Third US Security Professional Sentenced to 70 Months for Aiding BlackCat Ransomware
A pointed law-enforcement pattern — the third US security professional sentenced for aiding ransomware operations lands this week.
A pointed law-enforcement pattern lands this week: the third US security professional in a single BlackCat investigation is sentenced, this one to 70 months for turning a victim-response role into an inside line to the attackers.
WASHINGTON, D.C. — A former ransomware negotiator who was paid to help US companies survive extortion instead fed the attackers his clients' confidential positions, and on July 10, 2026 a federal court sentenced him to 70 months in prison. Angelo Martino, 41, of Land O'Lakes, Florida, is the third US security professional in the same investigation to be sentenced for aiding a ransomware operation. Reporting from TechCrunch and other outlets ties Martino to the BlackCat/ALPHV group and to his former employer, incident-response firm DigitalMint.
The framing that matters for defenders is not the crime's novelty but its position. Martino did not breach a firewall or write malware; he occupied the seat of trust that victim organizations lean on hardest during a ransomware crisis — the negotiator retained to represent them against the very group he was secretly helping. The Department of Justice says he supplied the operators with the negotiating strategy and internal positions of his employer's clients so the attackers could push ransoms higher, and that the arrangement touched at least five victims. Two other US security professionals charged in the same investigation were each sentenced to four years earlier this year, making Martino's term the longest of the three.
What Multi-Source Reporting Documented
Four independent outlets converged on the same core facts on July 10, 2026. SecurityWeek reported the sentence as the third US security expert imprisoned for helping a ransomware gang, The Hacker News framed it as a negotiator receiving 70 months for aiding BlackCat attacks, TechCrunch described a Florida negotiator convicted for helping a gang extort US companies, and CyberScoop named the defendant as a former DigitalMint negotiator who duped his own clients. The cross-confirmed elements are consistent: Angelo Martino, 41, of Florida; former employer DigitalMint; the BlackCat/ALPHV operation; and a 70-month sentence that makes him the third security professional in the case to be sentenced.
The Department of Justice's account is that Martino held a position of trust as a ransomware negotiator — a role in which a security firm is retained by a breached company to communicate with attackers and try to reduce or resolve an extortion demand. Rather than represent his employer's clients, prosecutors say, he was paid by the BlackCat operators to hand over confidential information about those clients' negotiating position and strategy, so the attackers could maximize the ransoms the victims ultimately paid. Investigators say the conduct began in April 2023 and touched at least five victim organizations.
Martino pleaded guilty in April 2026 to conspiring to interfere with interstate commerce through extortion, the same charge his two co-defendants entered. Reporting places the combined extortion linked to the scheme at roughly $75.3 million, and authorities seized about $10 million in assets from Martino, including cryptocurrency, vehicles, a food truck, and a fishing boat. A September hearing will set the restitution he owes. The specific victims have not been publicly named in the reporting reviewed here.
A Pattern of US Security Professionals Convicted for Aiding Ransomware
The word doing the heavy lifting in every headline is "third." Martino is the last of three US security professionals sentenced in the same investigation. The other two — Kevin Martin of Texas and Ryan Goldberg of Georgia — were each sentenced to four years in April 2026, and, like Martino, two of the three worked as ransomware negotiators tasked with helping victims. That a single case produced three convictions of the people organizations hire to defend them turns an anecdote into a pattern, and it lands amid a broader run of ransomware-adjacent prosecutions, including the 102-month sentence handed to Karakurt negotiator Deniss Zolotarjovs and a Ukrainian national's guilty plea in a Conti case.
The distinction worth holding onto is that these three defendants sat on the defender's side of the table by profession. Most ransomware prosecutions target affiliates, developers, or launderers on the attacker's side, as in the charges against a Russian national tied to the Void Blizzard cluster. The DigitalMint case is different in kind: it is about people who held a security firm's credentials, its client relationships, and its access to sensitive incident data, and who monetized that trusted position. For an industry that spent years arguing that negotiation and incident response are legitimate, insurable, defender-side services, three convictions of practitioners inside that trade is a reputational and regulatory event, not just a criminal one. It also sends buyers a message specific to the response market: the government will prosecute the trusted responder as readily as the attacker.
