7. Audit communications with threat actors and preserve records for law enforcement.

BlackCat disruption remains part of the wider case

The sentencing follows earlier Justice Department action against BlackCat. In December 2023, DOJ announced that the FBI had developed a decryption tool and seized several websites operated by BlackCat actors.

The BlackCat disruption announcement said the FBI offered a decryption tool to hundreds of victims and saved victims from ransom demands totaling approximately $68 million at the time. The July 2026 Martino sentencing release later said the tool helped save approximately $99 million in ransom payments.

BlackCat still matters in ransomware history because its affiliate model, leak site pressure, and high-value targeting shaped many later extortion campaigns.

Operation Riptide targets cybercrime networks

DOJ said the Martino prosecution is part of Operation Riptide, an FBI campaign targeting cybercrime actors, infrastructure, financial networks, and fraud operations.

The operation reflects a broader law enforcement strategy: arrest individuals, seize infrastructure, recover funds, disrupt payment channels, and help victims restore systems where possible.

The BlackCat takedown and the sentences for Martino, Martin, and Goldberg show how prosecutors are targeting both ransomware operators and trusted professionals who help them.

Lessons for incident response teams

Incident response firms should treat ransomware negotiation data like highly sensitive financial and legal material. Access should be limited, monitored, and reviewed during and after each engagement.

Firms should also watch for employees accessing client files without a case need, exporting negotiation records, communicating through unapproved channels, or showing unexplained cryptocurrency activity.

The Goldberg and Martin sentencing release shows that the conspiracy involved people with cybersecurity backgrounds, not only external hackers. The FBI and CISA advisory remains useful for understanding BlackCat tactics, but the Martino case adds a separate warning about insider trust during crisis response.

FAQ

Who is Angelo Martino?

Angelo Martino is a former Florida ransomware negotiator who worked for a U.S.-based cyber incident response company. He was sentenced to 70 months in federal prison for conspiring with BlackCat ransomware actors and other former cybersecurity professionals.

What did Martino do in the BlackCat case?

Prosecutors said Martino shared confidential victim negotiation information with BlackCat actors and helped them maximize ransom demands. He also conspired with Kevin Martin and Ryan Goldberg to deploy BlackCat ransomware against additional U.S. victims.

How much ransom did the conspirators receive?

The Justice Department said the conspirators successfully extorted one victim for approximately $1.2 million in Bitcoin. They split their share of the payment three ways and laundered the proceeds.

What happened to Kevin Martin and Ryan Goldberg?

Kevin Martin of Texas and Ryan Goldberg of Georgia were sentenced on April 30, 2026, to 48 months each in federal prison for their role in BlackCat ransomware attacks against multiple U.S. victims.

Why does this case matter for ransomware response?

The case shows that ransomware response can include insider risk. Negotiators and incident response providers may access sensitive victim strategy, insurance, and payment information, so companies need strict access controls, logging, and oversight during ransomware incidents.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages