Two former incident responders admit to moonlighting as ransomware affiliates, extorting $1.2 million from healthcare companies while working at firms hired to prevent such attacks
December 30, 2025
The cybersecurity industry's worst fears have been confirmed. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas—two cybersecurity professionals who worked at companies hired to defend against ransomware—have pleaded guilty in Miami federal court to conducting the very attacks they were supposed to prevent.
The guilty pleas, entered on December 18, 2025, mark the conclusion of one of the most disturbing insider threat cases in the industry's history (Case No. 25-CR-20443-MOORE/D'ANGELO, U.S. District Court, Southern District of Florida). Both men admitted to participating in a conspiracy to extort five U.S. companies, including three healthcare organizations, using the ALPHV/BlackCat ransomware.
"These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks—the very type of crime that they should have been working to stop," said Assistant Attorney General A. Tysen Duva, head of the Department of Justice Criminal Division.
## The Scheme Unraveled
When we first reported on the original indictment in November, the allegations were shocking enough. Now, with guilty pleas on record, the full scope of the betrayal is undeniable.
Martin worked as a ransomware negotiator at DigitalMint, a firm companies turn to during their darkest hours when ransomware has locked them out of their own systems. Goldberg served as an incident response manager at Sygnia, helping companies recover from cyberattacks. A third, unnamed co-conspirator—believed to reside in Land O'Lakes, Florida—was also a DigitalMint employee and allegedly served as the ringleader who recruited the others.
In May 2023, the unnamed co-conspirator obtained an affiliate account with the BlackCat/ALPHV ransomware operation, one of the most prolific ransomware-as-a-service groups in history. He shared access with Goldberg and Martin. The trio agreed to pay BlackCat's administrators a 20% cut of any ransoms received in exchange for access to the ransomware toolkit and extortion platform.
Between May 2023 and April 2025, they launched attacks against five companies:
| Victim | Location | Industry | Ransom Demand |
|---|---|---|---|
| Victim 1 | Tampa, FL | Medical Devices | $10,000,000 |
| Victim 2 | Maryland | Pharmaceutical | Undisclosed |
| Victim 3 | California | Doctor's Office | $5,000,000 |
| Victim 4 | California | Engineering | $1,000,000 |
| Victim 5 | Virginia | Drone Manufacturing | $300,000 |
Only Victim 1—the Tampa medical device manufacturer—paid, transferring exactly $1,274,781.23 in cryptocurrency. After BlackCat's 20% cut went to the Russian-speaking developers, the three conspirators split their 80% share and laundered the funds through cryptocurrency mixing services and multiple wallets to obscure the money trail.
The indictment notes there were over 20 ALPHV BlackCat ransomware victims in the Southern District of Florida alone during this period, with attacks causing "tens of millions in cryptocurrency ransom payments, major disruptions in ongoing operations, and large losses of proprietary information."
## How the Conspiracy Worked: The RaaS Model
The indictment provides a detailed look at how ALPHV BlackCat operated as a ransomware-as-a-service platform—and how the defendants exploited it.
BlackCat's "developers" created and updated the ransomware, then recruited and vetted "affiliates" who would identify and attack victims. Affiliates accessed the ransomware through a password-protected "panel" on the dark web, customized to each affiliate.
Once an affiliate gained access to a victim's network, they would steal data and deploy the ransomware to encrypt systems, leaving a ransom note directing victims to the BlackCat panel to negotiate. When victims agreed to pay, the attackers provided Bitcoin or Monero cryptocurrency addresses. The ransom payments were then "split up when received and moved into various cryptocurrency addresses through multiple transactions to obscure the source of the proceeds before it reached the point of cashing out for fiat currency."
The conspirators agreed to pay BlackCat's administrators a 20% cut of any ransoms received—the standard industry rate for RaaS operations. This meant that even as American cybersecurity professionals were enriching themselves through extortion, they were also funding Russian-speaking cybercriminal developers.
## The Flight to Paris
Perhaps the most damning detail emerged from court documents: Goldberg's apparent attempt to flee after FBI agents interviewed him.
On June 17, 2025, Goldberg initially denied involvement when questioned by the FBI. He eventually confessed that he was recruited by the unnamed co-conspirator to "try and ransom some companies" and admitted the scheme succeeded with the Tampa medical device manufacturer.
Ten days later, Goldberg and his wife flew from Atlanta to Paris on one-way tickets booked just two days before departure. According to FBI affidavits, agents were "unaware of any flights purchased by Goldberg to return to the United States."
Goldberg was back in U.S. custody by October 7, 2025, when both he and Martin were arraigned. While Martin was released on $400,000 bond, Goldberg remained in federal custody—a decision that now appears prescient given his apparent flight risk.
## Sentencing and Penalties
Both defendants pleaded guilty to conspiracy to obstruct, delay, or affect commerce by extortion. They face maximum penalties of 20 years' imprisonment, three years of parole, and fines of up to $250,000 or twice the gross gain or loss of the offense.
As part of the plea agreement, each agreed to forfeit any property tied to proceeds from the offense and pay a forfeiture monetary judgment of $324,123.26—roughly their individual shares of the laundered ransom. The government agreed to dismiss the remaining counts at sentencing.
Sentencing is scheduled for March 12, 2026.
"Ransomware is not just a foreign threat—it can come from inside our own borders," said U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida.
## The Industry Reckoning
This case confirms concerns we raised in our July investigation into the ransomware negotiation industry, which first revealed the DOJ's investigation into a former DigitalMint employee.
The ransomware negotiation industry has long operated in murky ethical territory. Firms position themselves as critical intermediaries—negotiating with threat actors, facilitating cryptocurrency payments, and helping victims recover. But the fee structures and access these roles provide create inherent conflicts of interest.
As James Taliento, CEO of cyber intelligence firm AFTRDRK, explained at the time: "A negotiator is not incentivized to drive the price down or to inform the victim of all the facts if the company they work for is profiting off the size of the demand paid."
Both employers have distanced themselves from the defendants. DigitalMint told Information Security Media Group: "We strongly condemn his actions, which were undertaken without the knowledge, permission or involvement of the company. His behavior is a clear violation of our values and ethical standards."
Sygnia confirmed Goldberg was terminated immediately upon learning of the allegations and has been cooperating with the FBI.
## A Broader Pattern
The guilty pleas come as law enforcement has intensified efforts against ransomware operations globally. As we documented in our 2025 cybercrime takedowns coverage, authorities have disrupted major operations including LockBit and the original BlackCat infrastructure.
BlackCat itself met an ignominious end in early 2024. After the FBI disrupted their operations in December 2023—seizing websites and releasing decryption tools that saved victims an estimated $68 million—the group attempted to continue. Their final act was an exit scam: after allegedly receiving a $22 million ransom from the Change Healthcare attack (which compromised data on 193 million Americans), BlackCat's operators kept the entire payment rather than sharing it with the affiliate who conducted the attack.
The irony isn't lost: a ransomware group that helped enable insider betrayal was itself betrayed from within.
## What This Means for the Industry
The case raises critical questions for organizations selecting cybersecurity partners:
- Enhanced vetting is essential. Regulatory attorney Rachel Rose noted after the initial indictment: "This stands out as a classic case of the fox guarding the hen house. Who is watching the fox? The first place to start is with adequate background checks."
- Access must be monitored. Rose also recommended that "companies need to evaluate software that can monitor access that a sophisticated cyber or tech person cannot access, or needs to be monitored by an independent and unknown third party."
- The trust model is broken. When incident responders and ransomware negotiators have the skills and access to become attackers themselves, traditional vendor trust models are insufficient.

The case also demonstrates that ransomware isn't exclusively a foreign threat. While much attention focuses on Russian-speaking ransomware operations, American cybersecurity professionals with security clearances and trusted access can pose equal or greater risks.
## The Unnamed Third Conspirator
One significant question remains: Who is "Co-Conspirator 1"? Court documents identify this person as a Land O'Lakes, Florida resident who worked alongside Martin as a ransomware negotiator at DigitalMint. This individual allegedly obtained the original BlackCat affiliate account and recruited both Goldberg and Martin into the scheme.
Despite being implicated throughout the indictment, this third person has not been charged. Whether they are cooperating with authorities, have fled jurisdiction, or face separate proceedings remains unclear.
## Conclusion
The Goldberg and Martin case represents a watershed moment for the cybersecurity industry. The very professionals companies trusted to defend them exploited that trust for personal enrichment. They used their insider knowledge of how victims negotiate, how responders operate, and how the ransomware economy functions to become more effective attackers.
With guilty pleas now on record, the focus shifts to sentencing in March. Both men face up to 20 years in federal prison—a stark reminder that the defenders who become attackers face consequences as severe as any external threat actor.
For organizations evaluating incident response partners, the message is clear: trust must be verified, access must be monitored, and no one—regardless of their credentials—should be beyond scrutiny.