DigitalMint negotiator charged with running BlackCat attacks and corrupting negotiations to extort $75 million
By James Thaler
Federal prosecutors have charged a former cyber incident response negotiator with running ransomware attacks and corrupting negotiations on behalf of clients who hired his firm, helping extort a combined $75.3 million in the process.

The charge was filed February 25 in the Southern District of Florida but not unsealed until Tuesday (March 10), when Angelo Martino surrendered to U.S. marshals there.
Prosecutors allege Martino operated simultaneously as an ALPHV BlackCat affiliate and as the DigitalMint negotiator assigned to five victims of attacks he helped plan, passing confidential negotiation information to his co-conspirators to maximize ransom payments in exchange for a cut of the proceeds, and he now faces up to 20 years in prison.
Cyber Risk Insurer was first to report, in July of last year, that the U.S. Department of Justice was investigating Martino and to identify him by name, months before prosecutors unsealed the charge.
The charge identifies Martino as the individual previously referenced as the unnamed co-conspirator in the October indictment of Kevin Martin, a ransomware negotiator at DigitalMint, and Ryan Goldberg, an incident response manager at Sygnia, both of whom pleaded guilty in December and are scheduled for sentencing on April 30.
The filing came after Martino waived his right to prosecution by grand jury indictment and consented to prosecution by information, a procedural step that typically signals a cooperation agreement or negotiated plea with prosecutors. Cyber Risk Insurer first reported the October indictment when it was filed.
Cybersecurity news outlet CyberScoop reported that a plea hearing had been scheduled for March 19, though the U.S. Attorney's Office for the Southern District of Florida told The Insurer there is currently no hearing set for a change of plea.
The government has said it will seek restitution as required by federal statute, which in extortion cases is intended to compensate victims for losses traceable to the offense.
The alleged conspiracy ran from approximately April 2023 through April 2025, meaning it continued for more than a year after the DOJ's December 2023 disruption campaign against BlackCat. That broader law enforcement action first surfaced the alleged collusion involving Martino, according to sources who spoke to Cyber Risk Insurer last July.
Prosecutors say BlackCat attacked hundreds of institutions worldwide, caused tens of millions of dollars in ransom payments and claimed at least 20 victims in the Southern District of Florida alone.
According to the charging document, Martino, who resided in Land O' Lakes, Florida, obtained an affiliate account on the ALPHV BlackCat platform and conspired with Martin, Goldberg and others to break into victims' networks, steal and encrypt data, and extort ransom payments in cryptocurrency.
Five of those victims hired DigitalMint to handle their ransomware negotiations and were assigned Martino as their negotiator, a position prosecutors allege he used to pass confidential information about each victim's negotiating stance to his co-conspirators in order to maximize the ransom payment, taking a portion of each payment in return.
The charging document does not disclose what ransoms were originally demanded from those five victims, meaning the payments reflect what Martino allegedly helped extract after steering the negotiations, with no ceiling on the original demands visible in the court record.
The largest single payment among the five victims came from a nonprofit, which prosecutors say surrendered $26.8 million in cryptocurrency, followed by a financial services company that paid $25.7 million and a hospitality company that paid $16.5 million.
A retail company paid $6.1 million and a medical company paid $213,000, bringing the combined total across all five victims to $75.3 million, according to the charging document. It could not be confirmed to what extent those payments were covered by cyber insurance policies held by the affected victims, though cyber insurers routinely fund ransom payments as part of claims settlements.
Separately, prosecutors allege Martino and his co-conspirators carried out at least five direct ransomware attacks between May and November 2023, targeting a medical device company in Tampa, a Virginia-based manufacturer of unmanned aerial systems, a California engineering firm, a Maryland pharmaceutical company and a California doctor's office.
Initial demands across those attacks ranged from $300,000 to $10 million, though only the Tampa medical device company is confirmed to have paid, surrendering approximately $1.3 million in cryptocurrency, according to the charging document.
The forfeiture allegations in the charging document include cryptocurrency across more than a dozen wallet addresses spanning Bitcoin, Monero, Ripple, Solana and Stellar, along with two properties in Nokomis, Florida, a 1999 Nissan Skyline, a 2024 Polar RZR-24 Pro, a 2023 trailer and a vessel measuring just under 29 feet. CyberScoop reported that authorities seized approximately $12 million in assets and set a $500,000 bond.
DIGITALMINT 'HAS FULLY COOPERATED WITH LAW ENFORCEMENT'
DigitalMint said it suspended Martino's system access on April 3, 2025 after the Justice Department notified the company it was investigating him and terminated him the following day. The DOJ separately notified DigitalMint on June 17, 2025 that it was investigating Martin, and the company terminated him the same day, though DigitalMint said there was no indication at that point that the Martin investigation was connected to the firm or its clients.
"As we previously said, we strongly condemn these former employees' criminal behavior, which violated our values, ethical standards, and the law," DigitalMint CEO Jonathan Solomon said in a statement to The Insurer. "When we learned about the conduct, we immediately terminated both individuals."
The newly unsealed charges name Martino as the individual previously referenced as co-conspirator 1 in the October indictment, Solomon said, adding that the new filing, like the prior case, does not allege that DigitalMint had any knowledge of or involvement in the criminal activity.
"DigitalMint has fully cooperated with law enforcement from the outset and does not expect further charges," Solomon continued. "While no organization can completely eliminate insider risk, we take incidents like this extremely seriously and have strengthened safeguards and internal controls to further reduce the likelihood of similar conduct."
DigitalMint said its internal controls did not detect any anomalous behavior in Martino's negotiations prior to being contacted by law enforcement, with the company saying his conduct was concealed from the firm and likely carried out on personal devices in violation of company policies and ethical standards.
The company also said Martino did not refer those clients to DigitalMint, noting that the majority of its engagements come through referrals from insurance carriers, other digital forensics and incident response firms, or breach counsel.
Asked whether it had compensated clients whose ransom payments were allegedly inflated by their own negotiator, the company declined to answer directly.
"We are not able to discuss specific client relationships or fee arrangements due to confidentiality obligations," DigitalMint said, adding that it remains committed to its clients and has addressed any commercial matters directly with those parties.
On the question of carrier relationships, DigitalMint said the vast majority have remained supportive as the company has kept them informed of developments throughout the investigation.
The company outlined a series of controls it said were in place before the incident, including a requirement that all negotiator communications receive approval from the client, counsel and carrier, and that case activity and chat logins be made available to management, carriers and counsel as oversight.
Its cryptocurrency payment business and threat actor communications business were kept rigorously compartmentalized, with only three executive founders authorized to initiate wire transfers or cryptocurrency transactions.
Since the incident, DigitalMint said it has mandated that all negotiation activity be conducted over a cloud-based platform with full audit logging and that founder Don Wyper personally oversee every negotiation engagement.
The company also said it is working with the Department of Homeland Security's cyber team to establish a threat actor negotiator registry, with the stated goal of increasing transparency and setting industry standards for oversight of ransom payment facilitation.
For cyber insurers and the brokers who place their business, the case raises questions about how ransomware claims are handled. Digital forensics and incident response firms are appointed by carriers and operate with privileged access during negotiations, giving them visibility into what victims can pay, where pressure points lie and how talks are progressing in real time.
Sygnia did not immediately respond to a request for comment. A representative for Martino did not respond to a request for comment.
Editor's note: This story has been updated to correct the headline and opening paragraph, which initially described Martino as having carried out ransomware attacks against his own clients. The direct ransomware attacks alleged in the charge targeted separate victims who were not DigitalMint clients. The story has been corrected to reflect that distinction.





