Two Cybersecurity Professionals Get 4-Year Sentences in BlackCat Ransomware Attacks
Two U.S. Cybersecurity Professionals Sentenced to Four Years for BlackCat Ransomware Operations
TL;DR Ryan Goldberg and Kevin Martin, both working in cybersecurity roles, have been sentenced to four years in prison for their involvement in BlackCat ransomware attacks between April and December 2023. The two conspired with Angelo Martino to deploy the ransomware against multiple U.S. victims, paying BlackCat administrators 20% of ransom proceeds in exchange for access to the malware and extortion platform. All three defendants exploited their industry positions to facilitate the attacks.
What happened
The U.S. Department of Justice announced the sentencing on Thursday of two cybersecurity professionals for their roles in facilitating BlackCat ransomware attacks. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were sentenced to four years each in prison. Both pleaded guilty to their crimes in December 2025.
Goldberg and Martin, along with Angelo Martino, 41, of Florida, conspired to deploy BlackCat ransomware against multiple victims throughout the United States during a nine-month period from April through December 2023. The three defendants agreed to pay the ALPHV/BlackCat administrators a 20% share of any ransoms received in exchange for access to the ransomware itself and the ALPHV/BlackCat extortion platform.
In at least one documented case, the defendants successfully extorted a victim for approximately $1.2 million in Bitcoin. After receiving the ransom, they split their 80% share three ways and subsequently laundered the funds.
All three men worked in the cybersecurity industry at the time of the attacks. Martino and Martin were employed by DigitalMint, while Goldberg worked as an incident response manager for cybersecurity company Sygnia. Their positions provided them with specialized knowledge of computer systems and security practices—expertise they weaponized against their targets.
Martino is said to have further abused his role as a negotiator by sharing confidential information about victims' insurance policy limits with the BlackCat operators, enabling the group to extract higher ransom demands. Martino pleaded guilty to the same charges and is scheduled to be sentenced in July 2026.
Why it matters
This case represents a significant breach of trust within the cybersecurity profession. Individuals hired to defend critical systems instead leveraged their specialized knowledge to compromise them. For defenders and incident responders in the MENA region and beyond, the case underscores several operational risks:
- Insider threat vectors: Attackers with legitimate employment in security roles can bypass technical controls and social engineering detection. They understand network architecture, backup systems, detection tools, and organizational response procedures from the inside.
- Ransom negotiation intelligence: The misuse of negotiator credentials to share insurance limits demonstrates how internal information flow during crisis response can be weaponized. Organizations must assume that ransom negotiations may be monitored by adversary insiders.
- Supply-chain trust: Employees at managed security providers, incident response firms, and security vendors have access to client infrastructure during active compromises. This case demonstrates that such access can be abused to facilitate rather than remediate attacks.
- Cryptocurrency laundering: The defendants successfully moved $1.2 million in Bitcoin proceeds without apparent immediate detection, indicating that cryptocurrency transaction monitoring capabilities may not be sufficient to prevent ransomware operators from monetizing attacks.
Affected systems and CVEs
BlackCat ransomware was deployed against multiple victims throughout the United States between April and December 2023. The broader BlackCat/ALPHV operation is estimated to have targeted more than 1,000 victims worldwide, though the source does not specify how many were directly targeted by Goldberg, Martin, and Martino.
No CVE assigned at the time of publication.
What to do
The source article does not provide explicit mitigation recommendations. However, organizations should consider:
- Reviewing access controls for incident response staff and security vendors with elevated privileges to customer infrastructure
- Implementing additional monitoring and audit trails for high-value asset access during ransom negotiations
- Establishing policies that segregate ransom negotiators from technical incident response teams to prevent information consolidation in single individuals
- Conducting background checks and ongoing vetting of security personnel with access to sensitive business information, particularly insurance details
Open questions
- How did Goldberg, Martin, and Martino initially gain access to BlackCat's ransomware and extortion platform, and were there other insiders within the BlackCat operation?
- How many victims were specifically targeted by these three defendants versus attacks carried out by other BlackCat affiliates?
- What specific attack paths or techniques did they employ that differed from typical BlackCat operations, leveraging their insider cybersecurity knowledge?
- How were the Bitcoin proceeds laundered, and at what point were the transactions detected?
- Why did the BlackCat/ALPHV RaaS operation cease to exist, and is there evidence of its infrastructure being seized or disrupted by law enforcement?
- What was the total financial loss across all victims targeted by these three defendants?
Source
Two Cybersecurity Professionals Get 4-Year Sentences in BlackCat Ransomware Attacks


