[Image: FBI seizure notice displayed on the ALPHV/BlackCat ransomware dark web site, showing the logos of the multi-agency law enforcement operation]

The Defenders Became the Attackers

On December 30, 2025, the Department of Justice announced that two American cybersecurity professionals had pleaded guilty to conspiring to launch ransomware attacks against US companies.

Not hackers who learned their trade on dark web forums. Not foreign actors operating from jurisdictions beyond US law. Security industry professionals employed by reputable firms — people whose jobs were specifically to protect organizations from ransomware.

Ryan Goldberg, 40, worked as an incident response manager at Sygnia, an Israeli-owned cybersecurity firm. Kevin Martin, 36, was a ransomware negotiator at DigitalMint, a company that helps organizations respond to ransomware attacks. A third unnamed co-conspirator remains under investigation.

Together, they deployed BlackCat/ALPHV ransomware against at least five US companies, including three healthcare organizations. They successfully extorted approximately $1.2 million in Bitcoin from a Tampa medical device manufacturer.

Take Our 2-Minute Security Assessment

centrexIT has helped organizations assess their security posture since 2002. If you’re concerned about how insider threats could affect your business, let’s find out together.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

How Security Expertise Became a Weapon

The defendants weren’t just cybersecurity employees — they were specialists in ransomware response. Goldberg’s job involved helping organizations recover from attacks. Martin’s job involved negotiating with attackers to reduce ransom demands and manage incident response.

That expertise translated directly into attack capability. They understood how organizations detect intrusions. They knew the incident response playbooks. They knew how companies evaluate whether to pay ransoms and how ransom negotiations typically proceed.

According to court documents, the three men obtained an affiliate account with the BlackCat/ALPHV ransomware operation in May 2023. They agreed to pay BlackCat’s administrators a 20% cut of any ransoms received in exchange for access to the ransomware toolkit and extortion platform.

Between May 2023 and April 2025, they launched attacks against five companies. Only one paid — a medical device manufacturer that transferred $1,274,781.23 in cryptocurrency. After BlackCat’s 20% cut went to the Russian-linked developers, the three conspirators split their 80% share and laundered the funds through cryptocurrency mixing services.

What BlackCat/ALPHV Was

BlackCat/ALPHV was one of the most prolific ransomware operations before its disruption. The group targeted more than 1,000 organizations globally using a ransomware-as-a-service model, where core developers built and maintained the ransomware while affiliates like Goldberg and Martin carried out attacks.

Notable victims included MGM Resorts (which suffered devastating operational disruptions) and Change Healthcare, whose breach affected 192.7 million individuals — the largest healthcare data breach in US history. In the Change Healthcare attack, the ransomware gang encrypted servers and extracted 6 terabytes of protected health information, demanding and receiving a $22 million ransom.

In December 2023, the FBI disrupted BlackCat’s infrastructure, seized their dark web sites, and developed a decryption tool that helped hundreds of victims recover systems without paying ransoms — saving an estimated $99 million. But the operation had already caused massive damage, and affiliates like Goldberg and Martin continued attacking during the disruption.

The Insider Threat Reality

This case illustrates an uncomfortable truth: the skills that make someone an effective cybersecurity professional also make them a potentially dangerous threat.

Security teams need system access to do their jobs. Incident responders need to understand attack techniques to identify and counter them. Threat analysts need to study criminal operations to anticipate them.

That knowledge and access cuts both ways.

Most cybersecurity professionals are exactly what they appear to be — dedicated defenders working to protect organizations. But the Goldberg/Martin case demonstrates that vetting, monitoring, and access controls matter even for (perhaps especially for) security personnel.

“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” said Assistant Attorney General A. Tysen Duva. “Extortion via the internet victimizes innocent citizens every bit as much as taking money directly out of their pockets.”

What This Means for Organizations

The case raises difficult questions about trust in security partnerships and internal security teams.

Background checks and reference verification matter, but they wouldn’t have caught Goldberg or Martin. Both had legitimate employment histories and professional credentials. The crimes weren’t visible until law enforcement connected the dots.

More practical safeguards focus on limiting damage rather than predicting betrayal. The principle of least privilege means security personnel have access only to what they need, not blanket administrative rights. Separation of duties ensures no single person can execute critical actions without oversight. Audit logging creates accountability trails for sensitive access.

For organizations working with external security vendors, the calculus is similar. Verify credentials and references, but also structure engagements to limit exposure. Don’t give incident responders more access than they need for specific tasks. Maintain independent logging that the vendor can’t modify. Conduct your own verification of findings and recommendations.
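The three safeguards above (least privilege, separation of duties, and logging the vendor cannot alter) can be checked mechanically after an engagement. The script below is an added illustration, not code from the article or from any of the firms it names: it reviews privileged-action events recorded by an independent log collector against a per-engagement access scope and an approval list, and verifies that the log is a hash chain whose head hash was recorded out of band. Every account name, hostname, ticket id, timestamp and log line is constructed for the example.

```python
"""Review privileged actions taken by an external incident responder.

Added example, not the article's or any vendor's code. Checks three controls:
  - least privilege: each sensitive action must hit a host in the account's scope
  - separation of duties: each sensitive action must match a ticket approved by
    someone other than the actor, within the approved time window
  - independent logging: events are hash-chained JSON lines and the chain head
    is recorded out of band, so retroactive edits are detectable
All data below is constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # 'prev' value carried by the first line of a chain


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def chain_events(events):
    """Serialize events as JSON lines where each line carries the SHA-256 of the
    previous line. Returns (lines, head_hash); the head is what the log owner
    records somewhere the vendor cannot write to."""
    lines, prev = [], GENESIS
    for ev in events:
        line = json.dumps({**ev, "prev": prev}, sort_keys=True)
        lines.append(line)
        prev = hashlib.sha256(line.encode()).hexdigest()
    return lines, prev


def verify_chain(lines, expected_head):
    """Return None if every link and the head hash check out; otherwise the index
    of the first line whose 'prev' is wrong, or len(lines) if only the head differs."""
    prev = GENESIS
    for i, line in enumerate(lines):
        if json.loads(line).get("prev") != prev:
            return i
        prev = hashlib.sha256(line.encode()).hexdigest()
    return None if prev == expected_head else len(lines)


def review_actions(lines, approvals, scope, sensitive):
    """Return a list of 'CATEGORY: detail' findings for sensitive actions that are
    out of scope, unapproved, mismatched against their ticket, or self-approved."""
    findings = []
    by_ticket = {a["ticket"]: a for a in approvals}
    for line in lines:
        ev = json.loads(line)
        if ev["action"] not in sensitive:
            continue
        ref = f'{ev["actor"]} {ev["action"]} on {ev["host"]} at {ev["ts"]}'
        if ev["host"] not in scope.get(ev["actor"], set()):
            findings.append(f"OUT_OF_SCOPE: {ref}")
        ticket = by_ticket.get(ev.get("ticket"))
        if ticket is None:
            findings.append(f"NO_APPROVAL: {ref}")
            continue
        in_window = _parse(ticket["start"]) <= _parse(ev["ts"]) <= _parse(ticket["end"])
        same_request = (ticket["actor"], ticket["action"], ticket["host"]) == (
            ev["actor"], ev["action"], ev["host"])
        if not (in_window and same_request):
            findings.append(f"APPROVAL_MISMATCH: {ref} vs {ticket['ticket']}")
        if ticket["approver"] == ev["actor"]:
            findings.append(f"SELF_APPROVED: {ref} ({ticket['ticket']})")
    return findings


# Constructed engagement data (hypothetical accounts, hosts and tickets).
SENSITIVE = {"disable_backup_job", "create_admin_account",
             "delete_shadow_copies", "modify_edr_policy"}
SCOPE = {"vendor_ir_alice": {"fs01", "ws17"}}  # least-privilege host list
APPROVALS = [
    {"ticket": "IR-1001", "actor": "vendor_ir_alice", "approver": "it_mgr_bob",
     "action": "disable_backup_job", "host": "fs01",
     "start": "2025-03-01T09:00:00Z", "end": "2025-03-01T12:00:00Z"},
    # Approver equals actor: the separation-of-duties check must flag this.
    {"ticket": "IR-1002", "actor": "vendor_ir_alice", "approver": "vendor_ir_alice",
     "action": "create_admin_account", "host": "dc01",
     "start": "2025-03-01T09:00:00Z", "end": "2025-03-01T18:00:00Z"},
]
EVENTS = [
    {"ts": "2025-03-01T10:05:00Z", "actor": "vendor_ir_alice",
     "action": "disable_backup_job", "host": "fs01", "ticket": "IR-1001"},
    {"ts": "2025-03-01T10:20:00Z", "actor": "vendor_ir_alice",
     "action": "read_event_log", "host": "fs01", "ticket": "IR-1001"},
    {"ts": "2025-03-01T13:10:00Z", "actor": "vendor_ir_alice",
     "action": "create_admin_account", "host": "dc01", "ticket": "IR-1002"},
    {"ts": "2025-03-01T14:30:00Z", "actor": "vendor_ir_alice",
     "action": "delete_shadow_copies", "host": "ws17", "ticket": None},
]
LOG_LINES, HEAD = chain_events(EVENTS)

if __name__ == "__main__":
    print("chain intact:", verify_chain(LOG_LINES, HEAD) is None)
    for f in review_actions(LOG_LINES, APPROVALS, SCOPE, SENSITIVE):
        print(f)
    edited = list(LOG_LINES)
    edited[2] = edited[2].replace("dc01", "fs01")  # simulate a retroactive edit
    print("first broken link after edit:", verify_chain(edited, HEAD))
```

On the constructed data the review yields three findings: the domain-controller action is both out of scope and self-approved, and the shadow-copy deletion has no ticket at all; the backup-job change is fully approved and produces nothing. The hash chain only proves tampering if the head hash lives where the vendor cannot rewrite it, which is why `chain_events` hands the head back to the log owner rather than storing it in the log.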

None of this is foolproof. A determined insider with the right access can cause significant damage. But the goal is risk reduction, not risk elimination.

The Accountability Question

Goldberg and Martin face maximum penalties of 20 years in prison. They’ve agreed to forfeit $324,123.26 each — roughly their individual shares of the laundered ransom. Sentencing is scheduled for March 12, 2026.

DigitalMint, Martin’s former employer, issued a statement: “We strongly condemn his actions, which were undertaken without the knowledge, permission, or involvement of the company.” Sygnia, Goldberg’s former employer, confirmed he was terminated immediately upon learning of the situation.

For the victims — including three healthcare organizations — the recovery continues. Ransomware attacks cause damage beyond the ransom payment itself: operational disruption, forensic investigation costs, regulatory compliance concerns, and reputational impact.

And for the cybersecurity industry, the case serves as a reminder that trust must be earned and verified continuously, not assumed based on job titles or professional affiliations.

