Insider betrayal in incident response: DigitalMint's former negotiators fed BlackCat's multimillion-dollar extortion


The case that has shaken the incident response industry and the ransom negotiation business reveals an uncomfortable dimension: people with privileged access to sensitive information who, instead of protecting the victims, use it to maximize the attackers' payout. According to court documents, Angelo Martino - a former employee of the incident response firm DigitalMint - pleaded guilty for his role in a series of ransomware attacks linked to the BlackCat operation (also known as ALPHV) between 2023 and 2025. The filing is available among the court documents published on DocumentCloud.

The prosecution's case does not stop at one isolated actor: Martino acted together with two other negotiators working for incident response firms - identified as Kevin Tyler Martin and Ryan Clifford Goldberg - and all three face charges of conspiracy to extort and intentional damage to protected computer systems. According to the prosecution, while negotiating on behalf of victims, they leaked key information on negotiating positions and insurance policy limits, which allowed BlackCat operators to demand amounts close to those limits. The documents further indicate that, as BlackCat affiliates, these individuals paid the group's administrators a 20% commission for access to the malware and the extortion portal.


The economic impact described in the indictment is severe: the victims include law firms, schools, medical centres and financial services companies. In some cases, extraordinarily large ransom payments were recorded, with examples reaching more than $25 million per victim. These magnitudes highlight how professionalized and profitable - for criminals - ransomware operations have become in recent years.

The disclosure that professional negotiators collaborated with a criminal group raises questions about the trust that organizations place in those who help them manage cyber crises. The traditional role of the negotiator is to reduce the damage: to assess the situation, to advise on options and, where appropriate, to negotiate the release of data or keys. When that role is corrupted, the victim is exposed twice: first by the initial intrusion, and then because the information that should be protected helps inflate the extortion.

From an organizational perspective, DigitalMint's response was quick and sharp: the company said that it had fired the employees involved after discovering the reported conduct, and it condemned the acts. The firm's reaction, as covered in news reports, points to the need for more rigorous internal controls in companies that handle critical information during security incidents. For coverage of the company's reaction and other details, see BleepingComputer.

Beyond this particular case, BlackCat / ALPHV has been identified by security agencies as one of the most active ransomware groups and one of the most capable of monetizing its attacks. The FBI and other security entities have documented dozens of breaches linked to the group and estimated that operators and affiliates collected hundreds of millions of dollars in ransom payments during recent periods. To understand the broader context in which these gangs operate, and the recommendations on how to prepare and respond, agencies such as CISA and the FBI offer guides and alerts that can be consulted at CISA - Ransomware and in the FBI's cyber investigations section.

This episode leaves clear lessons for companies, insurers and response service providers: access controls, segregation of duties, internal activity monitoring and integrity vetting of those involved in incident management are not optional. Response firms must audit their processes and demonstrate that they act with transparency, because the most valuable asset during an attack is not only the technical capacity to recover systems, but the trust they maintain with the victim.


There is also a regulatory and market dimension. As ransom payments reach enormous sums, scrutiny of cyber insurance purchases and of how incidents are reported and managed is growing. Regulators, insurers and end customers will increasingly require guarantees on the ethics and traceability of negotiations and decisions made on behalf of an affected organisation. If the industry does not incorporate effective safeguards, trust, a pillar of the cybersecurity business, can be eroded.

Finally, for those working in security or leading organizations, the case is a warning: it is not enough to hire specialists; it is necessary to verify their conduct, to limit privileges and to establish mechanisms that detect and prevent abuse. The ransomware ecosystem is evolving rapidly, both in techniques and in economic models, and events like the one involving Martino, Martin and Goldberg are a reminder that threats can also come from the inside.

For further information on the evidence submitted by the prosecution and on the formal charges, consult the filing on DocumentCloud. For context on BlackCat / ALPHV and mitigation resources, CISA maintains useful materials on its ransomware page, and the FBI publishes investigations and alerts on its cyber investigations portal.
