Cybersecurity Professionals Plead Guilty to ALPHV/BlackCat Ransomware Attacks
Two cybersecurity professionals, Ryan Goldberg and Kevin Martin, have pleaded guilty to conspiracy charges after using their positions as a ransomware negotiator and incident response manager to conduct ransomware attacks with the ALPHV/BlackCat group. The pair, along with an unnamed co-conspirator, leveraged their infosec expertise to compromise five organizations—including a medical device company, a pharmaceutical firm, a doctor's office, an engineering company, and a drone manufacturer—between May and December 2023. They agreed to pay ALPHV administrators 20% of any ransom collected in exchange for access to the ransomware platform.
The only successful extortion resulted in a $1.2 million bitcoin payment from the medical device company, which was split among the perpetrators, with a portion sent to ALPHV. Patient photos stolen from the doctor's office were published on the gang’s leak site. Goldberg and Martin face up to 20 years in prison, with sentencing scheduled for March. Authorities highlighted the betrayal of trust, as both men used their cybersecurity training and privileged access to facilitate the very crimes they were supposed to prevent.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Sentencing set for March 12, 2026
Following the guilty pleas, the court scheduled sentencing for Ryan Goldberg and Kevin Martin for March 12, 2026. They were reported to face up to 20 years in prison on the extortion conspiracy charge.
Sygnia and DigitalMint terminate employees and cooperate with investigators
After the case became public, Sygnia and DigitalMint said the conduct was unauthorized, that the employees involved had been terminated, and that they were cooperating with law enforcement. The companies also said their clients were not impacted by the employees' criminal activity.
Goldberg and Martin plead guilty in Florida federal court
In late December 2025, Ryan Goldberg and Kevin Martin pleaded guilty in federal court in Florida to conspiring to commit extortion through ALPHV/BlackCat ransomware attacks on multiple U.S. victims. Prosecutors said both men abused trusted cybersecurity roles at Sygnia and DigitalMint while participating in the criminal scheme.
Federal authorities indict the alleged insider ransomware conspirators
U.S. authorities issued indictments in October 2025 against Ryan Goldberg, Kevin Martin, and an unnamed co-conspirator for conspiracy to commit extortion through ALPHV/BlackCat ransomware attacks. The case was investigated by the FBI Miami Field Office with support from other federal agencies.
ALPHV affiliates remain linked to Change Healthcare attack
In early 2024, ALPHV/BlackCat affiliates were tied to the major Change Healthcare ransomware attack, which disrupted U.S. pharmacy operations. The incident showed the group's ecosystem remained active despite the late-2023 law enforcement disruption.
FBI disrupts ALPHV/BlackCat and releases decryption capability
In December 2023, U.S. authorities disrupted ALPHV/BlackCat infrastructure, including seizing its website, and the FBI developed a decryption tool for victims. Officials said the tool helped victims avoid an estimated $99 million in ransom payments.
Medical device company pays $1.2 million Bitcoin ransom
During the 2023 campaign, one Florida medical device company paid about $1.2 million in Bitcoin after being hit by the conspirators' ALPHV ransomware attack. The group later split and laundered the proceeds, while the broader victim losses were reported at more than $9.5 million.
