NEWS Wolves in Sheep's Clothing: Cybersecurity Experts Turned Accomplices of ALPHV BlackCat — Robbed Those They Vowed to Help

ExcalibuR

They taught companies to defend against extortionists — then began extorting millions from them themselves.

In the US, another high-profile episode in the history of the ALPHV BlackCat extortion group has concluded. A federal court has accepted the guilty pleas of two Americans who previously worked in cybersecurity and then switched sides to the extortionists, participating in attacks using this ransomware.

The individuals are Ryan Goldberg, a 40-year-old resident of Georgia, and Kevin Martin, a 36-year-old resident of Texas. Both pleaded guilty in December of last year in the federal court for the Southern District of Florida, and their pleas have now been officially accepted. Previously, Goldberg held a leadership position on the incident response team at the Israeli company Sygnia, while Martin worked as a ransomware negotiation specialist at the American firm DigitalMint.

According to the FBI, these two were behind an attack on a medical device manufacturer in 2023. At that time, the attackers used the ALPHV BlackCat ransomware and demanded a ransom of $1.2 million. The investigation claims this was not an isolated incident. Between April and December 2023, the group involving Goldberg and Martin successfully deployed ransomware against several companies in the United States. The case also involves a third individual who previously worked at DigitalMint, but no charges have been filed against him.

In addition to the successful attack on the medical company, the defendants admitted to involvement in at least four other extortion attempts that did not yield money. Among the targets were a pharmaceutical company from Maryland, a medical practice in California with a $5 million ransom demand, an engineering firm from the same state with a $1 million demand, and a drone manufacturer from Virginia from which they tried to obtain $300,000.

US authorities specifically emphasize that both defendants used professional skills acquired in their legitimate jobs. Their experience in incident response and negotiating with extortionists helped them effectively deploy malware and carry out attacks that they were previously duty-bound to combat. Both Sygnia and DigitalMint stated they no longer work with these individuals and are cooperating with the investigation.

As investigators established, the attacks were carried out under the classic ransomware-as-a-service scheme. The ALPHV BlackCat group provided its partners with access to its ransomware and infrastructure, and in return received a share of the ransoms. In this case, the defendants agreed to transfer 20 percent of each sum received to the group's administrators. In the case of the medical device company, the $1.2 million was divided among the participants, after which the money was laundered through complex financial chains.

The case unfolded against the backdrop of ALPHV BlackCat's own decline. In December 2023, the FBI seized its darknet site, sparking a prolonged confrontation between law enforcement and the group. A year later, the extortionists suddenly ceased activity, having previously received, according to authorities, about $22 million from an attack on Change Healthcare, a subsidiary of UnitedHealth Group. These funds, it is claimed, were not distributed among the partners, giving rise to rumors of a so-called exit scam and a possible rebranding of the group.

It is unclear whether Goldberg and Martin were among those "abandoned" partners. It is only known that during ALPHV BlackCat's existence, its attacks affected over a thousand organizations worldwide, and the FBI at one point even announced a $15 million reward for information on key members of the group.

Both defendants pleaded guilty to a charge of conspiracy to commit extortion affecting interstate commerce. The charge carries a maximum penalty of 20 years in prison and a fine of up to $250,000. Sentencing is scheduled for March 12, 2026.

As part of the operation against ALPHV BlackCat, the FBI also released a free decryptor, which helped at least five hundred victim organizations recover data and avoid paying tens of millions of dollars in ransom.