
When Your Ransomware Negotiator Works for the Attackers: Insider Threat Lessons from the BlackCat Case

A ransomware negotiator secretly fed attackers his clients' confidential strategy—inflating a $25M payout. This case exposes a critical blind spot in third-party risk management for financial institutions.

FyntraLink Team

A Florida-based ransomware negotiator hired to protect victims was secretly sharing their confidential negotiation strategies with the BlackCat/ALPHV ransomware group—helping inflate ransom demands and pocketing millions. The DOJ case against Angelo Martino and two fellow cybersecurity professionals exposes a systemic vulnerability that every Saudi financial institution relying on third-party incident response must address immediately.

The Scheme: Cybersecurity Professionals Turned Ransomware Affiliates

In April 2026, Angelo Martino, 41, of Florida pleaded guilty to conspiracy charges after admitting he collaborated with BlackCat/ALPHV operators while employed as a ransomware negotiator at DigitalMint, a U.S.-based cyber incident response firm. Between April and December 2023, Martino worked alongside Ryan Goldberg (Georgia) and Kevin Martin (Texas)—both cybersecurity professionals—to deploy BlackCat ransomware against multiple U.S. organizations.

The trio exploited their positions of trust to devastating effect. While Martino negotiated ransoms on behalf of five different victims, he simultaneously fed attackers each client's maximum payment threshold, negotiation timeline, and insurance coverage details. In one case, a U.S. financial services company paid approximately $25.66 million—a sum prosecutors believe was artificially inflated by Martino's intelligence sharing. After a separate successful extortion of $1.2 million in Bitcoin, the three split their 80% affiliate share and laundered proceeds through cryptocurrency mixing services.

Sentencing and Asset Seizure

Goldberg and Martin were each sentenced to four years in federal prison in late April 2026. Martino faces sentencing on July 9, 2026, with a maximum penalty of 20 years. Law enforcement seized over $10 million in assets from Martino alone—including digital currency, vehicles, a luxury fishing boat, and a food truck purchased with ransomware proceeds. Goldberg was tracked across 10 countries before his arrest, underscoring the global coordination required to bring insider-threat actors to justice.

Why This Matters for Saudi Financial Institutions

SAMA's Cyber Security Framework (CSCC) mandates that regulated entities implement robust third-party risk management controls, including due diligence on vendors with access to sensitive systems and incident data. The BlackCat insider case reveals a specific gap many organizations overlook: incident response and negotiation vendors receive the most sensitive breach intelligence—attack scope, recovery timelines, insurance limits, board-level decision parameters—and a single corrupted insider can weaponize all of it.

Under NCA's Essential Cybersecurity Controls (ECC), organizations must verify the integrity and trustworthiness of personnel handling critical security functions. When those personnel belong to a third party, the oversight challenge multiplies. Saudi banks, insurance companies, and fintech firms that outsource incident response without implementing contractual safeguards and monitoring mechanisms face exactly the risk that materialized in this case.

Additionally, PDPL considerations arise when third-party responders access personal data during breach investigation. If that data is shared with threat actors—as happened here—the regulated entity bears regulatory liability regardless of whether the leak originated from their own staff or a vendor.

Practical Recommendations for Mitigating Third-Party IR Risk

  1. Compartmentalize breach intelligence: Never share insurance policy limits, board-approved payment ceilings, or negotiation redlines with the same team conducting attacker communications. Implement a Chinese wall between strategy and execution within your IR retainer structure.
  2. Require dual-person controls for ransom negotiations: No single individual—internal or external—should have sole authority over attacker communications. All messages to threat actors should require approval from at least two parties across different organizations.
  3. Conduct background verification on IR vendor personnel: Go beyond corporate due diligence. Request named-personnel background checks, conflict-of-interest declarations, and cryptocurrency wallet disclosures for individuals who will handle sensitive breach data. SAMA CSCC Section 3.3.7 supports this requirement.
  4. Implement session logging for all negotiation channels: Every communication with threat actors should be recorded, timestamped, and stored independently of the negotiation vendor. Use a separate forensic firm to audit communication logs post-incident.
  5. Include insider-threat clauses in IR retainer contracts: Specify that unauthorized disclosure of client negotiation strategy constitutes a material breach with liquidated damages. Require vendors to maintain employee monitoring on personnel assigned to active engagements.
  6. Rotate IR vendors and conduct post-incident audits: Do not rely on a single firm indefinitely. Conduct independent audits of negotiation outcomes—comparing payment amounts against industry benchmarks for similar attack types and organization sizes.
  7. Tabletop the insider-threat scenario: Add a corrupted-vendor scenario to your annual cyber exercises. Test whether your team can detect anomalous information flow from your organization to an attacker during active negotiations.
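Recommendations 2 and 4 above (dual-person control over every outbound message, and a timestamped record of the channel held independently of the negotiation vendor) can be enforced in software rather than left to policy. The module below is an added example written for this article; it is not code from Fyntralink, DigitalMint or any IR vendor. The organisation names, message texts and timestamps are constructed, and the approval rule it enforces (at least two approvers from at least two different organisations) is the article's recommendation, not a SAMA or NCA requirement. Every entry is hash-chained to the previous one, so a client-held export can be audited for edits, deletions or reordering, and for any outbound message that bypassed dual approval.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # previous-hash value used for the first entry in the chain


@dataclass(frozen=True)
class Approval:
    approver: str   # named individual (constructed names in demo())
    org: str        # organisation the approver belongs to


def _digest(entry: dict) -> str:
    """SHA-256 over every field except the hash itself, in canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _dual_org_approved(approvals) -> bool:
    """Article's rule: at least two approvers drawn from at least two organisations."""
    return len(approvals) >= 2 and len({org for _, org in approvals}) >= 2


class NegotiationLog:
    """Append-only, hash-chained record of every message on the attacker channel."""

    def __init__(self):
        self.entries = []

    def _prev_hash(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, direction: str, text: str, approvals, ts: int) -> str:
        """Record one message; outbound messages are refused without dual-org approval."""
        if direction not in ("inbound", "outbound"):
            raise ValueError("direction must be 'inbound' or 'outbound'")
        pairs = [(a.approver, a.org) for a in approvals]
        if direction == "outbound" and not _dual_org_approved(pairs):
            raise PermissionError("outbound message needs two approvers from different organisations")
        entry = {
            "seq": len(self.entries),
            "ts": ts,
            "direction": direction,
            "text": text,
            "approvals": pairs,
            "prev": self._prev_hash(),
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def export_json(self) -> str:
        """Serialised copy for the client-held store that the vendor cannot rewrite."""
        return json.dumps(self.entries)


def verify_chain(entries) -> list:
    """Independent audit of an exported copy; returns a list of findings (empty = clean)."""
    findings = []
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i:
            findings.append(f"entry {i}: sequence gap or reordering (seq={e.get('seq')})")
        if e.get("prev") != prev:
            findings.append(f"entry {i}: previous-hash link broken")
        if _digest(e) != e.get("hash"):
            findings.append(f"entry {i}: content altered after recording")
        if e.get("direction") == "outbound" and not _dual_org_approved(e.get("approvals", [])):
            findings.append(f"entry {i}: outbound message without dual-organisation approval")
        prev = e.get("hash", "")
    return findings


def demo() -> dict:
    """Walk the controls over constructed data and return the audit results."""
    log = NegotiationLog()
    log.append("inbound", "Demand received on attacker chat (constructed placeholder)", [], ts=1700000000)
    # One approver, or two from the same firm, is refused: the negotiator cannot act alone.
    refused = 0
    for attempt in ([Approval("negotiator-1", "IRVendor")],
                    [Approval("negotiator-1", "IRVendor"), Approval("negotiator-2", "IRVendor")]):
        try:
            log.append("outbound", "Counter-offer draft", attempt, ts=1700000300)
        except PermissionError:
            refused += 1
    log.append("outbound", "Counter-offer as approved by client and counsel",
               [Approval("negotiator-1", "IRVendor"), Approval("cfo", "ClientBank")], ts=1700000600)
    clean = verify_chain(json.loads(log.export_json()))
    # Simulate a vendor quietly editing, then deleting, records in its own copy.
    edited = json.loads(log.export_json())
    edited[1]["text"] = "Counter-offer, revised"
    deleted = json.loads(log.export_json())
    del deleted[0]
    return {"refused": refused, "clean": clean,
            "edited": verify_chain(edited), "deleted": verify_chain(deleted)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audit catches alteration, deletion and reordering of the exported copy, and any outbound entry that lacks approvals from two organisations. It cannot see a message that never passed through the logged channel, which is why recommendation 4 matters as much as recommendation 2: the logged channel has to be the only path to the attacker, and the client, not the vendor, has to hold the export being verified.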

The Broader Insider Threat Landscape

This case is not isolated. The DOJ described all three defendants as cybersecurity industry professionals with "special skills and experience in securing computer systems against harm, including the type of harm they themselves were committing." The convergence of legitimate security expertise and criminal motivation represents one of the most difficult threat vectors to detect—these individuals understand defensive telemetry, know how to avoid triggering alerts, and have legitimate access to the systems they compromise.

For Saudi financial institutions operating under heightened regulatory scrutiny, the takeaway is clear: trust verification cannot stop at the perimeter. Every entity with privileged access to your incident data—law firms, forensic vendors, negotiation specialists, insurance adjusters—represents a potential insider threat vector that requires continuous monitoring and contractual controls.

Conclusion

The BlackCat insider case fundamentally challenges the assumption that hiring external experts reduces risk during a ransomware incident. Without proper compartmentalization, monitoring, and contractual safeguards, third-party responders can become the most dangerous insider threat of all—one with legitimate access, deep technical knowledge, and financial motivation to betray their clients. Saudi regulated entities must integrate this scenario into their third-party risk management programs and SAMA CSCC compliance strategies before the next major incident forces the lesson in real time.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment, including a review of your third-party incident response governance and insider threat controls.