MIAMI – The ransomware negotiator’s job, as it is sold to panicked companies, is straightforward: sit between the victim and the criminal, talk the ransom down, and manage the crisis. Angelo Martino was doing the opposite.
A federal jury in Florida convicted Martino this week on charges that he conspired with the BlackCat/ALPHV ransomware operation throughout 2023, deploying attacks against American businesses and splitting the extortion proceeds with the gang he was supposedly negotiating against. Martino is the third person sentenced in a scheme that federal prosecutors say generated more than $1.2 million in a single attack and yielded over $10 million in assets seized by law enforcement.
His co-conspirators, Kevin Martin and Ryan Goldberg, were convicted earlier for their roles in the same operation. The three worked together to deploy BlackCat ransomware against targets in the United States, collect ransom payments from affected companies, and divide the proceeds. The Department of Justice said investigators recovered more than $10 million in cryptocurrency tied to the scheme, along with a food truck and a luxury fishing boat.
BlackCat, also known as ALPHV, is the ransomware group the FBI has linked to some of the most costly cyberattacks in recent US history. In February 2024, the gang breached Change Healthcare, a UnitedHealth Group subsidiary that processes roughly 40 percent of US medical claims. The attack disrupted hospital billing, delayed pharmacy prescriptions across the country, and exposed the personal data of approximately 192 million Americans. Martino’s conspiracy predates that attack, but it confirms that by 2023, BlackCat was already operating as a layered criminal enterprise with recruitable business-side enablers.
The insider threat that Martino represents is distinct from the technical operators who write and deploy ransomware code. He provided cover. A company facing an active ransomware attack that calls a negotiator trusts that negotiator to represent their interests exclusively. Martino had already sold that trust to the attackers before the call began. Every apparent effort to reduce the ransom, every reassurance to the client, was a performance designed to extract a payment he would then split with the people who caused the breach.
TechCrunch, which reported the conviction Thursday, noted that the case illustrates a dimension of ransomware’s profitability that law enforcement has had difficulty reaching. The analysis noted “the complex web of individuals who support ransomware operations.” Standard ransomware prosecutions target developers, network operators, and money launderers. Martino’s conviction extends that legal theory into the professional services layer – the consultants, intermediaries, and facilitators who lend ransomware operations legitimacy and deniability.
The FBI and the Department of Justice have broadened their prosecution approach in ransomware cases over the past three years, pursuing not only coders and operators but also hosting providers, cryptocurrency mixers, and now professional service brokers. Each conviction in this category establishes legal precedent that the ransomware ecosystem’s supporting cast can be held criminally liable for the harm caused by the gangs they served.
For the companies breached in the conspiracy, the conviction does not undo what happened. Ransom payments were made. Business operations were disrupted. Whether the seized $10 million in cryptocurrency will flow back to victims through restitution orders is a matter for the sentencing court to determine. Martino faces a sentence exceeding five years in federal prison; his formal sentencing date has not yet been set.
The victims’ position in a ransomware prosecution is structurally uncomfortable. They hired a negotiator they believed was working for them. They paid a ransom they hoped would end the attack. The man they trusted had already arranged to profit from both sides of the transaction. Whether companies can better identify trustworthy incident response professionals – and whether the FBI will develop clearer public guidance on vetting ransomware negotiators – were not addressed in the government’s post-verdict statements.
BlackCat/ALPHV ceased public operations in early 2024 after the Change Healthcare breach drew intense law enforcement focus. Its infrastructure went dark; former affiliates dispersed into successor criminal brands operating under different names and infrastructure. The network that supported BlackCat – the recruiters, the money handlers, the fixers like Martino – did not disappear with the brand. Convictions like Martino’s create individual accountability but do not resolve the systemic supply chain of ransomware support that makes attacks this sophisticated possible at scale.
What the Martino case makes concrete is an uncomfortable truth the cybersecurity industry has discussed abstractly for years: not everyone who arrives to help after a ransomware attack is on your side. The incentive structures of the ransomware ecosystem reward those who extend and complicate the crisis rather than end it. Martino found a way to get paid for doing exactly that.