Cybersecurity insiders launch ALPHV ransomware attacks on U.S. victims
Between April and December 2023, Ryan Goldberg, Kevin Martin, and an unnamed co-conspirator used ALPHV/BlackCat ransomware to target five U.S. organizations, including firms in the medical, pharmaceutical, engineering, and drone sectors as well as a doctor's office. The conspirators agreed to give ALPHV's operators 20% of any ransom payments in exchange for use of the ransomware.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
US Cyber Pros Plead Guilty Over BlackCat Ransomware Activity
darkreading.com
Open sourceTwo cybersecurity experts plead guilty to running ransomware operation
csoonline.com
Open sourceTwo U.S. cybersecurity professionals plead guilty in BlackCat/Alphv ransomware case
securityaffairs.com
Open sourceTwo U.S. CyberSecurity Pros Plead Guilty for Working as ALPHV/BlackCat Affiliates
cybersecuritynews.com
Open sourceCybersecurity pros admit to moonlighting as ransomware scum
go.theregister.com
Open source2 US Cybersecurity Experts Guilty of Extortion Scheme for ALPHV Ransomware
hackread.com
Open sourceTwo Cybersecurity Professionals Plead Guilty to Targeting Multiple U.S. Victims Using ALPHV BlackCat Ransomware
databreaches.net
Open sourceRansomware responders plead guilty to using ALPHV in attacks on US organizations
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Insider Ransomware Attacks by Cybersecurity Professionals Using BlackCat
Three former employees of cybersecurity firms DigitalMint and Sygnia have been indicted for orchestrating a series of BlackCat (ALPHV) ransomware attacks against five U.S. companies between May and November 2023. The accused, including Kevin Tyler Martin and Ryan Clifford Goldberg, allegedly abused their positions as incident response professionals to gain unauthorized access to victim networks, deploy ransomware, steal sensitive data, and demand cryptocurrency ransoms ranging from $300,000 to $10 million. The Department of Justice and FBI state that the group operated as BlackCat affiliates, with at least one successful extortion resulting in a $1.27 million payment from a Tampa medical device manufacturer after its servers were encrypted. The indictment details additional targets, including a Maryland pharmaceutical company, a California doctor's office, a California engineering firm, and a Virginia drone manufacturer, though it is unclear if further ransom payments were made. DigitalMint and Sygnia have both denied organizational involvement, terminated the implicated employees, and are cooperating with law enforcement. The case highlights the risk of insider threats within cybersecurity firms and the sophisticated tactics used by ransomware operators to exploit trusted access for criminal gain.
Mar 21, 2026
US Charges Former DigitalMint Negotiator for Allegedly Partnering With BlackCat in Ransomware Extortion
Former DigitalMint ransomware negotiator Angelo Martino pleaded guilty to conspiring with **ALPHV/BlackCat** operators and U.S.-based accomplices to attack and extort American organizations while simultaneously serving in a trusted incident-response role. Prosecutors said Martino used insider access to share confidential victim information — including negotiation positions, strategies, and insurance policy limits — with BlackCat actors, helping drive up ransom demands. He was previously charged with conspiracy to interfere with interstate commerce by extortion after surrendering to U.S. Marshals, and he now faces up to 20 years in prison. Court filings allege Martino worked with former DigitalMint negotiator Kevin Tyler Martin and former Sygnia incident response manager Ryan Goldberg in at least 10 attacks, including cases where five victims hired DigitalMint and were assigned Martino as their negotiator. Authorities said the group acted as BlackCat affiliates, paid the gang a 20% share for use of its ransomware and extortion portal, and extracted more than **$75.25 million** across multiple incidents, including payments exceeding **$25 million** and one Florida medical-sector extortion that yielded about **$1.2 million** in Bitcoin. Law enforcement has seized roughly **$10 million** or more in Martino’s assets, while DigitalMint said it was unaware of the scheme, fired the implicated employees, cooperated with investigators, and added stronger oversight, auditing, and logging controls.
May 4, 2026
Guilty Pleas in Major Cyber-Enabled Fraud and Ransomware Operations
U.S. authorities secured guilty pleas in two separate cyber-enabled criminal cases: a Ghana-based fraud ring that stole more than **$100 million** via **business email compromise (BEC)** and romance scams, and a **Phobos** ransomware administrator tied to a global extortion operation. The cases highlight parallel monetization paths—social engineering and payment redirection in BEC/romance schemes versus data encryption and extortion in ransomware-as-a-service (RaaS)—and both involve international arrests/extraditions to the United States. In the fraud case, **Derrick Van Yeboah** (40) pleaded guilty to conspiracy to commit wire fraud and agreed to pay **over $10 million** in restitution for his role in a Ghana-based operation that targeted U.S. victims from 2016 to May 2023, using spoofed emails to impersonate customers/employees and laundering proceeds through U.S. intermediaries before sending funds to coordinators in West Africa. Separately, **Evgenii Ptitsyn** (43) pleaded guilty to wire fraud conspiracy for helping develop, sell, distribute, and operate the **Phobos** ransomware platform, which the U.S. DoJ says hit **1,000+** entities and extorted **$16+ million**; he was arrested in South Korea in 2024, extradited to the U.S., and faces up to **20 years** in prison, with sentencing scheduled for July 15.
Mar 21, 2026