Cybersecurity Professionals Plead Guilty to ALPHV/BlackCat Ransomware Attacks
Two cybersecurity professionals, Ryan Goldberg and Kevin Martin, have pleaded guilty to conspiracy charges after using their positions as a ransomware negotiator and incident response manager to conduct ransomware attacks with the ALPHV/BlackCat group. The pair, along with an unnamed co-conspirator, leveraged their infosec expertise to compromise five organizations—including a medical device company, a pharmaceutical firm, a doctor's office, an engineering company, and a drone manufacturer—between May and December 2023. They agreed to pay ALPHV administrators 20% of any ransom collected in exchange for access to the ransomware platform.
The only successful extortion resulted in a $1.2 million bitcoin payment from the medical device company, which was split among the perpetrators, with a portion sent to ALPHV. Patient photos stolen from the doctor's office were published on the gang’s leak site. Goldberg and Martin face up to 20 years in prison, with sentencing scheduled for March. Authorities highlighted the betrayal of trust, as both men used their cybersecurity training and privileged access to facilitate the very crimes they were supposed to prevent.
Timeline
Mar 12, 2026
Sentencing set for March 12, 2026
Following the guilty pleas, the court scheduled sentencing for Ryan Goldberg and Kevin Martin for March 12, 2026. They were reported to face up to 20 years in prison on the extortion conspiracy charge.
Dec 30, 2025
Sygnia and DigitalMint terminate employees and cooperate with investigators
After the case became public, Sygnia and DigitalMint said the conduct was unauthorized, that the employees involved had been terminated, and that they were cooperating with law enforcement. The companies also said their clients were not impacted by the employees' criminal activity.
Dec 30, 2025
Goldberg and Martin plead guilty in Florida federal court
In late December 2025, Ryan Goldberg and Kevin Martin pleaded guilty in federal court in Florida to conspiring to commit extortion through ALPHV/BlackCat ransomware attacks on multiple U.S. victims. Prosecutors said both men abused trusted cybersecurity roles at Sygnia and DigitalMint while participating in the criminal scheme.
Oct 1, 2025
Federal authorities indict the alleged insider ransomware conspirators
U.S. authorities issued indictments in October 2025 against Ryan Goldberg, Kevin Martin, and an unnamed co-conspirator for conspiracy to commit extortion through ALPHV/BlackCat ransomware attacks. The case was investigated by the FBI Miami Field Office with support from other federal agencies.
Feb 1, 2024
ALPHV affiliates remain linked to Change Healthcare attack
In early 2024, ALPHV/BlackCat affiliates were tied to the major Change Healthcare ransomware attack, which disrupted U.S. pharmacy operations. The incident showed the group's ecosystem remained active despite the late-2023 law enforcement disruption.
Dec 1, 2023
FBI disrupts ALPHV/BlackCat and releases decryption capability
In December 2023, U.S. authorities disrupted ALPHV/BlackCat infrastructure, including seizing its website, and the FBI developed a decryption tool for victims. Officials said the tool helped victims avoid an estimated $99 million in ransom payments.
May 1, 2023
Medical device company pays $1.2 million Bitcoin ransom
During the 2023 campaign, one Florida medical device company paid about $1.2 million in Bitcoin after being hit by the conspirators' ALPHV ransomware attack. The group later split and laundered the proceeds, while the broader victim losses were reported at more than $9.5 million.
