PROBABLYPWNED
Announcements · March 2, 2026 · 4 min read

Two Cybersecurity Pros Face 20 Years for ALPHV Ransomware Role

Ryan Goldberg and Kevin Martin pleaded guilty to deploying ALPHV BlackCat ransomware while working in incident response and negotiation roles. Sentencing set for March 12.

ProbablyPwned Team

Two American cybersecurity professionals have pleaded guilty to deploying ALPHV/BlackCat ransomware against multiple U.S. victims—while simultaneously holding jobs meant to protect organizations from exactly these attacks. Ryan Goldberg, 40, and Kevin Martin, 36, face up to 20 years in prison. Sentencing is scheduled for March 12, 2026.

The case represents one of the most troubling insider threat scenarios imaginable: defenders who secretly moonlighted as attackers, exploiting their knowledge of how organizations respond to ransomware to maximize their criminal profits.

The Defendants

According to the Department of Justice, Ryan Goldberg worked for Sygnia, a prominent incident response firm. Kevin Martin worked as a ransomware negotiator at DigitalMint. Both held positions that gave them intimate knowledge of how victims detect, respond to, and pay ransomware demands.

Between April and December 2023, Goldberg, Martin, and an unnamed third co-conspirator launched ALPHV BlackCat ransomware attacks against multiple U.S. organizations. They operated as affiliates of the ransomware-as-a-service operation, paying ALPHV administrators 20% of ransom proceeds in exchange for access to the malware and extortion platform.

One confirmed victim paid approximately $1.2 million in Bitcoin. After taking their 80% share, the three men split the proceeds and laundered the funds through various channels.

Why This Case Matters

The cybersecurity industry runs on trust. Organizations hire incident response firms when they're at their most vulnerable. They bring in negotiators to handle communications with criminal gangs. Both roles require access to sensitive systems, confidential business information, and strategic decision-making during crises.

Goldberg and Martin weaponized that trust. They understood how defenders think because they were defenders. They knew what triggers organizations would respond to, what ransom amounts victims could afford, what pressure points would maximize payments.

This isn't the first time insiders exploited their positions for criminal gain, but the scale and sophistication here are unusual. These weren't disgruntled employees stealing data on their way out. They ran sustained criminal operations while maintaining their legitimate roles.

The ALPHV BlackCat Operation

ALPHV BlackCat targeted over 1,000 victims worldwide before law enforcement disrupted its infrastructure in late 2023. The group pioneered several techniques that made it particularly effective, including public leak sites with searchable victim data and a reputation for following through on threats.

The ransomware-as-a-service model meant ALPHV administrators handled malware development and infrastructure while affiliates like Goldberg and Martin handled the actual intrusions and negotiations. The 80/20 revenue split gave affiliates strong financial incentive to maximize ransom payments.

When we covered the Black Basta leader's Interpol Red Notice, we noted how ransomware operations have become professionalized criminal enterprises. This case shows that professionalization extends to recruiting people with legitimate industry credentials.

Industry Implications

The guilty pleas will likely trigger uncomfortable conversations within cybersecurity firms:

Vetting procedures need scrutiny. How do you screen for someone with no criminal record who decides to become a criminal? Background checks would have shown nothing problematic about either defendant before their arrest.

Access controls matter internally. Even trusted employees should operate with least-privilege principles. Do incident responders need access to client data when they're not actively working cases? Do negotiators need visibility into organizational finances beyond what's necessary for specific engagements?

Monitoring isn't just for external threats. The same behavioral analytics organizations deploy against attackers should apply internally. Unusual data access patterns or communications with known criminal infrastructure deserve investigation regardless of who generates them.

Client trust may be affected. Organizations considering incident response retainers or negotiation services may now ask harder questions about personnel security. Firms may need to demonstrate their own internal security practices, not just their technical capabilities.

What Happens Next

Both defendants pleaded guilty to conspiracy to obstruct commerce by extortion. The maximum penalty is 20 years in federal prison. Sentencing is scheduled for March 12, 2026.

Federal sentencing guidelines will consider various factors: the amount of financial harm, whether defendants cooperated with investigators, their role in the conspiracy, and any other relevant criminal history. The $1.2 million confirmed ransom represents just one known victim—the total damage across their campaign may be significantly higher.

The unnamed third co-conspirator's status remains unclear. Depending on whether they've been apprehended and are cooperating, additional charges or defendants may emerge.

For the cybersecurity industry, this case serves as a reminder that threats don't always come from outside the organization. The people with the most access and knowledge can cause the most damage when they choose to. Vigilance has to be omnidirectional.
