Two former cybersecurity professionals have admitted to operating on the other side of the digital battlefield, using the ALPHV ransomware to extort US victims for personal gain.
On December 30, 2025, a federal court in the Southern District of Florida accepted guilty pleas from Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas. The two men were charged with conspiracy to obstruct, delay, or affect commerce through extortion, under 18 U.S.C. § 1951(a), in connection with ransomware attacks carried out throughout 2023. A third co-conspirator, still unnamed, remains under investigation.
The Department of Justice revealed that Goldberg and Martin leveraged their cybersecurity backgrounds to facilitate attacks as affiliates of the ALPHV (aka BlackCat) ransomware operation, a group known for deploying advanced ransomware-as-a-service (RaaS) attacks globally. The two agreed to pay a 20% cut of any ransom to the BlackCat developers in exchange for access to the malware and its infrastructure, then laundered the remaining 80% share after successful extortions. In one case, they extorted a victim for approximately $1.2 million in Bitcoin and divided the proceeds three ways.
This case follows our earlier reporting on the duo’s indictment in November 2025, which revealed that both men had previously held senior cybersecurity roles. Goldberg served as an incident response manager at Sygnia Cybersecurity, while Martin worked at DigitalMint, a Chicago-based ransomware negotiation firm. According to FBI affidavits, both exploited their insider knowledge and access to orchestrate attacks that mimicked the very threats they were hired to mitigate.
The scope of the conspiracy became evident during the DOJ’s investigation, which linked the trio to attacks on at least five known victims, including a Florida medical device firm and a Virginia-based drone manufacturer. Each breach involved unauthorized access, data encryption, and steep ransom demands, with payments routed through cryptocurrency mixers to obscure the financial trail.
ALPHV/BlackCat has been linked to over 1,000 ransomware incidents globally. The group operates under a RaaS model where core developers build and maintain the ransomware while affiliates carry out attacks and split the ransom proceeds. Victims of ALPHV have ranged from small businesses to large enterprises, with the most devastating incident involving Change Healthcare. That breach affected 192.7 million individuals, making it the largest healthcare-related data breach in US history.
In December 2023, the FBI disrupted ALPHV’s infrastructure, seized their dark web sites, and developed a decryption tool that helped victims recover systems, preventing an estimated $99 million in ransom payments.
Sentencing for Goldberg and Martin is scheduled for March 12, 2026. They each face up to 20 years in prison. The unnamed third co-conspirator, believed to have recruited Goldberg and warned the group of impending FBI activity, remains a central figure in the ongoing investigation.
Leave a Reply