- Key insight: The case of two convicted cybersecurity professionals brought to light the actions of a third co-conspirator who gave sensitive breach details — including cyber-insurance policy limits — to a ransomware group he secretly worked for.
- What’s at stake: Prosecutors said the cybersecurity professionals’ conduct erodes victims’ willingness to retain the very experts they rely on to defend against ransomware attacks.
- Supporting data: Five DigitalMint clients of Angelo Martino paid $75.25 million in ransoms while he allegedly leaked their negotiating positions to Alphv, including $25.66 million from a U.S. financial services firm.
Overview bullets generated by AI with editorial review.
Processing Content
On Thursday, a federal judge sentenced two former cybersecurity professionals to four years each in prison for using ransomware to attack U.S. companies.
Ryan Goldberg, 40, formerly of incident response firm Sygnia, and Kevin Martin, 36, formerly of ransomware negotiation firm DigitalMint, pleaded guilty in December to a federal extortion conspiracy, according to a
A third co-conspirator, Angelo Martino, 41, also formerly of DigitalMint, pleaded guilty on April 20.
Sygnia has publicly confirmed Goldberg as a former employee, and DigitalMint has publicly confirmed Martin and Martino as former employees. Both employers have said that they terminated the men upon learning about the federal investigations into wrongdoing.
The case raises a pointed question for any bank that retains an incident-response or ransomware-negotiation firm: What stops the vendors brought in to handle a breach from feeding the attackers the firm’s insurance limits?
A U.S. financial services company, whose name does not appear in court records, paid roughly $25.66 million in ransom to a ransomware group while Martino was negotiating on the firm’s behalf as a DigitalMint employee.
During that period, Martino secretly fed the attackers the firm’s confidential negotiating information, according to
That ransomware group Martino assisted under the table was Alphv (often stylized ALPHV), also known as BlackCat. The ransomware strain first appeared in late 2021 and went on to compromise more than 1,000 victims worldwide, including government facilities, defense industrial base companies and health care facilities, according to a December 2023 Justice Department
Alphv ran on a “ransomware-as-a-service” model: a small set of administrators built and maintained the malware while recruiting outside affiliates to break into victim networks and deploy it, splitting any ransoms paid.
Starting in 2023, Goldberg, Martin and Martino operated as Alphv affiliates, agreeing to give the ransomware’s administrator 20% of any ransoms in exchange for access to the malware and the extortion platform, according to
The three worked together: Goldberg gained initial access to victim networks. Martin stole data and encrypted networks. Martino handled negotiations and laundered the proceeds.
The negotiator who played both sides
While drawing a paycheck from DigitalMint as a negotiator hired by ransomware victims, Martino secretly fed the attackers his clients’ insurance limits and internal negotiating positions through a private chat channel inside the Alphv platform, according to the Martino proffer. The Alphv actors paid him for the information.
According to the same filing, in one September 2023 negotiation against a U.S. hospitality company, Martino told an Alphv actor in the private channel that “the [insurance] carrier is only approving small amounts — keep denying our offers and i will let you know once i find out the max the[y] want to pay.” The hospitality firm paid roughly $16.48 million.
Martino used the same tactic against four other DigitalMint clients, according to the filing. His five victims paid ransoms totaling about $75.25 million: a nonprofit ($26.79 million), the financial services firm ($25.66 million), the hospitality firm ($16.48 million), a retail company ($6.1 million), and a medical company ($213,000).
Authorities have seized roughly $10 million from Martino, including cryptocurrency, two Florida properties, vehicles, a food truck and a 29-foot fishing boat.
Prosecutors did not allege that DigitalMint had knowledge of Martino’s scheme, according to the government’s sentencing memo.
DigitalMint’s chief executive, Jonathan Solomon, and his team “strongly condemn” the conduct and fired Martino the day after the Justice Department informed the company about the investigation, according to a written statement Solomon gave to multiple news outlets.
What this means for banks that buy incident response
Banks routinely retain incident-response and ransomware-negotiation firms (the same kind of vendors all three men worked at) and share the most sensitive details of a breach with them, including cyber-insurance policy limits.
Prosecutors documented the systemic risk in the sentencing memo. Incident responders are “members of a small community of specialists whom victims, employers, and the broader public trust to stand between them and precisely the kind of attacks they chose to commit,” prosecutors wrote.
The trio’s conduct “erodes that willingness” to retain experts at all, prosecutors said in the memo.
The financial services industry paid roughly $365.6 million in ransoms from 2022 to 2024, according to
Alphv received the highest cumulative ransom payments of any variant identified in the report at about $395.3 million.
The threat actor shut down in early 2024 after a December 2023 disruption operation by the FBI and an exit scam in which the group’s operators took the Change Healthcare ransom and disappeared.
The affiliate model that helped attackers extract $75.25 million from Martino’s clients persists today across other ransomware variants.
Martino is set for sentencing July 9.
