Two American cybersecurity professionals pleaded guilty to operating as BlackCat/ALPHV ransomware affiliates, using their security expertise to attack US organizations including healthcare providers. The case highlights the insider threat risk when security professionals turn to cybercrime.
Incident overview
| Attribute | Details |
|---|---|
| Defendants | Ryan Goldberg, Kevin Martin |
| Ransomware | ALPHV/BlackCat |
| Attack period | April - December 2023 |
| Victims | 5 US organizations |
| Total losses | $9.5+ million |
| Largest single ransom | $1.2 million |
| Plea date | January 2, 2026 |
| Sentencing date | March 12, 2026 |
| Maximum sentence | 20 years |
The defendants
| Name | Age | Location | Employer | Role |
|---|---|---|---|---|
| Ryan Clifford Goldberg | 40 | Georgia | Sygnia | Incident Response Manager |
| Kevin Tyler Martin | 36 | Texas | DigitalMint | Ransomware Negotiator |
| Unnamed co-conspirator | — | Land O’Lakes, Florida | DigitalMint | Ransomware Negotiator |
Both men worked in cybersecurity roles that gave them deep knowledge of how organizations respond to ransomware attacks. Martin and an unnamed co-conspirator were employed as ransomware negotiators at DigitalMint, a company that helps victims communicate with attackers. Goldberg worked as an incident response manager at Sygnia, an Israeli cybersecurity firm.
The attacks
Between April and December 2023, Goldberg and Martin operated as BlackCat affiliates, targeting five US organizations:
| Target | Industry | Location |
|---|---|---|
| Medical device company | Healthcare | Florida |
| Pharmaceutical company | Healthcare | Maryland |
| Doctor’s office | Healthcare | California |
| Engineering company | Technology | California |
| Drone manufacturer | Defense/Tech | Virginia |
Three of the five targets were healthcare organizations—a sector particularly vulnerable to ransomware due to patient safety concerns and regulatory pressure.
How the operation worked
As affiliates, Goldberg and Martin handled the operational side of attacks:
| Phase | Activity |
|---|---|
| 1. Target identification | Selecting and researching victim organizations |
| 2. Initial compromise | Gaining access to victim networks |
| 3. Deployment | Installing BlackCat ransomware |
| 4. Negotiation | Communicating ransom demands to victims |
| 5. Collection | Receiving cryptocurrency payments |
| 6. Laundering | Converting and dispersing funds |
In exchange for access to the BlackCat ransomware and extortion infrastructure, they paid 20% of collected ransoms to the ransomware administrators.
Professional advantage
| Insider knowledge | Exploitation |
|---|---|
| Incident response procedures | Knew how victims would respond |
| Negotiation tactics | Understood what victims would pay |
| Recovery timelines | Could pressure victims on deadlines |
| Insurance coverage patterns | Informed ransom demands |
| Technical defenses | Knew common security gaps |
Financial impact
| Metric | Amount |
|---|---|
| Total victim losses | $9.5+ million |
| Traced proceeds (Goldberg & Martin) | $342,000 each |
| Single attack (Florida medical company) | $1.2 million |
| ALPHV administrator cut | 20% ($240,000 from Florida attack) |
| Affiliate share | 80% |
After successfully extorting one victim for approximately $1.2 million in Bitcoin, the men split their 80% share three ways and laundered the funds.
Forfeiture
Both defendants are ordered to forfeit $342,000 each, representing the value of proceeds traced to their crimes.
Flight risk
After being interviewed by the FBI, Goldberg and his wife allegedly purchased one-way flights to Paris just 10 days later—raising significant flight risk concerns that likely influenced subsequent legal proceedings.
Legal outcome
Both defendants pleaded guilty in Miami federal court to one count of conspiracy to obstruct commerce by extortion.
| Legal detail | Status |
|---|---|
| Charge | Conspiracy to obstruct commerce by extortion |
| Court | U.S. District Court, Southern District of Florida |
| Maximum sentence | 20 years in prison |
| Sentencing date | March 12, 2026 |
| Forfeiture | $342,000 each |
DOJ statements
“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks—the very type of crime that they should have been working to stop.” — Assistant Attorney General A. Tysen Duva
“Ransomware is not just a foreign threat—it can come from inside our own borders. Goldberg and Martin used trusted access and technical skill to extort American victims and profit from digital coercion.” — U.S. Attorney Jason A. Reding Quiñones
Employer responses
Sygnia
Sygnia stated that Goldberg was fired as soon as the company learned of the situation:
“While Sygnia is not a target of this investigation, we are continuing to work closely with the Federal Bureau of Investigation.”