What the Case Means for Incident-Response and Ransomware-Negotiation Vendors
For firms that sell incident-response and ransomware-negotiation services, the DigitalMint case is a direct advisory. A negotiation engagement concentrates exactly the assets an attacker would most like to have: the victim's true willingness to pay, the ceiling set by its cyber-insurance policy, the internal urgency created by downtime, and the timeline driving the decision. A negotiator who leaks that picture hands the other side a complete map of the client's position. The defensive lesson is that this information must be treated as crown-jewel data inside the responding firm — access-controlled, logged, and compartmentalized — rather than as working notes visible to any assigned analyst.
That implies concrete controls. Engagement data should be segregated per-client under least privilege, so no single negotiator holds unmonitored, end-to-end visibility into a live matter; second-person review of communications with attacker infrastructure reduces the room for a lone insider to run both sides; and egress and financial monitoring on responders' own accounts can surface the anomalies a purely outward-facing program will miss. Buyers have their own list — named, background-vetted personnel, auditable access logs, retained independent visibility into the negotiation channel, and conflict-of-interest and segregation-of-duties commitments. The same trust-boundary reasoning applies across the response supply chain, and it echoes the exposure seen when attackers target the professional-services layer, as in the FBI's warning about the Silent Ransom Group's in-person and USB attacks on law firms.
Trust, Access, and the Insider Problem in Crisis Response
Strip the case to its mechanics and it is a textbook insider-threat scenario, distinguished only by the setting. The classic insider risk is an employee with legitimate access who abuses it; here that access happened to be to other companies' worst days. The setting amplifies the damage twice over. The trust is externalized — a breached organization extends extraordinary confidence to an outside negotiator precisely because it is in crisis and lacks the in-house expertise to go it alone, lowering its guard when the stakes are highest. And the access is time-boxed and high-intensity, so the abuse can occur and conclude inside a short engagement window, before ordinary trust-but-verify rhythms would catch it.
The frame that fits is zero trust applied to people and partners, not just networks. The premise that no actor should be implicitly trusted by virtue of position maps cleanly onto a negotiator: their seat at the table is a grant of privilege that should be continuously verified, logged, and bounded, not a blanket of confidence extended for the duration. None of this argues against using professional negotiators, who resolve incidents most in-house teams cannot handle. It argues for structuring those relationships so a single individual cannot quietly become a double agent. The convictions do not indict the practice of negotiation; they indict the assumption that a defender-side title is proof of defender-side loyalty.
Scope and Impact
The confirmed scope is bounded but serious. Prosecutors tie Martino's conduct to at least five victim organizations, and reporting cites roughly $75.3 million in extortion for the scheme in aggregate. His cooperation with the BlackCat operators began in April 2023, and the 70-month sentence — the longest of the three defendants — reflects the court's assessment of that role. The $10 million in assets seized, spanning cryptocurrency, vehicles, a food truck, and a fishing boat, gives a rough measure of the personal proceeds, though the final restitution figure will not be set until the September hearing.
The second-order impact falls on trust in the response market. Every organization that has retained a negotiation firm now has reason to ask what its provider knew, how it controls access to engagement data, and whether the same failure could occur elsewhere. That question will likely reshape procurement language and insurance requirements for these services, and it sharpens the risk calculus for cyber insurers, who frequently steer policyholders toward specific response vendors; an insider failure at a preferred provider is now a court-tested scenario rather than a hypothetical. For BlackCat's victims, the case is a coda to an operation already dismantled in a US-led action in late 2023 before a subsequent exit scam — but the broader ransomware market is undiminished, and the pattern of three convicted insiders is the part with forward-looking weight.
Response and Attribution
Attribution here is a matter of court record rather than threat-intelligence inference. The defendant is named, has pleaded guilty, and has been sentenced; the operation he aided, BlackCat/ALPHV, is identified by the Department of Justice; and the co-defendants, Kevin Martin and Ryan Goldberg, are likewise named and sentenced. That clarity distinguishes this from a fresh breach disclosure, where actor and vector are usually provisional. The action sits within a wider pattern of law-enforcement pressure on ransomware ecosystems, from Europol's Operation Endgame 2.0 takedown of ransomware-supply-chain servers and operators to multinational arrest campaigns such as Interpol's Operation Ramz across the MENA region.
