Cyber Defenders Gone Rogue: Experts Charged in Ransomware Scheme

Cybersecurity experts allegedly turned rogue, using BlackCat ransomware to attack companies.

Written By
Ken Underhill
Nov 4, 2025

Federal prosecutors have accused three cybersecurity professionals — individuals once tasked with defending organizations from ransomware — of instead carrying out their own cyberattacks. 

According to court documents filed in the U.S. District Court for the Southern District of Florida, the alleged perpetrators used the ALPHV, or BlackCat, ransomware strain to target five U.S. companies between May 2023 and April 2025.

Trusted Defenders Turned Attackers

The defendants, identified as Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co-conspirator, are accused of conspiring to conduct ransomware attacks while employed in cybersecurity and digital finance roles. 

Goldberg was an incident response manager at Sygnia, a firm specializing in breach response and digital forensics, while Martin and his co-conspirator worked for DigitalMint, a company that facilitates cryptocurrency payments during ransomware negotiations.

Prosecutors allege that the trio leveraged their insider knowledge of incident response operations to carry out attacks under the guise of legitimate cyber defenders. 

Their activities began in May 2023, when one of the conspirators allegedly registered an affiliate account with ALPHV/BlackCat, a ransomware-as-a-service platform used by cybercriminals worldwide.

The conspirators then launched multiple ransomware campaigns against five U.S. organizations: a Florida-based medical company, a Maryland pharmaceutical firm, a California engineering company, a California doctor’s office, and a Virginia drone manufacturer.

The Heist and Fallout

The group’s first successful extortion occurred in May 2023, when the medical company paid a $1.3 million ransom to regain access to its systems. 

According to prosecutors, Goldberg and his partners received a portion of the payment — Goldberg’s share was approximately $200,000. 

However, the conspirators failed to extract payments from the other four targeted victims.

Court filings reveal that Goldberg confessed to the FBI during a June 2025 interview, admitting that he joined the scheme to pay off personal debts. 

Investigators say he disclosed how his co-conspirator had recruited him to “try and ransom some companies.” The FBI seized his devices during that interview.

Goldberg’s arrest followed an attempted international flight. 

Authorities reported that he and his wife boarded a one-way flight to Paris on June 27, remaining abroad for nearly three months. 

When Goldberg later flew from Amsterdam to Mexico City, Mexican authorities detained him upon arrival and extradited him to the United States.

Both Goldberg and Martin were indicted on charges of conspiracy to interfere with commerce by extortion, interference with commerce by extortion, and intentional damage to a protected computer. 

Each faces a potential maximum sentence of 50 years in federal prison if convicted.

Martin was arrested on October 14 and released on a $400,000 bond ten days later. 

As a condition of release, he is prohibited from working in cybersecurity pending trial. Goldberg remains in federal custody, deemed a flight risk by the court.

Employer Responses

In a statement, Sygnia confirmed Goldberg’s employment and stated that he was immediately terminated upon discovery of the allegations. The company emphasized that his activities were unrelated to its internal systems or clients.

DigitalMint also acknowledged the indictment of a former employee but maintained that the attacks occurred entirely outside of the company’s infrastructure. 

“No one potentially involved in the charged scheme has worked at the company in over four months,” DigitalMint said. “The co-conspirators did not access or compromise client data as part of the charged conduct.”

The BlackCat Connection

ALPHV, also known as BlackCat, has become one of the most notorious ransomware strains since emerging in 2021. 

Written in Rust, it is known for its flexibility and sophisticated encryption techniques. 

The group operating BlackCat has targeted healthcare, energy, and government sectors and is linked to several high-profile incidents, including the 2024 Change Healthcare breach, which exposed data from over 100 million individuals.

Prosecutors argue that Goldberg and Martin exploited this platform not as external attackers but as insiders, using their professional expertise to launch and manage attacks similar to those they were hired to prevent. 

This blending of legitimate cybersecurity skills with criminal intent highlights an emerging and troubling trend — insider-enabled ransomware.

Insider Threat Mitigation

The case underscores that even trusted cybersecurity professionals can pose significant risks. 

Organizations can mitigate insider threats through a combination of technical safeguards, monitoring, and cultural awareness:

  • Apply least privilege: Limit employee access to only what’s needed and audit permissions regularly.
  • Monitor behavior: Use analytics and SIEM tools to detect unusual logins, data transfers, or off-hours activity.
  • Run background checks: Perform ongoing screenings to identify financial or personal risk factors.
  • Separate duties: Split sensitive tasks and require peer oversight for high-risk activities.
  • Promote accountability: Encourage transparency and offer safe channels to report suspicious behavior.
  • Train regularly: Educate staff on insider threat warning signs and ethical responsibilities.

By combining technical controls with organizational vigilance, companies can better detect, deter, and respond to internal threats before they escalate.

The ALPHV insider case serves as a stark reminder that cyber defense is only as strong as the integrity of those entrusted to uphold it.  

Both defendants await trial, with proceedings expected to begin in early 2026.

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
