Monday 06 July 2026 17:35:10 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Ransomware & Extortion

Betrayal Within: Ransomware Negotiators Turned BlackCat Accomplices

Published: 21 April 2026 13:08Category: Ransomware & ExtortionGeo: North AmericaAuthor: SECPULSE

Insider threat exposed as former cyber defenders admit to aiding notorious ransomware gang in multimillion-dollar U.S. extortion spree.

When U.S. companies fell victim to the fearsome BlackCat ransomware, they turned to trusted negotiators for help. Little did they know, some of those experts were secretly feeding their most sensitive secrets straight to their attackers. The recent guilty pleas of three former ransomware negotiators have rocked the cybersecurity world, revealing a shocking tale of insider betrayal and criminal collusion.

Angelo Martino, a 41-year-old former incident responder at DigitalMint, along with Ryan Clifford Goldberg and Kevin Tyler Martin, were supposed to be the last line of defense for ransomware victims. Instead, federal prosecutors say these men crossed the line from negotiators to conspirators, exploiting their positions to help BlackCat ransomware operators squeeze the maximum cash out of desperate victims.

According to court documents, while officially negotiating on behalf of five organizations hit by BlackCat in 2023, Martino covertly provided the cybercriminals with inside knowledge. This included the victims’ negotiation strategies and the limits of their insurance policies-critical information that allowed the attackers to demand higher ransoms with chilling precision. The trio didn’t just act as informants; between April 2023 and April 2025, they actively participated as BlackCat affiliates, carrying out attacks, threatening data leaks, and demanding payment.

As part of their operation, the defendants paid BlackCat administrators a 20% cut of all ransom proceeds in exchange for access to the gang’s ransomware and extortion platform. Their victims were not limited to faceless corporations: the list included a financial services firm and a nonprofit, both forced to pay ransoms exceeding $25 million, as well as law firms, school districts, and healthcare facilities.

The breach of trust has sent shockwaves through the cybersecurity and incident response community. DigitalMint CEO Jonathan Solomon condemned the actions, emphasizing that Martino and Martin were fired as soon as their duplicity came to light. The case highlights a growing concern: not just about outside attackers, but about insiders who weaponize their privileged access and knowledge.

BlackCat, also known as ALPHV, is among the world’s most prolific ransomware groups, with the FBI linking them to over 60 breaches in just five months and estimating over $300 million extorted from more than 1,000 victims by late 2023. This case is a chilling reminder that the fight against cybercrime is not just about technology, but about trust-and what happens when that trust is broken from within.

As the court prepares to sentence the disgraced negotiators, the cybersecurity world is left grappling with the fallout. The line between defender and attacker has never been thinner, and the need for vigilance-both technical and ethical-has never been greater.

WIKICROOK

  • Ransomware: Ransomware is malicious software that encrypts or locks data, demanding payment from victims to restore access to their files or systems.
  • Incident Response: Incident response is the structured process organizations use to detect, contain, and recover from cyberattacks or security breaches, minimizing damage and downtime.
  • Affiliate: An affiliate is an independent criminal or group that uses tools from a larger cybercrime organization to launch attacks, sharing profits with the provider.
  • Extortion Portal: An extortion portal is a website used by cybercriminals to publish stolen data, pressuring victims to pay ransom by threatening public exposure.
  • Insider Threat: An insider threat is when someone within an organization misuses their access to systems or data, intentionally or accidentally causing harm.