Apr 1, 2023
Cybersecurity insiders launch ALPHV ransomware attacks on U.S. victims
Between April and December 2023, Ryan Goldberg, Kevin Martin, and an unnamed co-conspirator used ALPHV/BlackCat ransomware to target five U.S. organizations, including firms in the medical, pharmaceutical, engineering, and drone sectors as well as a doctor's office. The conspirators agreed to give ALPHV's operators 20% of any ransom payments in exchange for use of the ransomware.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
3 more from sources like hackread, data breaches net and the record media
Related Stories
Insider Ransomware Attacks by Cybersecurity Professionals Using BlackCat
Three former employees of cybersecurity firms DigitalMint and Sygnia have been indicted for orchestrating a series of BlackCat (ALPHV) ransomware attacks against five U.S. companies between May and November 2023. The accused, including Kevin Tyler Martin and Ryan Clifford Goldberg, allegedly abused their positions as incident response professionals to gain unauthorized access to victim networks, deploy ransomware, steal sensitive data, and demand cryptocurrency ransoms ranging from $300,000 to $10 million. The Department of Justice and FBI state that the group operated as BlackCat affiliates, with at least one successful extortion resulting in a $1.27 million payment from a Tampa medical device manufacturer after its servers were encrypted. The indictment details additional targets, including a Maryland pharmaceutical company, a California doctor's office, a California engineering firm, and a Virginia drone manufacturer, though it is unclear if further ransom payments were made. DigitalMint and Sygnia have both denied organizational involvement, terminated the implicated employees, and are cooperating with law enforcement. The case highlights the risk of insider threats within cybersecurity firms and the sophisticated tactics used by ransomware operators to exploit trusted access for criminal gain.
1 months ago
US Charges Former DigitalMint Negotiator for Allegedly Partnering With BlackCat in Ransomware Extortion
Former DigitalMint ransomware negotiator Angelo Martino pleaded guilty to conspiring with **ALPHV/BlackCat** operators and U.S.-based accomplices to attack and extort American organizations while simultaneously serving in a trusted incident-response role. Prosecutors said Martino used insider access to share confidential victim information — including negotiation positions, strategies, and insurance policy limits — with BlackCat actors, helping drive up ransom demands. He was previously charged with conspiracy to interfere with interstate commerce by extortion after surrendering to U.S. Marshals, and he now faces up to 20 years in prison. Court filings allege Martino worked with former DigitalMint negotiator Kevin Tyler Martin and former Sygnia incident response manager Ryan Goldberg in at least 10 attacks, including cases where five victims hired DigitalMint and were assigned Martino as their negotiator. Authorities said the group acted as BlackCat affiliates, paid the gang a 20% share for use of its ransomware and extortion portal, and extracted more than **$75.25 million** across multiple incidents, including payments exceeding **$25 million** and one Florida medical-sector extortion that yielded about **$1.2 million** in Bitcoin. Law enforcement has seized roughly **$10 million** or more in Martino’s assets, while DigitalMint said it was unaware of the scheme, fired the implicated employees, cooperated with investigators, and added stronger oversight, auditing, and logging controls.
Today
Guilty Pleas in Major Cyber-Enabled Fraud and Ransomware Operations
U.S. authorities secured guilty pleas in two separate cyber-enabled criminal cases: a Ghana-based fraud ring that stole more than **$100 million** via **business email compromise (BEC)** and romance scams, and a **Phobos** ransomware administrator tied to a global extortion operation. The cases highlight parallel monetization paths—social engineering and payment redirection in BEC/romance schemes versus data encryption and extortion in ransomware-as-a-service (RaaS)—and both involve international arrests/extraditions to the United States. In the fraud case, **Derrick Van Yeboah** (40) pleaded guilty to conspiracy to commit wire fraud and agreed to pay **over $10 million** in restitution for his role in a Ghana-based operation that targeted U.S. victims from 2016 to May 2023, using spoofed emails to impersonate customers/employees and laundering proceeds through U.S. intermediaries before sending funds to coordinators in West Africa. Separately, **Evgenii Ptitsyn** (43) pleaded guilty to wire fraud conspiracy for helping develop, sell, distribute, and operate the **Phobos** ransomware platform, which the U.S. DoJ says hit **1,000+** entities and extorted **$16+ million**; he was arrested in South Korea in 2024, extradited to the U.S., and faces up to **20 years** in prison, with sentencing scheduled for July 15.
1 months ago