A former US ransomware negotiator has been jailed for feeding victim data to the very BlackCat (ALPHV) gang he was hired to fight — a case that should make every UK backup and disaster recovery team re-examine who really has visibility into their incident response chain, via ransomware protection planning.
View the data behind this chart
| Financial | Nonprofit | |
|---|---|---|
| Ransom Paid | $m25.66 | $m26.793 |
What the court documents show
Angelo Martino, 41, a former employee of US incident response firm DigitalMint, has been sentenced to 70 months in prison for his role in BlackCat ransomware attacks carried out between April 2023 and April 2025, according to BleepingComputer. Martino worked alongside two other former Sygnia and DigitalMint negotiators, Kevin Tyler Martin and Ryan Clifford Goldberg, who were each sentenced to four years in May after pleading guilty to conspiracy to obstruct commerce by extortion.
Rather than simply negotiating on behalf of victims, the trio operated as BlackCat affiliates — demanding ransoms, threatening to leak stolen data, and paying the BlackCat administrators a 20% cut of proceeds in exchange for access to the ransomware and extortion portal. Prosecutors said Martino went further still, sharing victims' confidential insurance policy limits and negotiation positions with BlackCat operators so they could extract the maximum possible payment while he was formally acting as their negotiator for five separate victims.
Why a negotiator can do more damage than a hacker
This case is not about a network being breached from outside — it is about the exact people trusted to reduce ransom demands instead engineering them upward. Martino and his co-conspirators' victims included a financial services firm that paid $25,660,000 and a nonprofit that paid $26,793,000, alongside school districts, medical facilities, law firms and other financial companies, per the court records cited by BleepingComputer.
For a UK IT leader, the lesson isn't just about vetting negotiators specifically — it's about recognising that anyone with privileged visibility into breach scope, cyber insurance limits, or recovery timelines can materially worsen an incident from the inside. That includes internal staff, managed service partners, and any third party engaged during a live managed detection and response engagement.
Where insider risk meets backup infrastructure
BlackCat itself is a serious threat on the numbers alone. The FBI has linked the gang to more than 60 breaches between November 2021 and March 2022, and estimated it collected at least $300 million in ransom payments from over 1,000 victims through September 2023, according to the FBI advisory referenced by BleepingComputer.
The insider angle matters most where backup and recovery data intersects with negotiation leverage. If someone with inside knowledge understands how quickly (or slowly) a victim can restore operations from backup, that knowledge becomes a pricing lever for the attacker. This is exactly why immutable, isolated recovery capability — not just fast recovery — needs to be treated as sensitive infrastructure, reviewed under the same zero trust principles applied to production systems.

An audit checklist for UK backup and DR teams
Servnet's view is that this case should trigger a practical, near-term review rather than a policy rewrite. UK buyers should treat it as a prompt to check specific gaps:
- •Confirm which internal staff and external partners can see backup topology, recovery point objectives, or cyber insurance limits, and whether that access is logged and time-limited
- •Review contracts with incident response and negotiation providers for termination-for-cause clauses, background-check requirements, and audit rights over individual staff conduct
- •Test whether backup and recovery systems remain fully isolated from the same identity and access layer as production, so a single compromised credential — internal or external — cannot touch both
- •Run a tabletop exercise assuming the attacker already has insider knowledge of your recovery capability, not just your perimeter defences
- •Feed any anomalous access to sensitive incident data into existing managed detection and response alerting rather than relying on trust alone
Recovery infrastructure has to assume the worst
Independent guidance from Everpure Blog on FlashArray backup best practices reinforces the same principle from the storage layer: immutable snapshots, SafeMode-style protections, and a proper 3-2-1 backup strategy are designed precisely so that recovery does not depend on any single person, internal or external, behaving honestly under pressure.
DigitalMint's chief executive, Jonathan Solomon, told BleepingComputer the firm "strongly condemn[s] these former employees' criminal behaviour, which violated our values, ethical standards, and the law," adding that both were terminated immediately once the conduct was discovered. That response is reasonable after the fact — but UK buyers should be asking their own cyber security and incident response partners what controls exist before the fact, and factoring the cost of that assurance into ongoing IT finance planning alongside broader resilience spend such as any pending VMware alternatives migration.