The response also underscores that enforcement is increasingly reaching the people and services around ransomware, not only affiliates and infrastructure. Recent examples on this beat include a guilty plea from an alleged Scattered Spider member in the Transport for London case and Microsoft's action against a code-signing-as-a-service operation whose customers were ransomware crews. The DigitalMint sentencing extends that reach one step further inward, into the defender-branded services layer, and signals that a professional's security-industry standing offers no shield when it is used to help the attackers. For organizations, the practical response is not to abandon outside negotiators but to harden how those relationships are structured — vetting named personnel, insisting on access logging and segregation of duties, and treating every crisis partner as an actor to be verified.
Open Questions
Several details remain outside the confirmed record. The specific victim organizations have not been publicly named in the reporting reviewed here, so the sector composition and geographic spread of the five-plus victims is unknown. The final restitution figure is unresolved and will be set at the September hearing; the roughly $75.3 million cited in reporting describes the extortion associated with the scheme rather than a settled restitution amount. And while two co-defendants are named and sentenced, the full division of roles among the three — who negotiated which incidents, and how the arrangements overlapped — is not fully laid out in the public reporting. Equally open is the institutional aftermath: what internal controls failed to catch a negotiator running both sides of engagements over a multi-year period, and what changes the incident-response sector adopts in response. As with any active enforcement matter, specifics may be refined as court filings and further reporting develop.
The CyberSignal Analysis
The reported facts above are drawn from the Department of Justice's case and multi-source reporting; what follows is The CyberSignal's editorial reading of what defenders should take from them. None of the judgments below are new reported facts.
Signal 01 — The Trusted Responder Sits Inside the Blast Radius
The most durable lesson is not that a negotiator went bad but where he sat when he did. A ransomware negotiator is retained precisely because a breached organization is at its most exposed, and the role concentrates the client's willingness to pay, insurance ceiling, downtime pressure, and decision timeline into a single set of hands. That is not a peripheral advisory function; it is privileged access to the victim's weakest moment. Our reading is that organizations should model outside responders as part of the attack surface, not as a trusted extension of the internal team.
Reframing the negotiator as a high-privilege insider changes what oversight the engagement warrants. The controls that matter are the ones that apply to any privileged actor — vetting, least-privilege access to engagement data, logging, and independent review of the communication channel — rather than the implicit trust a security-industry title tends to earn. The seat at the table is a grant of privilege, and it should be verified continuously rather than extended as a blanket for the duration of the crisis.
Signal 02 — Three Convictions Make This a Pattern, Not an Outlier
One corrupt negotiator is an anecdote; three convicted in a single investigation is a pattern, and the pattern is the part defenders should internalize. The DigitalMint case establishes, on the court record, that the incident-response and negotiation trade has a demonstrated insider-risk problem, and that law enforcement will pursue it. Our assessment is that this shifts insider risk in the response supply chain from a theoretical concern to a documented one that procurement, security, and insurance functions now have to price in.
The forward-looking implication is that buyers will — and should — start demanding evidence of insider-risk controls from their response vendors, the way they already do from software and cloud suppliers. Expect contract language on named personnel, access logging, and segregation of duties to migrate from nice-to-have to baseline. The firms that can show a real internal control program around engagement data will have a defensible advantage; the ones that cannot are now carrying a risk their clients have every reason to scrutinize.
Signal 03 — Vet the Responder as Rigorously as the Vendor
The actionable takeaway is to extend third-party risk discipline to the human services pulled in during a crisis. Organizations have learned to scrutinize the security posture of their software and cloud vendors; the same rigor rarely reaches the negotiation, forensic, and legal partners retained under time pressure mid-incident — exactly when scrutiny is hardest to apply and matters most. Our view is that the crisis-response roster deserves the same vetting, access controls, and monitoring as any privileged third party.
In practice that means named and background-checked personnel, auditable access to engagement data, segregation of duties so no single individual holds end-to-end control of a negotiation, and retained independent visibility into the attacker-facing channel. None of this eliminates insider risk, but it compresses the window in which a lone trusted responder can operate unobserved. That window is what this case exploited, and closing it is the concrete thing organizations can do with the DigitalMint convictions beyond noting them.