TL;DR: Ryan Goldberg, 40, a manager of incident response at cybersecurity firm Sygnia, and Kevin Martin, 36, a ransomware negotiator at cryptocurrency firm DigitalMint, pleaded guilty on December 29, 2025, to running BlackCat (ALPHV) ransomware attacks against five U.S. companies between April and December 2023. They targeted a Florida medical company, a Maryland pharmaceutical company, a California doctor's office, a California engineering company, and a Virginia drone manufacturer. Total losses exceeded $9.5 million. They successfully extorted roughly $1.3 million from the medical company alone. A third co-conspirator, also from DigitalMint, remains unnamed. Both face up to 20 years in prison, with sentencing scheduled for March 12, 2026. If your company uses third-party incident response firms, this is your wake-up call.

The Perfect Cover

Ryan Goldberg's job was to help companies survive ransomware attacks. As a manager of incident response at Sygnia (a well-regarded Israeli-founded cybersecurity firm), he was the guy organizations called when everything was on fire. He knew the playbook: how attackers get in, how they move laterally, how they encrypt systems, how they pressure victims into paying.

He knew it so well that he started running the playbook himself.

Kevin Martin had an even more ironic role. As a ransomware negotiator at DigitalMint, he sat on the other side of the table, talking to ransomware gangs on behalf of victims, negotiating payments in cryptocurrency. He understood exactly how much pressure to apply, how to structure demands, and which victims were most likely to pay.

Between April and December 2023, both men, alongside an unnamed third co-conspirator also employed at DigitalMint, deployed BlackCat ransomware against five American companies. According to prosecutors, they "abused a position of public or private trust, or used a special skill, in a manner that significantly facilitated the commission or concealment" of their crimes.

That's DOJ-speak for: they used their defender knowledge as an attack manual.

Five Targets, One Payday

The trio went after five companies in a six-month spree:

  • A Florida medical company (the only one that paid, handing over approximately $1.3 million in Bitcoin)
  • A Maryland pharmaceutical company
  • A California doctor's office (patient photos were stolen and published on BlackCat's leak site)
  • A California engineering company
  • A Virginia drone manufacturer

Total losses across all five victims exceeded $9.5 million, according to court filings. Only the Florida medical company actually paid the ransom. The other four were targeted but refused, though "refused to pay" doesn't mean "unharmed." The California doctor's office had patient photos dumped publicly. That data is gone forever.

From that $1.3 million Bitcoin payment, the trio sent 20% to the BlackCat administrators as an affiliate fee. The remaining 80% they split three ways. Each defendant has been ordered to forfeit $342,000, and may face fines up to $250,000 plus restitution.

Ransomware as a Franchise

Goldberg and Martin didn't build BlackCat. They didn't write the encryption code or maintain the infrastructure. They were affiliates, the ransomware equivalent of franchise operators.

Here's how the model works: The BlackCat administrators (also known as ALPHV) built and maintained the ransomware toolkit and an extortion platform complete with a dark web leak site. Affiliates like Goldberg and Martin signed up, got access to the tools, picked their own targets, and carried out the attacks. In exchange, the administrators took a 20% cut of any ransom collected.

It's a business model. The people who build the weapons don't use them. The people who use them don't build them. That separation makes the whole operation harder to disrupt: the FBI can arrest affiliates all day, but the administrators keep recruiting new ones.

BlackCat/ALPHV was one of the most prolific ransomware operations in history. Before the FBI disrupted it in December 2023, it had claimed over 1,000 victims worldwide. The group later resurfaced to claim responsibility for the February 2024 Change Healthcare attack, a breach that exposed data on 190 million people and resulted in a reported $22 million ransom payment. It allegedly shut down operations in March 2024.

The Paris Tickets

One detail from court records stands out. In June 2023, just 10 days after FBI agents interviewed Goldberg, he and his wife purchased one-way flights to Paris.

One-way tickets. To a country where extradition, while possible, is slow and complicated.

He didn't end up running. But the purchase tells you something about how aware he was that the walls were closing in. A guy whose entire career was built on understanding how digital investigations work knew exactly what an FBI interview meant.

The Cybersecurity Industry's Trust Problem

This case exposes an uncomfortable truth: the cybersecurity industry runs on trust, and that trust has almost no verification behind it.

When a company suffers a ransomware attack, it calls an incident response firm. That firm gets keys to the kingdom: full access to compromised systems, backup infrastructure, sensitive data, network architecture. They see everything. They have to, in order to do their job.

Now imagine the responder is also the attacker, or is feeding information to attackers. They'd know exactly which backups to target, which systems are most critical, and precisely how much the company can afford to pay.

Goldberg didn't just know how ransomware works theoretically. He knew how specific companies defended against it, because he helped build those defenses. Martin didn't just understand negotiation tactics. He knew which victims would pay because he'd been on those calls.

Sygnia fired Goldberg immediately upon learning of his involvement. DigitalMint issued a statement saying Martin's actions were "undertaken without the knowledge, permission or involvement of the company" and calling his behavior "a clear violation of our values and ethical standards."

Both companies said the right things. But neither caught it while it was happening.

What This Means for You

Vet Your Incident Response Firms

If you hire a third-party cybersecurity firm, ask about their employee vetting process. Background checks. Conflict-of-interest policies. Compartmentalized access. If they can't answer these questions clearly, that's a red flag.

Limit Access During Incidents

Even trusted responders shouldn't have blanket access to everything. Segment access based on what's actually needed for the investigation. Monitor what external consultants access and when.

Assume Breach, Always

This case is a reminder that insider threats come from everywhere, including the people you hire to protect you. Maintain offline backups that no external party can touch. Test your recovery process independently.
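
One way to act on the two recommendations above (scoped, monitored responder access and backups no external party can touch), as an added example that is not part of the original article: a Python check run over audit-log lines. The account names, hostnames, engagement window and log format are all constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed engagement scope for a hypothetical external IR team (assumption).
SCOPE = {
    "accounts": {"ext-ir-alice", "ext-ir-bob"},    # responder accounts
    "allowed_hosts": {"fs01", "dc02", "ws-114"},   # hosts under investigation
    "never_external": {"backup-vault01"},          # backup tier: no third party
    "start": datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
    "end": datetime(2024, 3, 8, 20, 0, tzinfo=timezone.utc),
}

# Constructed audit log, format assumed: "<UTC timestamp> <account> <host> <action>"
SAMPLE_LOG = """\
2024-03-04T09:12:00Z ext-ir-alice fs01 read
2024-03-06T02:47:00Z ext-ir-bob hr-db01 read
2024-03-06T10:05:00Z ext-ir-alice backup-vault01 list
2024-03-09T23:15:00Z ext-ir-alice fs01 read
2024-03-06T11:00:00Z jsmith hr-db01 write
corrupted-entry
"""

def parse_line(line):
    """Return (when, account, host, action), or None if the line is malformed."""
    try:
        ts, account, host, action = line.split()  # wrong field count -> ValueError
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return when.replace(tzinfo=timezone.utc), account, host, action

def review(log_text, scope):
    """Return (line_no, rule, detail) for each external-access policy violation."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:  # never silently drop lines from an audit trail
            findings.append((n, "UNPARSED", line.strip()))
            continue
        when, account, host, action = rec
        if account not in scope["accounts"]:
            continue  # internal users are not covered by this check
        if host in scope["never_external"]:
            findings.append((n, "BACKUP_TOUCHED", f"{account} {action} {host}"))
        elif host not in scope["allowed_hosts"]:
            findings.append((n, "OUT_OF_SCOPE_HOST", f"{account} {action} {host}"))
        if not scope["start"] <= when <= scope["end"]:
            findings.append((n, "OUTSIDE_WINDOW", f"{account} at {when.isoformat()}"))
    return findings
```

Calling `review(SAMPLE_LOG, SCOPE)` returns one finding per violated rule, so a single log line can be reported twice, for example a backup access made after the engagement window has closed.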

Watch the Sentencing

March 12, 2026. Both defendants face up to 20 years. A third co-conspirator remains unnamed. The sentence will signal how seriously courts treat insider cybersecurity threats, and whether the penalty is enough to deter the next one.

Who Guards the Guards?

The cybersecurity industry is worth over $200 billion globally. Companies spend enormous sums hiring specialists, consultants, and incident response teams to defend against attackers. The entire model assumes that the defenders are actually on your side.

Goldberg and Martin proved that assumption wrong. And they had a built-in advantage most attackers don't: they knew exactly how the defenses worked because they helped build them.

The FBI's disruption of BlackCat in December 2023, the same month Goldberg and Martin's spree ended, saved hundreds of victims an estimated $99 million through decryption tools. That's the scale of the operation these two plugged into. Not some garage operation. A global criminal enterprise with over a thousand victims.

The third co-conspirator is still out there, unnamed. Sentencing is March 12. And somewhere, right now, another cybersecurity professional with the right skills and the wrong ethics is looking at the ransomware-as-a-service market and running the math.

The uncomfortable question isn't whether this will happen again. It's whether we'd catch it next time.

References

  1. Department of Justice - Two Americans Plead Guilty to Targeting Multiple U.S. Victims Using ALPHV/BlackCat Ransomware (December 2025)
  2. The Record - Ransomware Responders Plead Guilty to Using ALPHV in Attacks on U.S. Organizations (December 2025)
  3. CyberScoop - Former Incident Responders Plead Guilty to Ransomware Attack Spree (December 2025)
  4. CSO Online - Two Cybersecurity Experts Plead Guilty to Running Ransomware Operation (December 2025)
  5. Bleeping Computer - US Cybersecurity Experts Plead Guilty to BlackCat/ALPHV Ransomware Attacks (December 2025)