When a company gets hit with ransomware and calls in a negotiator, they are making an assumption: that the person across the table from the attackers is working for them. That assumption, it turns out, can be wrong.
On April 21, 2026, Angelo Martino β a 41-year-old from Land OβLakes, Florida, who worked as a ransomware negotiator β pleaded guilty in federal court to one count of conspiracy to commit extortion. The Department of Justiceβs charge against him is blunt: while presenting himself as an independent advocate helping ransomware victims navigate their situations, Martino was secretly collaborating with the BlackCat/ALPHV ransomware operation, helping the gang extract higher payments from the very clients he was supposedly representing.
He faces a maximum sentence of twenty years. Sentencing is scheduled for July 9, 2026.
What Ransomware Negotiators Do β and What Martino Did Instead
Ransomware negotiation is a legitimate professional field. When an organisation is hit with ransomware, the gap between the attackerβs initial demand and a settlement is often enormous β criminal groups routinely open at multiples of what they expect to receive. Professional negotiators serve a real purpose: they understand how ransomware operations price victims, what the actual settlement range looks like for a given group and victim profile, and how to communicate with criminal actors in a way that shortens the engagement and reduces the final payment.
Victims hire negotiators because they lack this expertise. The negotiatorβs value proposition is precisely that they are independent β they have no incentive to inflate the settlement because their fee is typically a percentage of the savings achieved or a flat retainer, not a percentage of the ransom paid.
Martinoβs alleged scheme inverted this arrangement entirely. Beginning in April 2023, he established a covert working relationship with operators of the BlackCat/ALPHV ransomware-as-a-service platform. BlackCat β also known as ALPHV β was at the time one of the most active and technically sophisticated ransomware operations in the world, responsible for attacks on healthcare systems, critical infrastructure, and hundreds of enterprises across every major industry.
According to the DOJβs charging documents, Martino used his position as a trusted intermediary to help the gang rather than the victims. The precise mechanics of his collaboration have not been fully disclosed in public court filings, but the structure of the scheme is clear: a negotiator with access to both the victimβs internal deliberations and the attackerβs demands was feeding information in one direction while claiming to serve the other.
The Structural Betrayal
The specific harm Martinoβs scheme caused extends beyond any individual payment inflated by his assistance. It represents a corruption of the entire trust model on which incident response depends.
When a ransomware victim engages a negotiator, they share information they would not share with the attackers directly: their actual financial position, their tolerance for downtime, whether their backups are viable, what the business impact of a given recovery timeline would be. This information is used to craft a negotiating strategy. In Martinoβs alleged arrangement, that information was flowing to the attackers.
A victim sharing that their backups are compromised, that they face a regulatory deadline, or that their cyber insurance policy has a specific sublimit for ransomware payments is providing the gang with everything they need to calibrate a final demand precisely at the limit of what the victim can bear. The negotiator becomes not a defender but a targeting asset.
The DOJβs press release notes that Martino worked with BlackCat/ALPHV beginning in April 2023 β placing his collaboration in the period when BlackCat was most actively targeting US healthcare organisations. The February 2024 attack on Change Healthcare, which disrupted medical billing and pharmacy operations for weeks and caused billions in losses, drew the most sustained public attention to the groupβs capabilities. Whether Martinoβs activities intersected with any specific high-profile attacks has not been confirmed in court filings.
BlackCat/ALPHV: A Gang That Was Already Gone
The timing of Martinoβs prosecution has an ironic dimension. BlackCat/ALPHV effectively ceased operations in March 2024, when its operators conducted an exit scam β seizing the $22 million ransom payment that their own affiliate had extracted from Change Healthcare and then taking down their infrastructure, leaving affiliates unpaid and victims without decryption keys they had been promised.
The FBI subsequently seized BlackCatβs infrastructure and published decryption tools. The gangβs leadership has not been publicly indicted.
Martino was thus working with a criminal operation that no longer exists as an active threat. His prosecution is in some sense a cleanup action β the DOJ pursuing accountability for conduct that occurred within an already-dismantled operation. But the guilty plea carries significance beyond the specific gang involved.
Related Guilty Pleas: Professionals Who Crossed the Line
Martinoβs plea was accompanied by a related DOJ action: two US cybersecurity professionals separately pleaded guilty to charges related to deploying ALPHV ransomware in attacks on US organisations. The details of those cases have not been fully disclosed, but the pattern is notable.
Professional cybersecurity practitioners β whether negotiators, consultants, or incident responders β occupy positions of extraordinary trust during ransomware incidents. They have access to victim networks, internal communications, legal and insurance strategy, and sometimes technical environments that are being actively recovered. The rare individual who abuses that position does structural damage to the profession beyond any individual harm they cause.
The DOJβs decision to prosecute both Martino and the professionals-turned-operators in related cases signals an awareness that the cybersecurity industryβs insider threat problem is not limited to corporate IT departments. The professionals called in to help are not immune to the financial incentives that drive criminal actors β and when they cross that line, they deserve the same prosecutorial attention.
What This Means for Incident Response
For organisations preparing their ransomware incident response plans, the Martino case adds a dimension to third-party vetting that most incident response frameworks do not explicitly address.
Standard guidance recommends engaging reputable negotiators with verifiable track records and clear fee structures. The Martino case suggests that verification needs to go further: understanding whether a proposed negotiator has affiliations with or histories involving known ransomware groups, examining whether their fee structure creates alignment or misalignment with victim interests, and establishing contractual confidentiality and conflict-of-interest representations.
This is not easy. The ransomware negotiation space is relatively small, largely unregulated, and operates without the licensing frameworks that govern, say, legal or financial advisors. There is no professional body that certifies ransomware negotiators, no disciplinary board that can sanction misconduct, and no public registry of practitioners.
Some established incident response firms have built negotiation practices with sufficient track record that their independence is credible. Solo practitioners or small operations with limited verifiable history carry higher uncertainty. In a $10 million ransomware situation, the cost of vetting the negotiator properly is trivial relative to the cost of employing one who is working for the other side.
A Maximum of Twenty Years
Martinoβs guilty plea to a single count of conspiracy to commit extortion is, legally speaking, the minimum necessary for a resolution. The maximum sentence is twenty years. Federal sentencing guidelines will consider the financial harm caused to victims, his cooperation with investigators, and any mitigating factors his counsel presents.
His attorney has not made public statements. The DOJ has not confirmed whether his cooperation provided information about BlackCat operations or other individuals involved in the scheme.
The July 9 sentencing date will establish the federal price for a ransomware negotiator who chose to work for the people they were hired to stop. Whatever that number is, it will matter β not as deterrence for the rare individual willing to cross this line, but as a signal about where the DOJ has placed the insider-threat category in its cybercrime enforcement priorities.
Angelo Martino, 41, of Land OβLakes, Florida, pleaded guilty on April 21, 2026 to one count of conspiracy to commit extortion for secretly collaborating with BlackCat/ALPHV ransomware operators while working as a ransomware negotiator. He faces a maximum of 20 years. Sentencing is July 9, 2026.
