👋 Welcome to Unlocked

When a ransomware attack hits, most organizations do the same thing: call in a specialist. Someone who knows how these groups operate, how to stall for time, and how to drive the ransom down. Someone you can trust completely — because you're handing them your most sensitive information at your most vulnerable moment.

This week, we learned what happens when that person is already working for the other side.

Here's what you need to know.

🔑 The Case: Three Negotiators, One Ransomware Gang, Zero Loyalty

On April 21st, Angelo Martino — a ransomware negotiator at DigitalMint, a Chicago-based incident response firm — pleaded guilty to conspiracy charges. He is the third cybersecurity professional in less than a year to admit to the same scheme.

The mechanics of the betrayal were straightforward and devastating:

  • Martino worked both sides simultaneously. While representing five ransomware victims as their negotiator, he was secretly feeding their confidential information to the BlackCat/ALPHV ransomware group — the same group that had attacked them

  • The information he handed over was surgical. Insurance policy limits. Internal negotiation positions. How much each victim could actually afford to pay, and how they planned to fight back

  • He didn't stop at leaking intel. Martino, alongside co-conspirators Kevin Martin (also from DigitalMint) and Ryan Goldberg (an incident response manager at Sygnia), eventually deployed BlackCat ransomware themselves — becoming affiliates of the criminal operation they were supposed to counter

  • The financial haul was significant. In one case, the trio extorted a medical device company for $1.274 million in Bitcoin. Law enforcement has seized $10 million in assets from Martino alone — including a food truck, cryptocurrency, and a luxury fishing boat

Martin and Goldberg pleaded guilty in December 2025. Martino's sentencing is scheduled for July 9th. All three face up to 20 years in prison.

📉 The Numbers Tell the Story

This wasn't a single bad actor. It was a structural trust failure:

  • 3 cybersecurity professionals charged in the same insider scheme

  • 5 ransomware victims had their negotiation strategies handed to their attackers

  • $75M+ in ransom demands across the 10 attacks included in the broader indictment

  • $10M in assets seized from Martino alone

  • 20 years maximum prison sentence each defendant faces

πŸ” Why This Is an Access and Identity Story

The instinct when reading this story is to file it under "cybercrime" or "fraud." But that misses the more important lesson.

Martino didn't hack his way into anything. He walked in through the front door — with credentials, a contract, and the explicit trust of the organizations he was betraying. He had legitimate, privileged access to the most sensitive information imaginable: not just data, but strategy. Not just files, but intent.

That's not a ransomware problem. That's an access problem.

Think about what these victims handed over the moment they brought in a third-party negotiator:

  • Their cyber insurance limits

  • Their internal risk tolerance

  • Their legal exposure and regulatory obligations

  • Their bottom-line willingness to pay

In a normal engagement, that information flows one direction — from victim to trusted advisor. There was no mechanism to detect when it started flowing to the attacker as well. No audit trail that flagged unusual outbound communication. No least-privilege model that limited what the negotiator could access. No zero-trust architecture that asked, continuously, whether this person should still have this access.

The organizations weren't naive. They hired professionals from legitimate firms. They did what the incident response playbook told them to do. And it still wasn't enough — because the playbook assumes that access, once granted to a trusted party, stays trusted.

🤖 The Bigger Picture: Third-Party Access Is the New Perimeter

This case isn't an anomaly. It's an acceleration of a trend that has been building for years.

Modern organizations don't operate in isolation. They extend privileged access to vendors, contractors, consultants, managed service providers, incident responders, and auditors. Each one of those relationships represents an access grant — often broad, rarely monitored continuously, and almost never revoked proactively when it's no longer needed.

As we covered in The Contractor Access Gap, third-party identities are one of the most consistently underestimated risks in enterprise security. Security teams spend enormous resources defending against external attackers. But the access those attackers want most is often already sitting in the hands of a third party — legitimate, credentialed, and trusted.

The Martino case puts a name and a sentence on what that risk actually looks like. And it isn't the first time ransomware groups have relied on insider access to maximize their leverage.

💡 The Unlocked Insight: Trust Is Not a Security Control

Here's the hard truth: "we trust this vendor" is not a security architecture.

The organizations that will stay ahead of third-party risk are building something different — a model where trust is earned continuously, not granted once and forgotten.

Three shifts that matter right now:

  • Treat third-party access like any other privileged identity. Every vendor, consultant, or incident responder who touches your environment should be subject to the same least-privilege principles as your internal team. Access should be scoped to what's needed, time-limited, and reviewed regularly

  • Build audit trails for sensitive information, not just systems. The negotiators in this case weren't accessing servers — they were accessing strategy. Know who has seen your insurance limits, your legal assessments, your negotiation positions. That information deserves access controls too. Our breakdown of IAM solutions covers how leading platforms are starting to integrate exactly this kind of visibility

  • Plan your incident response relationships before an incident. The worst time to evaluate whether you trust your ransomware negotiator is at 2am with a ransom note on your screen. Vet your IR partners now, understand their access requirements, and establish what information they actually need — and what they don't
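The first two shifts above (scoped, time-limited third-party access and an audit trail keyed on information rather than systems) can be sketched as follows. This is an added example, not part of the original newsletter; the class, the category names and the identities are hypothetical and the scenario is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class SensitiveInfoStore:
    """Scoped, expiring grants plus an audit trail keyed on information category."""
    grants: dict = field(default_factory=dict)   # principal -> (categories, expiry)
    audit: list = field(default_factory=list)    # every attempt, allowed or denied

    def grant(self, principal, categories, ttl, now):
        self.grants[principal] = (frozenset(categories), now + ttl)

    def read(self, principal, category, now):
        scope, expiry = self.grants.get(principal, (frozenset(), now))
        if principal not in self.grants:
            result = "no_grant"
        elif now >= expiry:
            result = "expired"          # access is not silently extended
        elif category not in scope:
            result = "out_of_scope"     # least privilege per information category
        else:
            result = "ok"
        self.audit.append({"ts": now.isoformat(), "who": principal,
                           "category": category, "result": result})
        return result == "ok"

    def who_has_seen(self, category):
        return sorted({e["who"] for e in self.audit
                       if e["category"] == category and e["result"] == "ok"})

    def denied(self):
        return [(e["who"], e["category"], e["result"])
                for e in self.audit if e["result"] != "ok"]

def demo():
    # Constructed scenario: identities, categories and times are illustrative.
    t0 = datetime(2026, 1, 5, 2, 0, tzinfo=timezone.utc)
    who = "negotiator@ir-vendor.example"
    store = SensitiveInfoStore()
    store.grant(who, {"negotiation_position"}, timedelta(hours=72), t0)
    store.read(who, "negotiation_position", t0)                        # in scope
    store.read(who, "insurance_limits", t0)                            # never granted
    store.read(who, "negotiation_position", t0 + timedelta(hours=73))  # after expiry
    store.read("counsel@lawfirm.example", "legal_assessment", t0)      # no grant at all
    return store

if __name__ == "__main__":
    s = demo()
    print(s.who_has_seen("negotiation_position"), s.denied())
```

Denied attempts are logged alongside successful reads, so a review can answer both "who has seen this" and "who tried to".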

In a world where the person holding your hand through a breach might also be the one who caused it, the old model of extended trust has to be replaced with something more durable. That's what zero-trust architecture is actually designed for — not just external threats, but the assumption that any identity, internal or external, could be compromised.

💡 Unlocked Tip of the Week

Ask your security team this week: "If we called in a third-party incident responder today, what information would they have access to — and what stops them from sharing it?"

If the answer involves words like "contract" and "professional ethics" but not words like "audit logs," "scoped access," and "time-limited credentials" — your third-party risk model is built on trust, not architecture. The Martino case is the perfect forcing function to revisit it.

🔥 Final Takeaway

Three credentialed professionals. Five betrayed victims. One ransomware gang that knew exactly how much to demand — because someone on the inside told them.

The lesson isn't that you shouldn't bring in outside help during a breach. It's that help, like everything else in security, needs to be scoped, monitored, and verified. Trust is a starting point, not a control.

Stay ready. Stay resilient.

Until next time,

🙋 Author Spotlight

Meet Kevin Patel — Cybersecurity Researcher & Digital Risk Analyst

Kevin Patel brings a strategic eye to the evolving threat landscape, specializing in how emerging technologies change the "math" of digital risk. With a background in threat intelligence and identity security, Kevin focuses on bridging the gap between technical vulnerabilities and the human psychology that attackers weaponize. He believes that in 2026, the only way to beat machine-speed fraud is through cryptographically-backed trust and relentless anomaly detection.
