What Happened
Angelo Martino, 41, a former employee of cybersecurity incident response firm DigitalMint, pleaded guilty on April 21, 2026, to conspiring with the BlackCat (ALPHV) ransomware group to extort at least five US organizations. While ostensibly working as a ransomware negotiator on behalf of victims, Martino fed confidential information about those victims to the ransomware gang to help maximize ransom payments. Two other negotiators — Ryan Clifford Goldberg from Sygnia and Kevin Tyler Martin, also from DigitalMint — pleaded guilty to the same charge in December 2025.
The five victims included a financial services firm paying $25.6 million and a nonprofit paying $26.8 million. Total extorted funds exceeded $52 million across the five organizations. Authorities seized $10 million in assets from Martino, including digital currency, vehicles, and a luxury fishing boat. Sentencing is scheduled for July 9, 2026, with a maximum penalty of 20 years. Full coverage available at BleepingComputer and the US Department of Justice.
Why This Matters for Canadian Organizations
Canada does not require organizations to disclose which incident response firm they engage following a ransomware attack, nor does the Office of the Privacy Commissioner mandate transparency about third-party responders. This creates a gap: organizations often share their most sensitive operational data — network diagrams, financial exposure, insurance coverage limits, backup status — with IR firms under the implicit assumption of absolute confidentiality.
The Martino case demonstrates this assumption is not always warranted. For Canadian organizations, the implications are direct. When retaining an incident response firm after a ransomware event, you are sharing information determining whether you pay, how much, and whether you survive the attack. This information has market value to the threat actor on the other side of the negotiation. Due diligence on IR vendors — including background checks on personnel assigned to your engagement — is no longer a box-ticking exercise.
Ransomware cyber insurance in Canada also depends heavily on IR firm assessments of loss severity and recovery cost. If those assessments are being influenced by actors with financial incentives to inflate the ransom, the downstream effects on insurance claim validity and coverage disputes are significant. Canadian insurers and legal counsel advising breach clients should be aware of this case.
What to Do
Before retaining an incident response firm, verify personnel assigned to your engagement hold current professional certifications and are subject to background screening. Ensure your IR engagement letter includes confidentiality provisions with explicit penalties for unauthorized disclosure of victim information. Engage legal counsel independent of the IR firm for all ransom payment decisions — creating a separation between the people assessing your situation and those advising on financial exposure. If you have used DigitalMint or Sygnia for prior engagements involving ransom negotiations, review those cases to confirm the integrity of the advice you received. Document all decisions and the information shared with IR partners from day one of any incident.
