A Florida cybersecurity professional has become the third person sentenced to prison in a US case involving negotiators who secretly colluded with a ransomware gang instead of protecting the victims who hired them.

Angelo Martino, 41, was sentenced on Thursday to 70 months in prison after pleading guilty in April. He was one of three men charged last year over their roles in ransomware attacks tied to the BlackCat/Alphv operation. All three worked at cybersecurity firms, and two of them, including Martino, were employed specifically as ransomware negotiators, a role meant to help victim organizations manage extortion demands.

According to the Department of Justice, Martino began working with BlackCat operators in April 2023 and assisted in extorting at least five victims. He was paid by the ransomware group to hand over confidential details about his own employer’s clients, including their negotiating positions and strategy, information that let the attackers push victims toward paying larger ransoms.

Authorities seized roughly $10 million in assets from Martino, including cryptocurrency, vehicles, a food truck, and a fishing boat. He will also owe restitution, with the amount to be set at a hearing scheduled for September.

The other two defendants in the case, Kevin Martin of Texas and Ryan Goldberg of Georgia, were each sentenced in late April to four years in prison for similar conduct.

Background on BlackCat/Alphv

BlackCat/Alphv targeted more than 1,000 organizations between 2021 and December 2023, when law enforcement disrupted the operation. Despite that takedown, the group’s operators later collected a $22 million ransom from a victim before executing an exit scam and vanishing with the funds. The US government continues to offer a $10 million reward for information leading to the identification of the group’s key members.

The case underscores a growing concern for organizations hit by ransomware: vetting the trustworthiness of third-party negotiators and incident responders is now as critical as vetting any other vendor with access to sensitive breach details.