US Charges Former DigitalMint Negotiator for Allegedly Partnering With BlackCat in Ransomware Extortion
Former DigitalMint ransomware negotiator Angelo Martino pleaded guilty to conspiring with ALPHV/BlackCat operators and U.S.-based accomplices to attack and extort American organizations while simultaneously serving in a trusted incident-response role. Prosecutors said Martino used insider access to share confidential victim information — including negotiation positions, strategies, and insurance policy limits — with BlackCat actors, helping drive up ransom demands. He was previously charged with conspiracy to interfere with interstate commerce by extortion after surrendering to U.S. Marshals, and he now faces up to 20 years in prison.
Court filings allege Martino worked with former DigitalMint negotiator Kevin Tyler Martin and former Sygnia incident response manager Ryan Goldberg in at least 10 attacks, including cases where five victims hired DigitalMint and were assigned Martino as their negotiator. Authorities said the group acted as BlackCat affiliates, paid the gang a 20% share for use of its ransomware and extortion portal, and extracted more than $75.25 million across multiple incidents, including payments exceeding $25 million and one Florida medical-sector extortion that yielded about $1.2 million in Bitcoin. Law enforcement has seized roughly $10 million or more in Martino’s assets, while DigitalMint said it was unaware of the scheme, fired the implicated employees, cooperated with investigators, and added stronger oversight, auditing, and logging controls.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Martino sentencing scheduled for July 9
Following his April 21, 2026 guilty plea in the BlackCat insider-extortion case, Angelo Martino's sentencing was scheduled for July 9, 2026. The new reference identifies this court date as the next major procedural step in the case.
Goldberg and Martin sentenced in BlackCat extortion case
On April 30, 2026, Ryan Goldberg and Kevin Martin were each sentenced to four years in prison for deploying ALPHV/BlackCat ransomware against multiple U.S. victims in 2023. The Justice Department said they acted as BlackCat affiliates in a ransomware-as-a-service scheme and had previously pleaded guilty in December 2025.
Martino pleads guilty in BlackCat ransomware conspiracy case
On April 21, 2026, Angelo Martino pleaded guilty to conspiring with BlackCat/ALPHV operators and U.S.-based accomplices to deploy ransomware and extort U.S. victims. He admitted abusing his negotiator role to provide confidential client information, including insurance limits and negotiation strategies, to maximize ransom payments.
U.S. charges Martino in BlackCat insider-extortion scheme
Federal prosecutors unsealed charges against Angelo Martino in March 2026, accusing him of conspiracy to interfere with interstate commerce by extortion and of sharing confidential negotiation information with ALPHV/BlackCat while participating in attacks. Authorities also seized millions of dollars in cryptocurrency and other assets tied to him.
Martino surrenders to U.S. Marshals
Angelo Martino surrendered to the U.S. Marshals on March 10, 2026, in connection with allegations that he aided BlackCat attacks and abused his role as a ransomware negotiator. He was later released under bond and employment restrictions.
Federal complaint filed against Angelo Martino
A federal criminal complaint and supporting affidavit against Angelo Martino were filed on February 25, 2026, outlining allegations that he conspired with ALPHV/BlackCat affiliates and misused confidential ransomware negotiation information. The filing preceded his March 10 surrender and the later public unsealing of charges in March 2026.
Martin and Goldberg plead guilty in BlackCat extortion case
In December 2025, Kevin Tyler Martin and Ryan Goldberg pleaded guilty to conspiracy to obstruct commerce by extortion for their roles in the BlackCat-linked insider scheme. Their sentencings were later set for April 30, 2026.
DigitalMint terminates Martino after DOJ notification
DigitalMint said it fired Angelo Martino the day after suspending his access following DOJ notification. The company also said it later strengthened oversight, auditing, and logging controls around negotiations.
DOJ alerts DigitalMint about Martino's alleged conduct
DigitalMint said the Justice Department notified the company about Angelo Martino's alleged criminal activity on April 3, 2025. The company then suspended his access and began cooperating with law enforcement.
FBI disrupts BlackCat infrastructure and offers decryptor to victims
In December 2023, the Justice Department and FBI disrupted BlackCat/ALPHV by seizing its websites and deploying an FBI-developed decryptor. Authorities said the action helped victims avoid roughly $99 million in ransom payments.
Martino, Martin, and Goldberg conduct BlackCat-linked attacks
Between April and November 2023, Angelo Martino, Kevin Tyler Martin, and Ryan Goldberg allegedly deployed ALPHV/BlackCat ransomware against multiple U.S. victims while also using insider knowledge from incident response and negotiation work. Prosecutors say the broader scheme ultimately involved at least 10 attacks in 2023 and more than $75.25 million in ransom payments.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
28 references tracked. Mallory keeps watching after this page renders.
