Insider Ransomware Attacks by Cybersecurity Professionals Using BlackCat
Three former employees of cybersecurity firms DigitalMint and Sygnia have been indicted for orchestrating a series of BlackCat (ALPHV) ransomware attacks against five U.S. companies between May and November 2023. The accused, including Kevin Tyler Martin and Ryan Clifford Goldberg, allegedly abused their positions as incident response professionals to gain unauthorized access to victim networks, deploy ransomware, steal sensitive data, and demand cryptocurrency ransoms ranging from $300,000 to $10 million. The Department of Justice and FBI state that the group operated as BlackCat affiliates, with at least one successful extortion resulting in a $1.27 million payment from a Tampa medical device manufacturer after its servers were encrypted.
The indictment details additional targets, including a Maryland pharmaceutical company, a California doctor's office, a California engineering firm, and a Virginia drone manufacturer, though it is unclear if further ransom payments were made. DigitalMint and Sygnia have both denied organizational involvement, terminated the implicated employees, and are cooperating with law enforcement. The case highlights the risk of insider threats within cybersecurity firms and the sophisticated tactics used by ransomware operators to exploit trusted access for criminal gain.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
DigitalMint denies involvement and says it cooperated
DigitalMint publicly denied any role in the attacks and said it cooperated with law enforcement after the case became public.
Martin pleads not guilty in federal court
Following the indictment, Kevin Tyler Martin pleaded not guilty to the federal charges tied to the alleged ransomware and extortion campaign.
U.S. prosecutors indict former cyber professionals
The U.S. Department of Justice unsealed charges against Ryan Clifford Goldberg and Kevin Tyler Martin, alleging they used insider access and expertise from firms including Sygnia and DigitalMint to conduct BlackCat ransomware attacks and extortion.
Goldberg is arrested in Mexico City after attempted flight
According to later reporting, Goldberg tried to flee to Europe but was apprehended in Mexico City as authorities moved against the group.
FBI investigation identifies suspects and obtains confession
The FBI traced the alleged operation, including cryptocurrency laundering through wallets and mixers, and obtained admissions from Ryan Clifford Goldberg, who reportedly said he joined the scheme because of debt.
Alleged scheme continues until April 2025
Court filings and later reporting say the conspiracy remained active through April 2025, even though no additional victims after 2023 were publicly named in the referenced coverage.
Attack campaign expands to five U.S. companies
Across 2023, the accused allegedly targeted at least five U.S. companies in multiple states, stealing data, deploying BlackCat ransomware, and demanding between $300,000 and $10 million. Prosecutors say only one victim paid, while the other extortion attempts failed.
International operation seizes ALPHV/BlackCat servers
U.S. and European law enforcement partners seized ALPHV/BlackCat infrastructure in December 2023. Later reporting said evidence from that disruption may have helped investigators identify the suspects.
Florida medical company pays $1.27 million ransom
In the first successful extortion case, the group allegedly attacked a Tampa-area Florida medical company and secured a cryptocurrency ransom payment of about $1.27 million after an initial demand reportedly reached as high as $10 million.
BlackCat affiliates begin targeting U.S. companies
Federal prosecutors allege three Florida men, including cybersecurity professionals employed in incident response and ransomware negotiation roles, began a string of ALPHV/BlackCat ransomware attacks against U.S. companies in May 2023.
Sources
11 references tracked.
How to trade your $214,000 cybersecurity job for a jail cell (arstechnica.com)
Risky Bulletin: US indicts two rogue cybersecurity employees for ransomware attacks (news.risky.biz)
2 Ex-Cyber Specialists Indicted for Alleged BlackCat Attacks (bankinfosecurity.com)
Former cybersecurity firm experts attempted to extort five U.S. companies in 2023 using BlackCat ransomware attacks (securityaffairs.com)
Rogue ransomware negotiators accused of extortion attacks (go.theregister.com)
US cybersecurity experts indicted for BlackCat ransomware attacks (bleepingcomputer.com)
Prosecutors allege incident response pros used ALPHV/BlackCat to commit string of ransomware attacks (cyberscoop.com)
Chicago firm that resolves ransomware attacks had rogue workers carrying out their own hacks, FBI says (chicago.suntimes.com)


