Ransomware Negotiator Pleads Guilty to BlackCat Scheme
A cautionary tale illustrates why the person negotiating should never be involved with any part of the ransom payment process, experts noted.
Alexander Culafi, Senior News Writer, Dark Reading
April 21, 2026
A former ransomware negotiator pleaded guilty this week to conspiring with the ransomware actor BlackCat/ALPHV to commit ransomware attacks against US companies in 2023.
The Department of Justice revealed the plea yesterday as part of its continuing campaign to take down BlackCat, a prolific ransomware actor that was previously responsible for attacks against hospitals and universities, as well as big-name targets. For example, an affiliate was reportedly responsible for the now-infamous attack against Change Healthcare in 2024. As of now, the entity known as BlackCat has largely disappeared, but law enforcement action continues.
Angelo Martino, 41, of Land O'Lakes, Florida, collaborated with BlackCat/ALPHV actors to extort organizations beginning in April 2023. According to a statement from the Department of Justice, Martino abused his role at a US-based cyber incident response firm to assist the cybercriminals. While working on behalf of five victims, he "provided BlackCat attackers with confidential information about the negotiating position and strategy of his company's clients without the clients' or his employer's knowledge or permission."
That confidential information included victim insurance policy limits and internal negotiation positions, provided so BlackCat could maximize payouts from their victims. BlackCat paid Martino for his collaboration.
Three Cybersecurity Professionals Turned Rogue
Martino additionally admitted to conspiring with two other cybersecurity professionals, Ryan Goldberg of Georgia and Kevin Martin of Texas. They successfully deployed BlackCat ransomware between April and November of 2023 against multiple US-based victims. "After successfully extorting one victim for approximately $1.2 million in Bitcoin, the men split their share of the ransom three ways and laundered the funds through various means," DOJ noted.
Law enforcement has seized approximately $10 million in assets from Martino to date, including multiple vehicles (such as a food truck and a luxury boat) as well as digital currency obtained as part of this ransomware activity.
Martino pleaded guilty to one count of extortion. Goldberg and Martin entered guilty pleas for the same charge in December. Martino will be sentenced July 9 and the others will be sentenced on April 30. All three face a maximum sentence of 20 years in prison.
Martino and Martin were employed by DigitalMint, while Goldberg was a Sygnia employee. Both firms said they cooperated fully with law enforcement. DigitalMint previously told Dark Reading that both guilty employees had been terminated, and that the actions of Martin and Martino violated its ethical standards. Meanwhile, Sygnia said Goldberg acted on his own and Sygnia clients were not affected by his actions.
Martino's plea comes three days after the UK's Tyler Buchanan pleaded guilty to wire fraud and aggravated identity theft, according to the DOJ. He conspired with others to breach at least a dozen companies via text-based phishing attacks while also stealing at least $8 million of virtual currency. The 24-year-old reportedly was affiliated with Scattered Spider.
"Clear Separation" Between Negotiation, Payment
Daniel Tobok, CEO of incident response firm Cypfer and longtime ransomware negotiator, tells Dark Reading that based on available information, Martino almost certainly had too much access to financial data and payment processes, allowing him to pass specific information to BlackCat. "I am a true believer that there should be separation between the person doing the negotiations and the process of payment," Tobok says.
"When you have a clear separation, you have different people doing the negotiations, doing the strategy, and coming up with a number, they don't have anything to monetize or benefit from," he says. Those kinds of firewalls help reduce conflicts of interest and self-dealing.
Morey Haber, chief security advisor at BeyondTrust, says in an email that an uncomfortable takeaway from this incident is that trust, even for one's protectors, should not be absolute.
"For ransomware victims, trust must always be verified, not implied by a company name, title, or even simply a website advertising negotiation services," Haber writes. "Ransomware victims should separate negotiation (if legal), response (recovery), and forensic (remediation) roles while enforcing least privilege even for third parties consuming sensitive data about the incident."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.