🤚 The Open-Palm Indictment
Angelo John Martino III, a 41-year-old from Land O’Lakes, Florida, has been sentenced to 70 months in federal prison for doing exactly what you hope your ransomware negotiator is not doing: working for the other side.
Martino was employed by DigitalMint, a cybersecurity incident response firm hired by companies to negotiate with ransomware gangs on their behalf. Instead of negotiating against the BlackCat/ALPHV ransomware group, Martino was simultaneously advising them on how to extract the maximum possible payment from his own clients. He shared confidential information including insurance policy limits and negotiation positions — the two pieces of data that turn a ransomware demand from “we’d like some money” into “we know exactly how much money you have.”
The result: five U.S. companies paid a combined $75.3 million in ransom between April and September 2023.
👐 The Two-Handed Shakedown
The breakdown of that $75.3 million reads like a menu at a restaurant where the prices make you quietly close the menu and pretend you weren’t hungry:
- A nonprofit organization: $26.8 million
- A financial services firm: $25.7 million
- A hospitality company: $16.5 million
- Two additional victims: $6.1 million and $213,000
In one documented exchange, Martino told a BlackCat affiliate: “Keep denying our offers and I will let you know once I find out the max the[y] want to pay.” Which is the ransomware equivalent of a poker player texting the other table their own hand, except the stakes were corporate survival and the poker player was being paid to represent you.
Martino was not alone. His co-conspirators include Kevin Tyler Martin, another DigitalMint negotiator, and Ryan Clifford Goldberg, a former incident response manager at cybersecurity firm Sygnia. Martin and Goldberg attacked five additional companies between April and November 2023, split approximately $1.3 million from a medical company ransom, pleaded guilty in December, and were each sentenced to four years in prison in May.
Three ransomware negotiators from two different incident response firms, all working for the same ransomware gang. The cybersecurity industry’s quality assurance process would like a moment of quiet reflection.
🌿 The Gentle Awakening
When authorities finally caught up with Martino, they seized $10 million in assets, which is how you learn what a ransomware negotiator does with his side income. The shopping list:
- A $1.68 million bayfront home
- Cryptocurrency (naturally)
- Multiple vehicles
- A food truck
- A 29-foot luxury fishing boat
The food truck is the detail that elevates this from cybercrime to performance art. A man who secretly collected millions by betraying companies in crisis also, apparently, had a passion for mobile cuisine. The fishing boat at least has thematic consistency — the man was, after all, professionally skilled at reeling people in.
DigitalMint, for its part, stated that it maintained “controls consistent with industry standards” and that Martino “intentionally hid his conduct” through separate communication channels. Which is both probably true and not the reassuring statement the company thinks it is, because “industry standards” just produced three insider threats across two firms.
👑 The Gold-Leaf Reckoning
The ransomware negotiation industry exists because ransomware payments are, for many companies, a rational economic decision. You hire a specialist. The specialist talks to the criminals. The criminals lower their price. Everyone pretends this is professional services and not a protection racket with invoices.
What the Martino case reveals is the structural flaw in that arrangement: the negotiator has access to both sides. They know what you’ll pay. They know what the attacker will accept. And the only thing preventing them from playing both ends is their professional ethics and the hope that nobody is offering them a percentage of a $26.8 million payout to simply share a number.
The cybersecurity industry now faces an uncomfortable question. If three negotiators from two firms were compromised by a single ransomware operation, how many more are currently holding open a side channel? The answer is probably not zero, and the industry’s response — better vetting, stricter controls, enhanced monitoring — is exactly what these firms were already selling to their clients as a service.
The call, as they say, was coming from inside the incident response retainer.
“He negotiated down the ransom demands, forwarded the victims’ maximum budget to the attackers, and used the proceeds to buy a food truck. The triple threat.” — The Slap of Wisdom Incident Response Team, currently negotiating its own trust issues