The story that broke this week should make every business leader think twice about who they call when a cyberattack hits.

Angelo Martino was a ransomware negotiator — someone companies hire after hackers lock their systems and demand payment. His job was to sit across the table from cybercriminals and fight for his clients. Instead, he was sitting at the same table as the criminals the entire time.

This week, Martino pleaded guilty to conspiring with the BlackCat/ALPHV ransomware gang to extort the very companies that had hired him to protect them. While working as a negotiator for five victims, he fed the attackers confidential information in real time: the clients’ insurance policy limits, their internal negotiation strategies, how much they were willing to pay, and how the negotiations were unfolding. The criminals used that information to hold out for the maximum possible ransom.

He took a cut of every dollar he helped squeeze from his own clients.

How Big Was This

The numbers are staggering. Across more than 10 ransomware attacks, Martino and his co-conspirators helped extort a total of $75.25 million in ransom payments, according to federal prosecutors.

Among the five victims Martino personally represented through DigitalMint — the same companies paying him to negotiate on their behalf — the ransoms were catastrophic:

A nonprofit paid $26.8 million
A financial services firm paid $25.7 million
A hospitality company paid $16.5 million
A retail company paid $6.1 million
A medical company paid $213,000

All five paid. All five trusted the person running the attack to negotiate their release.

To understand the betrayal in real terms: while Martino sat in negotiation chats with one hospitality company, he was simultaneously texting the BlackCat gang with inside information. “Keep denying our offers and I will let you know once I find out the max they want to pay,” he told the attackers — while telling his client to hold firm. The company ultimately paid $16.5 million.

Law enforcement has seized $10 million in assets from Martino alone — a luxury fishing boat, two Florida properties, vehicles, and cryptocurrency. He faces up to 20 years in federal prison.

He Was Not Working Alone

Martino’s two co-conspirators were also cybersecurity professionals. Kevin Martin worked alongside Martino at DigitalMint as a ransomware negotiator. Ryan Goldberg was an incident response manager at Sygnia, a separate cybersecurity firm. All three pleaded guilty. Martin and Goldberg are scheduled for sentencing April 30.

Each played a specific role: Goldberg identified weaknesses and gained access to victims’ networks. Martin extracted data and encrypted systems. Martino negotiated — on behalf of both the criminals and the victims simultaneously.

DigitalMint, which is not accused of any wrongdoing, fired both employees the day after the Justice Department notified the company of the investigation. The company has said it had no prior knowledge of the scheme and found no evidence of criminal conduct beyond what is documented in the charges.

This Case Is Not a Surprise to the FBI

The Justice Department official who oversaw the case told CNN the investigation confirmed what the FBI had been hearing for years: that some corners of the ransomware negotiation industry had been compromised. “In working on ransomware for many years, we were hearing rumors [of misconduct], and I wasn’t shocked that we ended up with a case with these types of charged facts,” the official said.

The department is already looking at other unrelated instances of alleged fraud in the cybersecurity industry and could bring additional charges in the coming months. The specific pattern they’re watching: incident response firms that aren’t adding value for victims — just collecting fees while the hackers get paid anyway.

This case is “groundbreaking,” the DOJ official told CNN, because it forces hard questions about who is actually being paid to protect ransomware victims — and whether that protection is real.

Why the Ransomware Industry Created This Problem

Ransomware attacks have become so common and so costly that they’ve spawned an entire shadow industry: negotiators, recovery specialists, cryptocurrency brokers, and incident response firms. Many are legitimate. But the business structure — where negotiators operate between victims and criminals in largely unregulated backchannel deals — creates exactly the conditions for this kind of betrayal.

Magnus Jelen, an executive at Coveware, one of the more reputable firms in this space, explained it plainly: ransomware threat actors have a documented history of building direct relationships with negotiation firms, and some have developed mechanisms that let unethical intermediaries profit from ransom payments without the victim ever knowing.

“When these incentive structures operate out of sight, it is the victims who bear the consequences,” Jelen said. “Organizations end up paying ransoms that might otherwise have been avoided, further fueling the cyber extortion economy and reinforcing a cycle that puts more businesses at risk.”

In response, Coveware has already updated its own practices — the firm no longer charges any processing fee for clients that choose to pay ransoms, precisely to remove any incentive bias from the advice they give.

What This Means for Your Business

If you’re a business leader, the Martino case raises a question most companies have never thought to ask: if ransomware hit your organization tomorrow, who would you call? And how much do you actually know about them?

The five companies Martino victimized weren’t careless. They hired a professional firm with a known reputation. They paid for expert help. They still ended up paying tens of millions of dollars to the person who attacked them.

Here’s what having an actual plan looks like:

Know your IT partner before you need them. An incident is not the time to vet a vendor. Your managed IT provider, your incident response contacts, and your cyber insurance carrier should all be known, trusted relationships established in advance — not cold calls made at 2 AM when the network is down.

Understand your cyber insurance policy in detail. Martino exploited the fact that he knew his clients’ insurance limits before the negotiations began. Your IT team and insurance broker should review your policy together. Know your coverage, your exclusions, your notification requirements, and your ransom payment policies before you ever need to file a claim.

Have an incident response plan that doesn’t start with a Google search. The businesses that ended up in this scheme had no established response process that would have flagged a conflict of interest. When you’re scrambling, you make bad decisions under pressure. A written, practiced plan with pre-vetted contacts changes that.

Ask hard questions about compensation. If you ever engage an outside firm for incident response or ransomware negotiation, ask specifically how they are compensated. Ask if they receive any payment tied to the ransom amount. Ask what their conflict of interest policy is. Any legitimate firm should welcome those questions without hesitation.

The Relationship Is the Protection

The reason centrexIT clients don’t face this problem is straightforward: we are not strangers who show up after something goes wrong. We are embedded in your environment, we know your systems, and we’ve built a relationship with your team long before any incident occurs.

When something does go wrong, you’re not making a cold call under pressure to someone you found in a search result. You’re calling a team that already knows your network, your risk profile, your insurance situation, and your business — people whose interests are entirely aligned with yours.

That’s what it means to put people first. Not just in the good times, but especially when things go sideways.

That’s exactly the kind of conversation we have with businesses every day.

Ready to talk through your incident response plan?

Start with our free 2-minute cybersecurity assessment →

Or reach out directly — talk to our team.

Sources: