Cybersecurity Insiders Plead Guilty: When the Defenders Become Attackers

Two former cybersecurity professionals have pleaded guilty to orchestrating ransomware attacks against U.S. companies, marking a stunning betrayal of trust in an industry built on protecting organizations from cyber threats.

December 19, 2025

Executive Summary

Ryan Clifford Goldberg and Kevin Tyler Martin, two former employees of cybersecurity incident response firms, pleaded guilty on Thursday to federal crimes for launching their own ransomware attacks against multiple U.S. businesses. The pair acknowledged in court filings that, along with a third unnamed conspirator, they spent years attempting to hack and extort companies, successfully receiving a ransom payment of more than $1 million in cryptocurrency from a Florida medical device company.

Insider Threat Matrix - Comprehensive Cybersecurity Framework

Interactive insider threat detection and prevention framework. Assess, monitor, and mitigate insider security risks with our comprehensive cybersecurity tool.

Insider Threat MatrixCISO Marketplace

The guilty pleas represent a dramatic conclusion to a case that first came to light in July 2025 and sent shockwaves through the cybersecurity community when charges were filed in November. The defendants now face up to 50 years in federal prison.

The Defendants and Their Roles

Ryan Clifford Goldberg

Position: Former incident response supervisor at Sygnia Consulting Ltd. (Israel-based cybersecurity firm)
Guilty Plea: One count of conspiracy to interfere with commerce by extortion
Current Status: Held in federal custody since September 2025, considered a flight risk

Goldberg's background in incident response gave him intimate knowledge of how companies respond to ransomware attacks. According to FBI interviews conducted in June 2025, Goldberg confessed to being recruited by the unnamed co-conspirator to "try and ransom some companies" as a means to escape personal debt. He admitted his role in the conspiracy earned him approximately $200,000 from the successful medical device company attack.

In a failed attempt to evade justice, Goldberg fled to Paris with his wife in June 2025 after learning the FBI had raided his co-conspirator's home. He remained in France until September 21, when he flew from Amsterdam to Mexico City, where he was arrested upon landing and deported to the United States.

Kevin Tyler Martin

Position: Former ransomware negotiator at DigitalMint (Chicago-based firm)
Guilty Plea: One count of conspiracy to interfere with commerce by extortion
Current Status: Released on $400,000 bond, prohibited from working in cybersecurity

Martin's role at DigitalMint placed him at the center of the ransomware negotiation industry. His expertise in communicating with threat actors and facilitating cryptocurrency payments provided critical insights into the extortion process—knowledge he allegedly exploited for personal gain. He had previously given a talk at a law school on negotiation ethics, making the allegations particularly ironic.

The Unnamed Co-Conspirator

The third member of the conspiracy worked alongside Martin as a ransomware negotiator at DigitalMint and obtained an affiliate account with the ALPHV BlackCat ransomware operation. This individual has not been charged and is not identified in court records, though they allegedly served as the ringleader who recruited Goldberg and Martin into the scheme.

Timeline of the Criminal Conspiracy

May 2023 - The Campaign Begins

The trio launched their first attack against a medical device company in Tampa, Florida, demanding approximately $10 million in ransom. After negotiations, the company paid about $1.27 million (or $1.274 million in some reports) in cryptocurrency—a payment the conspirators routed through cryptocurrency mixing services and multiple wallets in an attempt to obscure the transaction trail.

May - November 2023 - Additional Targets

During this six-month period, the group attempted to extort four additional companies:

• Maryland pharmaceutical company - Ransom demand amount not disclosed
• Virginia drone manufacturer - Demanded $1 million in ransom (unsuccessful)
• California engineering firm - Targeted but attack unsuccessful
• California doctor's office - Demanded $5 million in ransom (unsuccessful)

April 2025 - FBI Investigation Intensifies

The FBI raided the unnamed co-conspirator's home in Land O'Lakes, Florida, effectively ending the group's operations. The conspiracy allegedly continued until this point, though no new victims after November 2023 have been disclosed in court records.

June 2025 - Goldberg's Confession

During a consensual recorded FBI interview on June 17, Goldberg initially denied involvement but eventually confessed to his role in the attacks. He provided details about the money laundering operation and admitted that they "successfully ransomed" the Tampa medical device company.

October 2, 2025 - Federal Indictment

Martin and Goldberg were formally indicted on charges of conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce by extortion, and intentional damage to a protected computer.

November 2025 - Original Charges Made Public

News of the indictment became public, revealing the scope of the insider betrayal to the cybersecurity industry and the public.

December 2025 - Guilty Pleas Entered

Both defendants pleaded guilty to one count each of conspiracy to interfere with commerce by extortion, acknowledging years of attempting to hack and extort businesses.

The ALPHV BlackCat Ransomware Connection

The conspirators used ALPHV BlackCat, one of the most sophisticated and prolific ransomware-as-a-service (RaaS) operations in recent history. Understanding this choice is crucial to the case.

What is ALPHV BlackCat?

ALPHV BlackCat emerged in late 2021 as a successor to the notorious DarkSide and BlackMatter ransomware operations. The group:

• Compromised over 1,000 entities by September 2023, with 75% in the United States
• Demanded over $500 million in ransoms
• Received nearly $300 million in actual ransom payments
• Became the second most prolific ransomware variant globally by mid-2023

BlackCat operated using a sophisticated ransomware-as-a-service model where developers maintained the infrastructure while affiliates—like the unnamed co-conspirator in this case—conducted the actual attacks in exchange for a share of the proceeds.

The FBI Disruption and BlackCat's Demise

On December 19, 2023, the FBI announced a major disruption campaign against ALPHV BlackCat, seizing multiple websites and distributing a decryption tool that saved over 500 victims an estimated $68 million in ransom payments. The FBI gained this capability through a confidential source who successfully signed up as a BlackCat affiliate and accessed the group's backend affiliate panel.

However, BlackCat quickly "unseized" their domain and claimed to continue operations, removing all rules from their affiliate program—including restrictions against targeting critical infrastructure. In early 2024, the group was linked to the devastating Change Healthcare ransomware attack, where they allegedly received a $22 million payment before imploding in an exit scam that cheated their own affiliate out of their share.

By March 2024, BlackCat claimed to be shutting down, and as of early 2025, the group has apparently disappeared from the ransomware landscape entirely.

Why the Conspirators Chose BlackCat

The timing and sophistication of BlackCat made it an attractive option for the conspirators:

1. Mature Infrastructure: BlackCat offered robust tools for affiliates, including advanced encryption capabilities for both Windows and Linux systems
2. Revenue Sharing Model: Affiliates received a substantial cut of ransom payments
3. Established Reputation: BlackCat's track record made their threats credible to victims
4. Double/Triple Extortion: The platform supported data theft before encryption and threatened DDoS attacks for additional pressure

Most importantly, the conspirators shared their illicit profits with BlackCat's developers, as is standard in the RaaS model. This means a portion of the $1.27 million payment went to the criminal organization, further funding global ransomware operations.

The Ransomware Negotiation Industry: A House of Cards?

This case exposes troubling vulnerabilities in the cottage industry that has emerged to help companies respond to ransomware attacks. As we previously reported in our July investigation, the ransomware negotiation business model creates inherent conflicts of interest.

How Ransomware Negotiation Works

Firms like DigitalMint position themselves as critical intermediaries in the ransomware economy. These companies:

• Negotiate with threat actors to reduce ransom demands
• Facilitate cryptocurrency payments when companies decide to pay
• Help coordinate data recovery and decryption
• Provide incident response services during attacks

DigitalMint specifically claims expertise in "over 2,000" ransomware negotiations since 2017, with clients ranging from small businesses to Fortune 500 companies.

The Structural Conflict of Interest

As James Taliento, CEO of cyber intelligence firm AFTRDRK, explained in the original investigation: "A negotiator is not incentivized to drive the price down or to inform the victim of all the facts if the company they work for is profiting off the size of the demand paid. Plain and simple."

Bill Siegel, CEO of ransomware negotiation firm Coveware, noted that business models not utilizing fixed-fee structures lend themselves to potential abuse. When negotiators profit from higher ransom payments—or in this extreme case, when they are the attackers themselves—the fundamental trust relationship breaks down completely.

Historical Precedents

This isn't the first time negotiators have been caught in unethical practices. A 2019 ProPublica investigation revealed that firms like MonsterCloud and Proven Data secretly paid ransomware gangs while charging clients for "proprietary data recovery services." Some ransomware operations even created special discount codes specifically for these corrupt intermediaries.

The Goldberg-Martin case, however, represents an entirely new level of betrayal: incident responders and negotiators becoming the threat actors themselves.

Company Responses

DigitalMint's Statement

DigitalMint President Marc Jason Grens responded to the guilty pleas with a statement emphasizing the company had no knowledge of the criminal activity:

"The co-conspirators acted wholly outside the scope of their employment and without any authorization, knowledge or involvement from the company. The charged conduct took place outside of DigitalMint's infrastructure and systems. The co-conspirators did not access or compromise client data as part of the charged conduct."

The Chicago-based company confirmed that two of the accused had worked for them and were fired "upon learning of their illicit activity given the information provided to us during the law enforcement investigation." The company emphasized it continues to cooperate with the Department of Justice and noted that "no one potentially involved in the charged scheme has worked at the company in over four months."

DigitalMint maintains it is not a target of the investigation and has been a cooperating witness throughout the process.

Sygnia's Response

Sygnia Consulting Ltd., the Israel-based cybersecurity firm where Goldberg worked, confirmed he was fired "immediately upon learning of the situation." A spokesperson, Andrea MacLean, stated the company is not a target of the investigation and continues to work closely with investigators.

The company also disputed Goldberg's title in court records, clarifying he was "a manager" rather than "a director of incident response" as described in some documents.

Impact on the Victims

While only the Tampa medical device company is confirmed to have paid the ransom, all five targeted organizations suffered significant harm:

Quantifiable Damages

• Tampa medical device company: $1.27 million paid in cryptocurrency
• Operational disruption: Systems encrypted and business operations halted
• Data theft: Sensitive company information exfiltrated before encryption
• Recovery costs: Likely millions in incident response, forensics, and remediation

Broader Industry Impact

• Undermined trust: Companies now must question whether their security providers might be threats
• Insurance implications: Cyber insurance premiums may increase due to insider threat concerns
• Regulatory scrutiny: Expect increased oversight of ransomware negotiation firms
• Reputational damage: The cybersecurity industry faces public skepticism about internal controls

The Ransomware Landscape in 2025

This case occurs against a backdrop of evolving ransomware economics. As detailed in our recent analysis of The Ransomware Revolution entering 2026, the threat landscape has undergone dramatic transformation:

• Attack volumes surged 34% year-over-year in 2025
• Ransom payments fell to historic lows despite increased attacks
• 76% of attacks now involve data exfiltration prior to encryption
• Manufacturing sector experienced 61% increase in targeting
• Average ransomware insurance claims rose 68% to $353,000

The Goldberg-Martin case represents a disturbing variation on traditional ransomware economics: insiders with access to victim psychology, payment processes, and defensive strategies turning that knowledge against the very companies seeking protection.

Legal Implications and Sentencing

The Charges

Both defendants pleaded guilty to conspiracy to interfere with commerce by extortion under 18 U.S.C. § 1951 (Hobbs Act). This charge carries:

• Maximum penalty: 20 years in federal prison
• Potential fines: Up to $250,000 per count
• Restitution: Likely required to compensate victims
• Supervised release: Expected following imprisonment

The original indictment included additional charges (interference with interstate commerce and intentional damage to a protected computer) that would have carried up to 50 years combined. By pleading guilty to the conspiracy count, the defendants may receive reduced sentences in exchange for their cooperation.

Sentencing Considerations

Federal sentencing guidelines will consider:

1. Amount of loss to victims: The $1.27 million payment alone significantly impacts sentencing
2. Number of victims: Five attempted attacks demonstrate pattern of criminal behavior
3. Abuse of position of trust: Working in cybersecurity while conducting attacks is an aggravating factor
4. Cooperation with authorities: Goldberg's confession may earn some leniency
5. Flight risk: Goldberg's attempt to flee to Europe works against him
6. Deterrence value: Given the high-profile nature and industry impact, courts may impose harsh sentences

Sentencing dates have not been publicly announced. The defendants remain subject to the court's discretion, though neither appears to have negotiated formal plea agreements with specific sentencing recommendations.

Broader Legal Implications

This case establishes important precedents:

• Insider threat prosecution: Demonstrates DOJ's willingness to aggressively prosecute cybersecurity professionals who abuse their positions
• RaaS affiliate liability: Confirms that affiliates, not just ransomware developers, face serious federal charges
• Cryptocurrency tracing: Showcases government capability to trace cryptocurrency transactions despite mixing services
• International cooperation: Goldberg's extradition from Mexico demonstrates cross-border law enforcement coordination

Industry Wake-Up Call: Lessons and Recommendations

For Cybersecurity Firms

Implement Enhanced Background Checks:

• Continuous monitoring of employee financial situations
• Regular security clearance reviews for high-access positions
• Psychological evaluations for incident response personnel

Establish Separation of Duties:

• No single employee should have complete access to victim payment processes
• Implement dual-control for cryptocurrency wallet access
• Require multi-party approval for ransom payment facilitation

Monitor Employee Activities:

• Track unusual access to client systems or data
• Implement behavioral analytics for anomaly detection
• Review communications between employees and external parties

Create Ethical Reporting Mechanisms:

• Anonymous whistleblower hotlines
• Protection for employees who report concerns
• Regular ethics training and certification requirements

For Organizations Considering Ransomware Negotiation Services

Due Diligence Requirements:

• Verify firm credentials and insurance coverage
• Demand references from previous clients
• Understand fee structures (fixed-fee models reduce conflict of interest)
• Request evidence of compliance with relevant regulations

Transparency Expectations:

• Detailed reporting on all negotiation activities
• Access to cryptocurrency transaction records
• Regular updates on industry best practices and threats

Alternative Approaches:

• Prioritize prevention and backup strategies over payment readiness
• Work directly with law enforcement when possible
• Consider cyber insurance with vetted service providers

For Law Enforcement and Regulators

Enhanced Oversight of Negotiation Industry:

• Licensing requirements for ransomware negotiation firms
• Mandatory reporting of ransomware payments
• Regular audits of cryptocurrency handling procedures
• Background check requirements for employees handling sensitive negotiations

Increased Resources for Insider Threat Detection:

• Data sharing between private sector and law enforcement
• Improved cryptocurrency tracking capabilities
• International cooperation on ransomware investigations

Victim Support Infrastructure:

• Free or low-cost negotiation assistance for small businesses
• Expanded FBI decryption tool distribution
• Public education about payment alternatives

The Psychological Profile: Why Defenders Become Attackers

Understanding what motivated these cybersecurity professionals to become criminals offers insights into preventing similar cases.

Financial Pressure

Goldberg explicitly told FBI agents he "conducted the attacks to get out of debt." The $200,000 he earned from the successful Tampa attack suggests the debts were substantial. This raises questions about:

• Whether cybersecurity salaries adequately compensate for the trust placed in these professionals
• How financial stress screening might prevent insider threats
• The importance of employee assistance programs for financial difficulties

Insider Knowledge as Temptation

Both defendants possessed specialized knowledge that made them uniquely capable of successful attacks:

• Martin understood victim psychology, cryptocurrency payment processes, and negotiation tactics
• Goldberg knew incident response procedures, defensive strategies, and how companies react to attacks
• Both had access to or knowledge of potential high-value targets

This "insider's advantage" made the attacks more likely to succeed and potentially more appealing than typical cybercrime opportunities.

Rationalization and Moral Disengagement

Cybersecurity professionals who become criminals often engage in psychological rationalization:

• "These companies can afford it" (attacking insured businesses)
• "I'm just testing their defenses" (framing crime as research)
• "The ransomware ecosystem exists anyway" (minimizing personal responsibility)
• "I'll pay it back eventually" (temporary borrowing mentality)

The Affiliate Model's Psychological Impact

By working as BlackCat affiliates rather than developing their own ransomware, the defendants maintained psychological distance from the direct harm:

• They didn't write the malicious code
• They shared profits with "the real criminals" (BlackCat developers)
• They could frame themselves as business partners rather than cyber criminals

This psychological distancing is common in RaaS operations and may have made the transition from defender to attacker easier to justify.

Connection to Broader Cybersecurity Trends

Municipal and Critical Infrastructure Attacks

As documented in our analysis of The Cyber Siege on America's Cities and Towns, 2025 saw unprecedented ransomware attacks on municipal governments. The Goldberg-Martin case adds a disturbing dimension: what if ransomware negotiators hired by cities were actually working with attackers?

Healthcare Sector Vulnerability

The Florida medical device company attack aligns with BlackCat's known targeting of healthcare organizations. Following the FBI disruption in December 2023, BlackCat administrators specifically encouraged affiliates to target hospitals, leading to the devastating Change Healthcare attack in early 2024 that disrupted prescription services nationwide.

Third-Party Vendor Risk

Similar to the Marquis Software Solutions breach, this case highlights how trusted service providers can become the weakest link. Organizations that hire incident response firms to protect them effectively give those firms the keys to the kingdom—a privilege that requires ironclad integrity.

The Path Forward: Rebuilding Trust

The cybersecurity industry now faces a trust crisis following these guilty pleas. Rebuilding confidence requires concrete actions:

Industry Self-Regulation

Professional Certification Requirements:

• Mandatory background checks for incident response professionals
• Continuing education on ethics and legal obligations
• Revocation procedures for professionals who violate standards
• Public database of certified professionals

Industry Associations Must Act:

• (ISC)², ISACA, and similar organizations should strengthen ethical requirements
• Create reporting mechanisms for ethical violations
• Establish industry-wide standards for ransomware negotiation firms
• Publish best practices for insider threat prevention

Transparency Initiatives

Ransomware Payment Disclosure:

• Companies should report ransomware payments to authorities
• Aggregate data should be published to inform industry understanding
• Negotiation firms should provide detailed reporting on their activities

Incident Response Standards:

