A $220,000 Salary Wasn't Enough. A Cybersecurity Specialist Turned to the BlackCat Hackers (And Got Caught).
Experience with BlackCat and knowledge of cryptocurrencies turned into a criminal scheme that quickly collapsed.
Experience with BlackCat and knowledge of cryptocurrencies turned into a criminal scheme that quickly collapsed.
Helping companies pay off extortionists seems like a strange business. Formally, you negotiate with cybercriminals and try to lower the ransom amount so the affected organization can recover faster. In practice, you are still helping criminals get money, which means you are supporting their infrastructure and making new attacks more likely.
The American FBI has detailed a situation where this internal dilemma ended in a very predictable way. Several individuals working in ransomware response, who had seen from the inside how much money was being paid in cryptocurrency ransoms, decided to try it themselves. They knew how modern extortion schemes worked, saw vulnerable companies, and understood that ransomware-as-a-service programs now exist, where developers provide ready-made malware and infrastructure, and partners find victims and share the profits. At some point, one of these specialists, according to the investigation, asked a simple question: Why should other criminals get this money when I can organize an attack myself?
The FBI believes that's exactly what three cybersecurity specialists working in the US did. They switched to the other side and began deploying ransomware in the networks of American companies, counting on a quick income. In reality, it wasn't so simple. They only managed one successful payout. The other victims refused to pay, and the investigation quickly led back to the perpetrators themselves.
The case documents feature Kevin Martin. He worked for the Chicago-based company DigitalMint, which, after attacks, helps organizations assess demands, buy legitimate cryptocurrency, and safely transfer funds to meet the extortionists' terms as quickly as possible. According to the FBI, in 2023, Martin decided to become an affiliate for the BlackCat group. This group is known for providing partners with ready-made encryption software and dark web platforms, taking a cut of the ransom in return. Martin had seen this scheme in practice and proposed that two others join him. One of them, investigators claim, was Ryan Goldberg from Georgia, who worked on incidents at the company Sygnia. Goldberg told agents that Martin invited him to try "to extort money from companies."
In May 2023, the group chose its first victim: a medical company in Tampa, Florida. They deployed BlackCat in the network, encrypted corporate data, and demanded $10 million for the decryption key. The company eventually agreed to pay, but not the full amount. According to the FBI, it transferred $1.27 million in cryptocurrency. Part of it went to the BlackCat developers, and the rest was split between Martin, Goldberg, and a third participant, whose name has not yet been disclosed.
After this success, they tried to repeat the scheme. Throughout 2023, the group attacked a pharmaceutical company in Maryland, a doctor's office, an engineering firm in California, and a drone manufacturer in Virginia. The ransom amounts varied—sometimes $5 million, sometimes $1 million, sometimes $300,000. But unlike the first victim, the others refused to pay. This ended the profitable part of the story and attracted the attention of the FBI.
By the spring of 2025, the investigation was in full swing. In April, agents conducted a search of Martin's home. After this, according to Goldberg, the third participant began to panic about the search. In May, Goldberg was searching online for Martin's surname along with the US Department of Justice domain, trying to understand what was happening with the case. On June 17, Goldberg himself was searched and his devices were seized. At first, he denied involvement but later confessed and identified Martin as the organizer. He explained that he agreed to participate in the extortion attacks because he wanted to pay off debts and was very worried about the prospect of "spending the rest of his life in federal prison."
Goldberg was not immediately arrested. On June 24, he received official notification from the prosecutor's office that he was a subject of the case. The next day, he and his wife bought one-way tickets to Paris. On June 27, they flew out, and by the time charges were filed, Goldberg was already in Europe. In September, he returned to North America, but not to the US. He flew from Amsterdam to Mexico City, where he was detained and deported. The court considered this an attempt to flee, so unlike Martin, who was released on a $400,000 bond, Goldberg was denied pre-trial release. According to the court's calculations, if he pleads guilty, he could face between 78 and 97 months in prison. If he does not plead guilty and is convicted, the sentence could be longer.
The story seems particularly absurd considering that, according to court data, Goldberg was already earning a good salary of about $214,000 per year. After being fired, he lost that income, stopped paying his mortgage, and essentially destroyed his family's normal life because of one successful operation and several failed attempts. Now he and his loved ones will have to deal with the consequences for a long time.