Insider Turned Attacker
In a case that highlights the risk of insider threats in the cybersecurity industry, Angelo Martino, 41, a former employee of ransomware negotiation and incident response company DigitalMint, has pleaded guilty to participating in BlackCat (ALPHV) ransomware attacks against U.S. companies in 2023.
Martino, who held a position that gave him access to sensitive victim information and negotiation channels, allegedly leveraged that insider knowledge to facilitate attacks rather than defend against them — a stark betrayal of the trust placed in incident response professionals.
The Case Against Martino
According to court documents, Martino conspired with BlackCat (ALPHV) ransomware affiliates to attack U.S. organizations during 2023. The charges reflect a pattern where Martino allegedly:
- Used his access to information about victim organizations to assist ransomware actors
- Leveraged insider knowledge of incident response processes to maximize extortion leverage
- Participated in the financial chain of the BlackCat ransomware operation
The Department of Justice has not disclosed the full list of victim organizations or the total amount of ransom paid as a direct result of Martino's activities, but the BlackCat ransomware group was responsible for attacks against hundreds of organizations globally, including critical infrastructure, healthcare systems, and large enterprises.
BlackCat (ALPHV): Background
BlackCat, also known as ALPHV, was one of the most prolific and sophisticated ransomware-as-a-service (RaaS) operations of the 2022–2024 period. Operating as a RaaS platform, BlackCat provided ransomware tooling and infrastructure to affiliates who carried out attacks in exchange for a share of the ransom proceeds.
Key characteristics of BlackCat operations:
| Attribute | Detail |
|---|---|
| Platform | Ransomware-as-a-Service (RaaS) |
| Language | Rust (cross-platform capability) |
| Extortion Model | Triple extortion (encrypt, exfiltrate, DDoS) |
| Notable Victims | Change Healthcare, MGM Resorts, Caesars Entertainment |
| Law Enforcement Action | FBI disruption operation December 2023 |
| Current Status | Operationally disbanded after FBI action |
The Insider Threat Dimension
The Martino case raises serious concerns about the insider threat risk within cybersecurity incident response firms. These organizations routinely handle some of the most sensitive information available:
- Victim organizations' network architecture — acquired during remediation engagements
- Negotiation strategy and ransom payment capacity — determined through financial discussions with victims
- Existing security gaps — identified during post-breach forensic analysis
- Law enforcement coordination details — including whether victims have engaged the FBI
An employee with access to this information who is also in contact with ransomware threat actors represents an exceptionally high risk. Martino's case is a rare public example of a confirmed insider-threat scenario within the incident response industry.
Industry Implications
The cybersecurity incident response and ransomware negotiation industry is a critical component of the broader defense ecosystem, but it operates with limited formal regulation and varying standards for employee vetting. Martino's case has prompted discussion about:
- Background screening for individuals with access to victim data during incident response
- Separation of duties between negotiation teams and technical responders
- Insider threat monitoring within incident response firms themselves
- Regulatory oversight of ransomware negotiation and payment facilitation services
Sentencing and DOJ Context
Martino pleaded guilty to conspiracy charges and faces a federal prison sentence. The exact sentencing date had not been publicly announced at the time of writing. The Department of Justice has increasingly prioritized prosecuting not just ransomware operators but also those who facilitate, enable, or benefit from ransomware operations — including negotiators, affiliates, and infrastructure providers.
This case follows a broader pattern of DOJ enforcement actions targeting the ransomware ecosystem from multiple angles, including disrupting infrastructure, sanctioning cryptocurrency addresses, and now prosecuting individuals within the legitimate cybersecurity sector who crossed legal lines.