• Clear protocols for when to involve law enforcement
• Documentation requirements for all negotiation activities
• Regular third-party audits of high-risk functions

Technology Solutions

Blockchain-Based Audit Trails:

• Immutable records of ransomware negotiations
• Cryptocurrency payment tracking and verification
• Multi-signature requirements for all ransom payments

AI-Powered Insider Threat Detection:

• Behavioral analytics for unusual employee activities
• Correlation of financial stress indicators with system access
• Automated flagging of suspicious patterns

Law Enforcement Partnership

Enhanced Public-Private Cooperation:

• Regular threat intelligence sharing
• Joint training exercises between industry and FBI
• Streamlined reporting procedures for suspicious activities

Victim Support Programs:

• Free consultation services for attacked organizations
• Rapid deployment of decryption tools when available
• Financial assistance for small businesses impacted by ransomware

Conclusion: A Watershed Moment

The guilty pleas of Ryan Clifford Goldberg and Kevin Tyler Martin represent a watershed moment in cybersecurity. When the people hired to defend against ransomware become the ransomware operators themselves, the entire industry must reckon with fundamental questions about trust, oversight, and professional responsibility.

These cases serve as a stark reminder that insider threats remain one of the most challenging aspects of cybersecurity. The specialized knowledge that makes professionals valuable also makes them potentially dangerous if their integrity fails. Financial pressure, opportunity, and the psychological ease of "just being an affiliate" combined to turn two defenders into attackers.

As the defendants await sentencing—facing up to 20 years in federal prison—their legacy extends far beyond their personal consequences. They have fundamentally changed how organizations must evaluate their relationships with cybersecurity service providers. The ransomware negotiation industry faces existential questions about its business models, oversight, and ethical foundations.

For the broader cybersecurity community, the message is clear: trust but verify. Background checks, financial monitoring, separation of duties, and behavioral analytics are no longer optional luxuries—they are essential safeguards against the next insider who might be tempted to cross from defender to attacker.

The unnamed third co-conspirator remains unindicted, a reminder that this investigation may not be complete. DigitalMint and other negotiation firms must now demonstrate their commitment to preventing future breaches of trust, not just through words but through concrete structural changes that make such betrayals more difficult to perpetrate and easier to detect.

As we documented in our original coverage of this case, these indictments sent shockwaves through an industry already grappling with questions about the ethics of ransomware negotiation. Now, with guilty pleas entered and sentencing pending, those shockwaves may finally catalyze the structural reforms necessary to prevent the next generation of defenders from becoming attackers.

Key Takeaways

1. Guilty Pleas Entered: Ryan Goldberg and Kevin Martin pleaded guilty to conspiracy to interfere with commerce by extortion, acknowledging years of ransomware attacks against U.S. businesses
2. $1.27 Million Stolen: The conspiracy successfully extorted over $1 million from a Florida medical device company using ALPHV BlackCat ransomware
3. Five Companies Targeted: Between May and November 2023, the group attacked companies in Florida, Maryland, Virginia, and California
4. Industry Insider Knowledge: Both defendants worked in cybersecurity—one as an incident responder, the other as a ransomware negotiator—giving them critical insights to exploit
5. Maximum 20 Years Each: The defendants face up to 20 years in federal prison under the Hobbs Act
6. Third Co-Conspirator Unindicted: An unnamed third member of the conspiracy, also from DigitalMint, has not been charged
7. Companies Not Implicated: Both DigitalMint and Sygnia maintain they had no knowledge of the criminal activity and are cooperating with investigators
8. International Flight Attempt: Goldberg fled to Paris before being arrested in Mexico City and deported to the U.S.
9. BlackCat Connection: The conspirators used ALPHV BlackCat, one of the most prolific ransomware operations before its 2024 collapse
10. Industry Trust Crisis: The case exposes fundamental vulnerabilities in the ransomware negotiation industry and raises questions about insider threat prevention

Related Coverage

For more context on this developing story, see our previous coverage:

• When the Defenders Become the Attackers: Cybersecurity Experts Indicted for BlackCat Ransomware Operations - November 2025 coverage of the original indictments
• DOJ Investigation Exposes Alleged Corruption in Ransomware Negotiation Industry - July 2025 investigation into DigitalMint
• The Ransomware Revolution: How Attack Economics Are Reshaping the Threat Landscape Entering 2026 - Analysis of 2025 ransomware trends
• The Cyber Siege: How Ransomware is Crippling America's Cities and Towns - Municipal ransomware attacks throughout 2025

Last Updated: December 19, 2025

Case Number: 25-CR-20443-MOORE/D'ANGELO in the U.S. District Court for the Southern District of Florida