The world of cybersecurity is built on trust. Companies hire experts to protect them from hackers, negotiate with criminals, and guide them through the chaos of ransomware incidents. That is why the recent indictment of two cybersecurity professionals in the United States shocked the industry. According to the Department of Justice, Ryan Clifford Goldberg and Kevin Tyler Martin, both of whom had worked in firms specializing in ransomware response, allegedly carried out ransomware attacks themselves using the ALPHV strain, also known as BlackCat.
The Department of Justice announced in October 2025 that Goldberg and Martin, along with a third co-conspirator, acted as affiliates of the BlackCat ransomware group. Goldberg had previously worked as an incident response manager at Sygnia Cybersecurity Services, while Martin was a ransomware negotiator at DigitalMint, a Chicago-based firm that helps victims pay ransoms. Prosecutors claim that the two men used their insider knowledge of ransomware negotiations to run their own criminal operation.
According to the DOJ press release, the group targeted at least five companies between 2023 and 2025. Victims included a Florida medical device company, a Maryland pharmaceutical firm, a California doctor’s office, a California engineering company, and a Virginia drone manufacturer. The attackers demanded millions in cryptocurrency, with one ransom demand reaching ten million dollars. In some cases, victims paid, including the Florida medical device company, which reportedly transferred about 1.2 million dollars in cryptocurrency.
The indictment describes how the group allegedly hacked into victim networks, exfiltrated sensitive data, encrypted systems, and then demanded ransom payments. They used the ALPHV ransomware, also known as BlackCat, which is known for its double extortion model. This means that attackers not only lock systems but also steal data, threatening to leak it if victims refuse to pay.
The DOJ explained that the defendants laundered ransom payments through multiple cryptocurrency wallets and mixing services to obscure the funds. This is a common tactic in ransomware operations, allowing attackers to hide the trail of stolen money.
There are many ransomware cases, but this one is unique because the alleged attackers were insiders in the cybersecurity industry. Goldberg and Martin were supposed to help victims, not create them. Their professional roles gave them deep knowledge of how companies respond to ransomware, what negotiation strategies work, and how payments are processed.
The FBI described the BlackCat ecosystem as a professionalized criminal marketplace. Developers create the ransomware, affiliates deploy it, and negotiators handle payments. In this case, the defendants allegedly crossed the line from defenders to attackers, using their expertise to exploit the very system they once worked to protect.
The charges include conspiracy to interfere with interstate commerce by extortion, interference with commerce by extortion, and intentional damage to protected computers. If convicted, Goldberg and Martin face decades in prison. The DOJ emphasized that this case demonstrates how seriously the government takes insider abuse, especially when it involves trusted professionals in the security industry.
This case raises uncomfortable questions for the cybersecurity community. If professionals trained to defend against ransomware can be tempted to join the attackers, how can companies protect themselves?
The indictment of Goldberg and Martin is a reminder that insider threats are not limited to careless employees or compromised accounts. Sometimes, insiders act with intent, using their expertise to cause harm. For cybersecurity leaders, the lesson is clear. Insider threat management must be a priority, even in firms dedicated to protecting others.
The Department of Justice’s press release and reporting from outlets like Reuters and The Register make it clear that this case is still unfolding. What is already certain is that it will be remembered as one of the most striking examples of defenders turning into attackers.
In a world where ransomware has become a professionalized criminal marketplace, the line between defender and adversary can blur. That is why vigilance, transparency, and strong insider threat programs are essential for every organization.