DOJ Sentences Two Americans to Prison for ALPHV BlackCat Attacks on U.S. Victims
cybersecuritynews.com
Open sourceTwo US cybersecurity experts sentenced in ransomware case, third awaits July ruling
securityaffairs.com
Open sourceA Ransomware Negotiator Was Working for a Ransomware Gang - Schneier on Security
schneier.com
Open sourceTwo Cybersecurity Professionals Get 4-Year Sentences in BlackCat Ransomware Attacks
thehackernews.com
Open sourceFeds say another DigitalMint negotiator ran ransomware attacks and extorted $75 million | CyberScoop
cyberscoop.com
Open sourceUS charges another ransomware negotiator linked to BlackCat attacks
bleepingcomputer.com
Open sourceOffice of Public Affairs | Two Americans Plead Guilty to Targeting Multiple U.S. Victims Using ALPHV BlackCat Ransomware | United States Department of Justice
justice.gov
Open sourceUnclassified
ismg-cdn.nyc3.cdn.digitaloceanspaces.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Insider Ransomware Attacks by Cybersecurity Professionals Using BlackCat
Three former employees of cybersecurity firms DigitalMint and Sygnia have been indicted for orchestrating a series of BlackCat (ALPHV) ransomware attacks against five U.S. companies between May and November 2023. The accused, including Kevin Tyler Martin and Ryan Clifford Goldberg, allegedly abused their positions as incident response professionals to gain unauthorized access to victim networks, deploy ransomware, steal sensitive data, and demand cryptocurrency ransoms ranging from $300,000 to $10 million. The Department of Justice and FBI state that the group operated as BlackCat affiliates, with at least one successful extortion resulting in a $1.27 million payment from a Tampa medical device manufacturer after its servers were encrypted. The indictment details additional targets, including a Maryland pharmaceutical company, a California doctor's office, a California engineering firm, and a Virginia drone manufacturer, though it is unclear if further ransom payments were made. DigitalMint and Sygnia have both denied organizational involvement, terminated the implicated employees, and are cooperating with law enforcement. The case highlights the risk of insider threats within cybersecurity firms and the sophisticated tactics used by ransomware operators to exploit trusted access for criminal gain.
Mar 21, 2026
Cybersecurity Professionals Plead Guilty to ALPHV/BlackCat Ransomware Attacks
Two cybersecurity professionals, Ryan Goldberg and Kevin Martin, have pleaded guilty to conspiracy charges after using their positions as a ransomware negotiator and incident response manager to conduct ransomware attacks with the ALPHV/BlackCat group. The pair, along with an unnamed co-conspirator, leveraged their infosec expertise to compromise five organizations—including a medical device company, a pharmaceutical firm, a doctor's office, an engineering company, and a drone manufacturer—between May and December 2023. They agreed to pay ALPHV administrators 20% of any ransom collected in exchange for access to the ransomware platform. The only successful extortion resulted in a $1.2 million bitcoin payment from the medical device company, which was split among the perpetrators, with a portion sent to ALPHV. Patient photos stolen from the doctor's office were published on the gang’s leak site. Goldberg and Martin face up to 20 years in prison, with sentencing scheduled for March. Authorities highlighted the betrayal of trust, as both men used their cybersecurity training and privileged access to facilitate the very crimes they were supposed to prevent.
Mar 21, 2026
ALPHV/BlackCat Takedown Disrupted Ransomware Network Before Suspected Exit Scam
The FBI and international partners disrupted the infrastructure of **ALPHV/BlackCat**, a major ransomware-as-a-service operation linked to more than 1,000 victims and attacks across U.S. critical infrastructure sectors including healthcare, manufacturing, government, emergency services, schools, and defense-related organizations. U.S. authorities seized multiple ALPHV-operated sites and said an FBI-developed decryptor was provided to more than 500 victims worldwide, helping dozens restore systems and avoid an estimated **$68 million** in ransom payments. Officials described ALPHV as one of the world’s most prolific ransomware groups, and said the investigation remained active even though no arrests were announced. Months later, ALPHV appeared to collapse amid allegations that its operators staged an **exit scam** after receiving a reported **$22 million** ransom tied to the Change Healthcare attack. A new seizure notice posted on the group’s leak site was disavowed by the U.S. Justice Department, Europol, and the U.K. National Crime Agency, while researchers said it reused elements from the legitimate law-enforcement takedown page. Reporting and affiliate claims indicated the group’s leaders kept the payment, cut off an affiliate, and then announced on a cybercrime forum that they were shutting down and planned to sell the malware source code, reinforcing assessments that affiliates may migrate and the operators could reappear under a new brand.
May 26, 2026