Cybercrime
Every ransomware incident runs on one uncomfortable assumption: that the people you bring in to help are actually on your side. A case that concluded in a Florida federal court this month blew a hole straight through that assumption. Three cyber professionals — two of them ransomware negotiators whose day job was to defend victims — have been sentenced for working as an affiliate crew of the ALPHV/BlackCat operation. One of them didn’t just moonlight as an attacker; he sold out the very clients who were paying him to protect them.
This is not another “big scary ransomware gang” story. It’s an insider-threat story, and it lands right in the middle of the incident-response industry itself. If you run an IR practice, negotiate on behalf of victims, broker cyber insurance, or you’re a CISO who will one day have to trust one of these firms on the worst day of your career — this one is worth your time.
What actually happened
Between April 2023 and April 2025, three US-based practitioners — Angelo Martino (Florida), Ryan Clifford Goldberg (Georgia) and Kevin Tyler Martin (Texas) — operated as an affiliate crew for ALPHV/BlackCat. Two of them held roles at firms whose entire reason for existing is to defend ransomware victims: Martino and Martin were ransomware negotiators at a Chicago-based incident-response company (reported as DigitalMint), and Goldberg was an incident-response manager at Sygnia. These weren’t outsiders who breached the industry. They were the industry.
They ran the scheme on two tracks, and it’s the second one that should keep you up at night.
Track one: they became the attackers
The crew signed up as a BlackCat affiliate the way any criminal does — paying the ransomware administrators a flat 20% cut of every ransom in exchange for the malware build and access to the group’s leak-and-extortion platform. They then deployed it against at least five US organisations, encrypting systems and stealing data for double-extortion leverage, and split the remaining 80% three ways before laundering it. Straightforward affiliate crime — just carried out by people with above-average tradecraft because it was, quite literally, their profession.
Track two: the negotiator sold the game
Here’s the part that breaks the trust model. When a victim engages a ransomware negotiator, that negotiator becomes one of the very few people who holds the whole hand: the organisation’s true budget, its internal red lines, its urgency — and, crucially, its cyber-insurance policy limits. In a normal negotiation, the attacker doesn’t know any of that. That information asymmetry is the single biggest lever a victim has.
Martino handed it to the other side. While retained to negotiate ransoms down on behalf of clients, he secretly fed BlackCat operators those clients’ internal negotiating positions and insurance limits — and BlackCat paid him for the feed. Once an attacker knows exactly what a victim can pay and where they’ll break, the “negotiation” isn’t a negotiation any more. It’s a fixed transaction with a pre-agreed number.
The compromise here wasn’t of a network. It was of the trust model that incident response depends on. That’s a much harder thing to patch.
The scale is bigger than the headlines suggested
Most of the press coverage led with a roughly $1.2–1.3M ransom paid by a Tampa medical-device company. But the publicly filed charging document (S.D. Fla., docket 26‑CR‑20065‑KMM) tells a much larger story: ten victims across two patterns of conduct. The five victims where Martino was the inside man paid ransoms that, added together, run to roughly $75 million. The quiet insider betrayal had, by some distance, the larger financial footprint.
| Victim (sector / location) | Role | ~Date | Outcome |
|---|---|---|---|
| Non-profit | Insider brokering | Apr 2023 | ~$26.79M paid |
| Financial services | Insider brokering | Oct 2023 | ~$25.66M paid |
| Hospitality | Insider brokering | Sep 2023 | ~$16.48M paid |
| Retail | Insider brokering | Oct 2023 | ~$6.10M paid |
| Medical | Insider brokering | Oct 2023 | ~$213K paid |
| Medical device — Tampa, FL | Direct attack | May 2023 | ~$1.27M paid ($10M demanded) |
| Drone (UAV) maker — Virginia | Direct attack | May 2023 | Refused |
| Engineering — California | Direct attack | Jul 2023 | Refused ($5M demanded) |
| Pharmaceutical — Maryland | Direct attack | Oct 2023 | Refused ($1M demanded) |
| Doctor’s office — California | Direct attack | Nov 2023 | Refused; patient data leaked |
All three pleaded guilty to Hobbs Act extortion conspiracy. Martino got 70 months — the longest sentence, despite pleading to a single count, which tells you how the court weighed the negotiator betrayal. Goldberg and Martin got 48 months each. Law enforcement seized over $10 million in assets: a stack of cryptocurrency (including a notably large Monero holding), a Nissan Skyline R34, an off-road vehicle, two Florida properties and a 28-foot boat. The FBI tracked Goldberg across ten countries when he tried to run.
Why this matters — and what to actually do about it
It’s tempting to file this under “rare, extreme, won’t happen to me.” Don’t. The specifics are extreme; the underlying risk is completely ordinary. Any organisation that concentrates sensitive leverage — financial limits, breach details, negotiating strategy — in the hands of a small number of trusted people has this exposure. The IR and negotiation industry just happens to concentrate it in a particularly juicy form.
If you run or buy incident-response and negotiation services, here’s where I’d focus:
- Treat insurance limits and negotiating positions as crown-jewel data. They are the target here, not the network. Compartmentalise them on strict need-to-know within an engagement — a single negotiator shouldn’t silently hold and be able to exfiltrate the entire leverage picture.
- Instrument your own people. DLP and egress monitoring on case-management systems, access logging, and alerting on out-of-band contact with actor infrastructure. If you defend clients but can’t see what your own responders are doing with client data, that’s the gap.
- Segregation of duties and dual control over key negotiation decisions and any handling of victim financial or insurance detail. One person should not be able to quietly alter or leak the position.
- Personnel assurance that assumes crossover risk. These are people with exactly the skills to pivot to the offensive side of the market. Vetting, clear outside-activity and conflict-of-interest policies, and awareness of financial stress all matter more here than in most sectors.
- Client and insurer side: limit how widely policy limits circulate during an incident, and treat the negotiation channel as potentially compromised. Assume the number you’d walk away at could reach the attacker, and plan accordingly.
The reassuring part is that the system worked in the end — the firms cooperated, the individuals were terminated, and the prosecutions were swift. But “we caught them afterwards” is not a control. The lesson for the rest of us is to make the trust verifiable rather than assumed, with auditable controls around the most sensitive data we handle on our clients’ behalf.
[post generated by Claude Opus 4.8] (don’t hate me, It’s early on a Friday morning!)
Sources: US Department of Justice — Florida ransomware negotiator sentenced and Two Americans sentenced (ALPHV/BlackCat); the publicly filed charging document (26‑CR‑20065‑KMM); CyberScoop; The Hacker News; BleepingComputer. Figures — particularly per-victim ransom amounts — are as extracted from these sources and should be confirmed against the official S.D. Fla. court record before use in any formal context.