DigitalMint
DigitalMint condemned Martin’s actions:
“These actions were undertaken without the knowledge, permission, or involvement of the company.”
About ALPHV/BlackCat
BlackCat emerged in late 2021 and became one of the most sophisticated ransomware-as-a-service (RaaS) operations:
| Attribute | Details |
|---|---|
| Launch | Late 2021 |
| Language | First major ransomware written in Rust |
| Platforms | Windows, Linux, VMware ESXi |
| Tactics | Triple extortion (encryption + data theft + DDoS threats) |
| Targets | Healthcare, education, critical infrastructure |
| Scale | 1,000+ ransomware incidents globally |
Notable ALPHV attacks
| Target | Impact |
|---|---|
| Las Vegas hotels | Major hospitality disruption |
| Real estate companies | Multi-billion dollar industry impact |
| UnitedHealth/Change Healthcare | Massive healthcare payment disruption |
FBI disruption (December 2023)
The FBI seized ALPHV’s infrastructure and developed a decryption tool that helped victims recover systems, preventing an estimated $99 million in ransom payments. However, the group later resurfaced with modified operations before eventually shutting down following the devastating UnitedHealth attack.
Group shutdown
Following devastating attacks including the Change Healthcare incident that disrupted insurance payments across the US healthcare system, ALPHV/BlackCat eventually ceased operations in 2024.
Insider threat patterns
The Goldberg/Martin case follows established patterns in insider-driven cybercrime:
| Pattern | This case |
|---|---|
| Access to sensitive knowledge | Both had deep IR/negotiation expertise |
| Financial motivation | Cryptocurrency payments |
| Rationalization | Healthcare targeting despite ethical concerns |
| Detection difficulty | Operated outside employer systems |
| Eventual identification | Cryptocurrency tracing, FBI investigation |
Lessons for the security industry
Background checks and vetting
| Consideration | Implementation |
|---|---|
| Enhanced background checks | Security roles require deeper vetting |
| Continuous evaluation | Periodic re-screening during employment |
| Financial stress indicators | Monitor for concerning patterns |
| Behavioral analytics | Flag unusual access patterns |
Access and monitoring
| Control | Purpose |
|---|---|
| Activity monitoring | Even trusted personnel face oversight |
| Separation of duties | No single person has end-to-end visibility into attack/response |
| Role rotation | Reduce concentrated knowledge |
| Exit procedures | Revoke access immediately upon departure |
Organizational controls
| Measure | Benefit |
|---|---|
| Whistleblower programs | Anonymous reporting of suspicious behavior |
| Ethics training | Reinforce professional boundaries |
| Conflict of interest policies | Disclosure requirements |
| Peer review | Cross-checking of sensitive activities |
Recommendations
For security employers
| Priority | Action |
|---|---|
| Critical | Enhanced vetting for IR and negotiation roles |
| High | Implement activity monitoring for sensitive positions |
| High | Establish anonymous reporting channels |
| Medium | Periodic re-screening and financial wellness checks |
| Ongoing | Ethics and professional responsibility training |
For law enforcement
| Priority | Action |
|---|---|
| High | Cryptocurrency tracing capabilities |
| High | Coordination with security industry on insider cases |
| Medium | Behavioral pattern analysis across RaaS affiliates |
| Ongoing | International cooperation on affiliate prosecution |
For incident response firms
| Priority | Action |
|---|---|
| High | Review employee access to victim data |
| High | Implement segregation of duties |
| Medium | Monitor for unusual information requests |
| Ongoing | Background verification for new hires |
Context
Security professionals turning to cybercrime isn’t new, but the RaaS model makes it easier than ever. Affiliates don’t need to develop malware or maintain infrastructure—they just need to find and compromise targets. For insiders with security expertise, the technical barriers are minimal.
| Enabler | Impact |
|---|---|
| RaaS accessibility | Low barrier to entry for affiliates |
| Cryptocurrency | Anonymous payment and laundering |
| Professional knowledge | Understanding of defenses and responses |
| Victim insights | Knowledge of what organizations will pay |
The case also demonstrates that ransomware affiliate prosecution is possible. Law enforcement tracked cryptocurrency payments, linked them to identifiable individuals, and secured guilty pleas. The message: affiliates aren’t anonymous, and domestic prosecution is on the table.
For organizations hiring security personnel, the case reinforces that technical skills alone aren’t sufficient criteria—integrity matters, monitoring matters, and the insider threat extends to the defenders themselves.
The targeting of healthcare organizations—including a doctor’s office and medical device company—adds an ethical dimension to the case. These defendants knowingly endangered patient safety and healthcare delivery for financial gain, leveraging the very expertise they were trusted to use defensively.