US Cybersecurity Experts Accused of Using BlackCat Ransomware
Three former employees of cybersecurity firms—companies whose job was to protect against ransomware attacks—now stand accused of conducting those very attacks themselves. According to the US Department of Justice, they participated in BlackCat (ALPHV) ransomware operations and extorted millions of dollars from victims.
This represents one of the most brazen insider threat cases in recent cybersecurity history. The accused didn't just have technical skills—they had direct access to how companies respond to ransomware attacks and negotiate with criminals. In my opinion, this knowledge made them far more dangerous than typical ransomware operators.
The Accused
The case involves 28-year-old Kevin Tyler Martin from Texas, 33-year-old Ryan Clifford Goldberg from Georgia, and an unnamed accomplice. They face charges of conspiracy to interfere with interstate commerce by extortion, interference with commerce, and intentional damage to protected computers. The maximum penalty for these charges is 50 years in prison.
According to the Chicago Sun-Times, Martin and the unnamed accomplice worked at DigitalMint, a firm specializing in negotiations with ransomware operators. Goldberg led incident response at Sygnia, a cybersecurity company that investigates breaches and helps victims recover from attacks.
Think about that for a moment: these individuals spent their days helping ransomware victims, learning exactly what worked and what didn't in negotiations, understanding victim psychology and decision-making processes. Then they allegedly used that knowledge to become more effective attackers.
The Investigation
Investigators claim that the accused became partners in the BlackCat extortion scheme, meaning that they themselves allegedly hacked corporate networks, stole data, and deployed the ransomware. After compromising each victim, they demanded ransom payments in cryptocurrency in exchange for decrypting the data and for a promise of "non-disclosure" of the stolen information.
According to court documents, the group's victims include:
- A medical equipment manufacturer from Tampa
- A pharmaceutical company from Maryland
- An engineering firm from California
- A medical clinic from California
- A drone developer from Virginia
The ransoms demanded by the attackers ranged from $300,000 to $10 million, depending on the victim's size and perceived ability to pay. However, the only payment the hackers actually received was $1.27 million, which the Tampa-based company transferred after an attack in May 2023.
This single successful payment demonstrates both the challenge of ransomware enforcement and the reality that most victims either refuse to pay or successfully recover through other means. The accused demanded tens of millions but collected just over one million—a failure rate that likely contributed to their eventual capture.
The BlackCat Context
BlackCat (also known as ALPHV) is one of the most active ransomware operations in recent years. According to the FBI, in just its first two years of operation, its partners carried out over 1,000 attacks and received at least $300 million in ransoms.
The group operates as a Ransomware-as-a-Service (RaaS) platform, meaning it provides the ransomware infrastructure while "affiliates" conduct the actual attacks. The affiliates and the core group then split the ransom payments. Per the FBI's assessment, this model has made BlackCat one of the most profitable cybercrime operations in history.
What makes this case particularly significant is that the accused weren't just affiliates conducting attacks—they were cybersecurity professionals who knew exactly how to exploit their victims' vulnerabilities and maximize pressure during negotiations.
The Insider Threat Problem
This case highlights a problem that the cybersecurity industry doesn't talk about enough: insider threats from trusted professionals. When you hire a company to negotiate with ransomware operators or investigate breaches, you're giving them access to your most sensitive information—your security weaknesses, your decision-making processes, your financial thresholds for payment.
The accused allegedly took that trust and weaponized it. They understood victim psychology because they had counseled victims. They knew which ransom amounts would be considered "reasonable" because they had facilitated those negotiations. They understood recovery timelines because they had managed incident response.
Furthermore, their positions gave them credibility and access. A cybersecurity professional reaching out to a potential victim might not raise the same red flags as an unknown attacker. Their understanding of security tools and practices made them harder to detect and stop.
What This Means for Organizations
If you're an organization that has hired or is considering hiring incident response firms or ransom negotiators, this case should prompt several questions:
- Background checks: Are your incident response providers conducting thorough background checks on their employees, covering not just criminal history but also financial stress indicators that might motivate insider threats?
- Access controls: What safeguards exist to prevent incident response team members from accessing client data after an engagement ends?
- Monitoring: Are there detection mechanisms in place to identify if former employees of security firms are conducting reconnaissance against their previous clients?
- Vetting affiliates: For ransomware negotiation firms, what processes exist to ensure employees aren't maintaining relationships with threat actors?
These aren't theoretical concerns anymore. This case proves that the people you trust to protect you can become the people attacking you.
The Broader Implications
This case also raises questions about the ransomware negotiation industry itself. When you employ people whose job is to maintain relationships with criminals and facilitate illegal payments (even if those payments are legally permitted in some jurisdictions), you create a pipeline between legitimate business and criminal enterprises.
Some of those employees will be ethical professionals doing difficult but necessary work. Others, as this case allegedly demonstrates, will see an opportunity. They have the criminal contacts, they understand the business model, and they know how to maximize profits from attacks.
I'm not suggesting we should eliminate ransomware negotiation services—victims often need expert guidance during attacks. However, this case demonstrates that we need better oversight, stronger vetting, and clear boundaries around who has access to victim information and for how long.
Conclusion
The arrest of three cybersecurity professionals for allegedly conducting BlackCat ransomware attacks represents a significant breach of trust in an industry built on trust. These individuals weren't just criminals who happened to work in cybersecurity—they allegedly used their professional expertise to become more effective criminals.
For organizations, this case is a reminder that insider threats can come from unexpected sources, including the security vendors you hire to protect you. For the cybersecurity industry, it's a wake-up call about the need for better vetting, monitoring, and accountability among professionals with access to sensitive victim information.
The maximum 50-year prison sentence these individuals face reflects the seriousness of their alleged crimes. If convicted, their case will serve as a warning to other cybersecurity professionals considering similar schemes: your knowledge and access don't make you untouchable—they make your crimes more serious and the consequences more severe.