The Justice Department is accusing an incident responder of conducting cyberattacks and helping ransomware gangs negotiate higher payouts from the same victims he was working for. 

Angelo Martino surrendered to the U.S. Marshals on Tuesday and bonded out the same day, agreeing to perform no cyber industry work as part of his release. 

In court documents, prosecutors said Martino worked with two other cybersecurity professionals to launch ransomware attacks on behalf of the now-defunct ALPHV/BlackCat cybercrime group.

The two other men, Ryan Goldberg and Kevin Martin, each pleaded guilty in December to one count of conspiracy to obstruct commerce by extortion and are facing up to 20 years in prison. Their sentencing will take place on April 30. 

Martino, Goldberg and Martin earned about $1.2 million from an attack on a Florida medical company but were unsuccessful in extorting the other nine victims. 

Goldberg worked for incident response firm Sygnia, and Martin and Martino were ransomware negotiators for DigitalMint. Prosecutors had hinted during the prosecution of Goldberg and Martin that there was a third person they were pursuing. 

The court documents unsealed this week accuse Martino of not only conducting at least 10 ransomware attacks alongside the other two men but going as far as helping the ALPHV/BlackCat cybercrime group extort victims he was assigned to assist as an employee of DigitalMint. 

Starting in April 2023, Martino provided confidential information about ransomware negotiations to ALPHV/BlackCat actors while working as a negotiator. 

Prosecutors listed five instances in 2023 where Martino was working as a ransomware negotiator but “provided direction and confidential information to co-conspirators in order to maximize the ransom payment in exchange for a portion of the ransom payment.”

The ransoms Martino helped negotiate were large, including ones that reached $26 million, $25 million, $16 million, and $6 million. 

Prosecutors did not say how much of the ransom Martino received in exchange for the information he provided. 

Martino was charged with one count of conspiracy to interfere with interstate commerce by extortion. The DOJ did not respond to requests for comment about the case.

DigitalMint said in a statement that Martino’s actions were concealed from the company and were in violation of both company policy and ethical standards. The company terminated Martino and Martin when they learned of their behavior. DigitalMint also assisted the Justice Department in its investigation of the incidents. 

“DigitalMint condemns these individuals’ criminal behavior, which is a clear violation of our values, our ethical standards, and the law,” the company said in a statement on Thursday. “Our firm and industry both exist to support organizations suffering from the impacts of a cyberattack, and this runs completely counter to what we stand for.”

The company claimed the men had “preexisting relationships relating to their involvement in ransomware-related schemes before joining DigitalMint.”

DigitalMint said it was first informed of the DOJ’s investigation into Martino in April 2025. They suspended his access to company systems the same day and fired him in June.

The company added that since the incident, it has instituted several new controls that mandate all negotiations be conducted over cloud-based platforms that can be audited and logged. One of the company’s founders will now personally oversee all negotiations. All employees of DigitalMint will have their information given to the Department of Homeland Security (DHS) for oversight. 

The company said it is also working with DHS to create a registry for threat actor negotiators in an effort to increase the transparency around ransom negotiators and set up standards for ransom payments. 

The incident has caused outrage within the cybersecurity community, though many experts have long expressed quiet concern about the thorny role of ransom negotiators.

Allan Liska, a ransomware expert and threat analyst with Recorded Future, the parent company of The Record, said the incident is “not a good look for our industry” but that DigitalMint appears to have responded appropriately. 

“Just as threat actors have access to all the red teaming tools we use in security, many in security have access to the tools threat actors use,” Liska said. “For a small number of people in this industry that is going to be a huge temptation, especially seeing how much money some cybercriminals make.”