Insider Ransomware Attacks by Cybersecurity Professionals Using BlackCat
Three former employees of cybersecurity firms DigitalMint and Sygnia have been indicted for orchestrating a series of BlackCat (ALPHV) ransomware attacks against five U.S. companies between May and November 2023. The accused, including Kevin Tyler Martin and Ryan Clifford Goldberg, allegedly abused their positions as incident response professionals to gain unauthorized access to victim networks, deploy ransomware, steal sensitive data, and demand cryptocurrency ransoms ranging from $300,000 to $10 million. The Department of Justice and FBI state that the group operated as BlackCat affiliates, with at least one successful extortion resulting in a $1.27 million payment from a Tampa medical device manufacturer after its servers were encrypted.
The indictment details additional targets, including a Maryland pharmaceutical company, a California doctor's office, a California engineering firm, and a Virginia drone manufacturer, though it is unclear if further ransom payments were made. DigitalMint and Sygnia have both denied organizational involvement, terminated the implicated employees, and are cooperating with law enforcement. The case highlights the risk of insider threats within cybersecurity firms and the sophisticated tactics used by ransomware operators to exploit trusted access for criminal gain.
Timeline
Nov 5, 2025
DigitalMint denies involvement and says it cooperated
DigitalMint publicly denied any role in the attacks and said it cooperated with law enforcement after the case became public.
Nov 5, 2025
Martin pleads not guilty in federal court
Following the indictment, Kevin Tyler Martin pleaded not guilty to the federal charges tied to the alleged ransomware and extortion campaign.
Nov 3, 2025
U.S. prosecutors indict former cyber professionals
The U.S. Department of Justice unsealed charges against Ryan Clifford Goldberg and Kevin Tyler Martin, alleging they used insider access and expertise from firms including Sygnia and DigitalMint to conduct BlackCat ransomware attacks and extortion.
Nov 2, 2025
Goldberg is arrested in Mexico City after attempted flight
According to later reporting, Goldberg tried to flee to Europe but was apprehended in Mexico City as authorities moved against the group.
Nov 2, 2025
FBI investigation identifies suspects and obtains confession
The FBI traced the alleged operation, including cryptocurrency laundering through wallets and mixers, and obtained admissions from Ryan Clifford Goldberg, who reportedly said he joined the scheme because of debt.
Apr 1, 2025
Alleged scheme continues until April 2025
Court filings and later reporting say the conspiracy remained active through April 2025, even though no additional victims after 2023 were publicly named in the referenced coverage.
Dec 31, 2023
Attack campaign expands to five U.S. companies
Across 2023, the accused allegedly targeted at least five U.S. companies in multiple states, stealing data, deploying BlackCat ransomware, and demanding between $300,000 and $10 million. Prosecutors say only one victim paid, while the other extortion attempts failed.
Dec 1, 2023
International operation seizes ALPHV/BlackCat servers
U.S. and European law enforcement partners seized ALPHV/BlackCat infrastructure in December 2023. Later reporting said evidence from that disruption may have helped investigators identify the suspects.
May 1, 2023
Florida medical company pays $1.27 million ransom
In the first successful extortion case, the group allegedly attacked a Tampa-area Florida medical company and secured a cryptocurrency ransom payment of about $1.27 million after an initial demand reportedly reached as high as $10 million.
May 1, 2023
BlackCat affiliates begin targeting U.S. companies
Federal prosecutors allege three Florida men, including cybersecurity professionals employed in incident response and ransomware negotiation roles, began a string of ALPHV/BlackCat ransomware attacks against U.S. companies in May 2023.
Related Stories

US Charges Former DigitalMint Negotiator for Allegedly Partnering With BlackCat in Ransomware Extortion
Former DigitalMint ransomware negotiator Angelo Martino pleaded guilty to conspiring with **ALPHV/BlackCat** operators and U.S.-based accomplices to attack and extort American organizations while simultaneously serving in a trusted incident-response role. Prosecutors said Martino used insider access to share confidential victim information — including negotiation positions, strategies, and insurance policy limits — with BlackCat actors, helping drive up ransom demands. He was previously charged with conspiracy to interfere with interstate commerce by extortion after surrendering to U.S. Marshals, and he now faces up to 20 years in prison. Court filings allege Martino worked with former DigitalMint negotiator Kevin Tyler Martin and former Sygnia incident response manager Ryan Goldberg in at least 10 attacks, including cases where five victims hired DigitalMint and were assigned Martino as their negotiator. Authorities said the group acted as BlackCat affiliates, paid the gang a 20% share for use of its ransomware and extortion portal, and extracted more than **$75.25 million** across multiple incidents, including payments exceeding **$25 million** and one Florida medical-sector extortion that yielded about **$1.2 million** in Bitcoin. Law enforcement has seized roughly **$10 million** or more in Martino’s assets, while DigitalMint said it was unaware of the scheme, fired the implicated employees, cooperated with investigators, and added stronger oversight, auditing, and logging controls.
Today
Cybersecurity Professionals Plead Guilty to ALPHV/BlackCat Ransomware Attacks
Two cybersecurity professionals, Ryan Goldberg and Kevin Martin, have pleaded guilty to conspiracy charges after using their positions as a ransomware negotiator and incident response manager to conduct ransomware attacks with the ALPHV/BlackCat group. The pair, along with an unnamed co-conspirator, leveraged their infosec expertise to compromise five organizations—including a medical device company, a pharmaceutical firm, a doctor's office, an engineering company, and a drone manufacturer—between May and December 2023. They agreed to pay ALPHV administrators 20% of any ransom collected in exchange for access to the ransomware platform. The only successful extortion resulted in a $1.2 million bitcoin payment from the medical device company, which was split among the perpetrators, with a portion sent to ALPHV. Patient photos stolen from the doctor's office were published on the gang’s leak site. Goldberg and Martin face up to 20 years in prison, with sentencing scheduled for March. Authorities highlighted the betrayal of trust, as both men used their cybersecurity training and privileged access to facilitate the very crimes they were supposed to prevent.
1 month ago
Former Black Basta Affiliates Target Executives With Teams Phishing and Email Bombing
Suspected former **Black Basta** affiliates have launched a fast-scaling social-engineering campaign against dozens of organizations, targeting more than 100 employees to gain network access for **data theft, ransomware deployment, and extortion**. According to ReliaQuest, the operators use mass email bombing to overwhelm victims and then follow up through **Microsoft Teams** messages or phone calls while impersonating IT help desk staff. The activity has been linked to former Black Basta members or closely aligned actors because the tooling, targeting, and execution closely mirror the group’s historical playbook, even after Black Basta fragmented following the leak of its internal chats. The campaign has increasingly focused on senior leaders and other highly privileged personnel, with executive targeting rising from **59%** in January and February to **77%** in March. Attackers have persuaded victims to install remote monitoring and management tools such as **Supremo Remote Desktop** or to launch **Windows Quick Assist**, sometimes obtaining remote access within minutes before running malicious scripts. Manufacturing and professional services have been hit hardest, with finance, insurance, construction, and technology also affected, underscoring how the operators are moving faster and using more automation to scale intrusions and make early detection more difficult.
3 days ago