Two cybersecurity professionals have pleaded guilty to running a secret ransomware racket, using their trusted industry roles to extort US companies for millions.
Last week, the US Department of Justice (DOJ) announced 36-year-old Texas man Kevin Martin and 40-year-old Georgia man Ryan Goldberg had pleaded guilty in a Miami federal court after targeting multiple victims in the US with ransomware.
Martin, who previously worked as a ransom negotiator for Chicago-based incident response firm DigitalMint, allegedly targeted and demanded cryptocurrency payments from victims in the medical and engineering sectors.
Court documents alleged Goldberg, who was previously supervising incident response for Israel-based cybersecurity firm Sygnia Consulting Ltd, conspired with Martin and a third party to extort victims in exchange for decryption keys and promises not to publish stolen data.
After being indicted for their attacks in October – including the extortion of a medical device company for approximately $1.9 million in Bitcoin — the two men pleaded guilty last week to one count of “conspiracy to obstruct, delay, or affect commerce or the movement of any article or commodity in commerce by extortion”.
The duo face a maximum penalty of 20 years in prison, with sentencing scheduled for mid-March 2026.
“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” said DOJ Assistant Attorney General Tysen Duva.
Cyber pros fess up to ransom crimes
The DOJ wrote that Martin and Goldberg successfully deployed a ransomware known as ALPHV BlackCat between April 2023 and December 2023.
The ransomware belonged to a notorious criminal gang of the same name which was linked to attacks at the likes of Reddit, HWL Ebsworth and Barts Health NHS Trust between 2021 and early 2024.
The men agreed to pay BlackCat administrators a 20 per cent cut of any ransoms they extorted in exchange for access to the group’s illicit ransomware products — while the remaining 80 per cent was split and laundered through “various means”.
Martin reportedly pleaded not guilty in October last year, though court documents show Goldberg had already confessed to the Federal Bureau of Investigation (FBI) in June.
After initially denying his involvement, Goldberg said he was recruited to “try and ransom some companies” with Martin and an unnamed third party.
Though they successfully “ransomed” their first victim, Goldberg told the FBI their attacks on other companies were unsuccessful.
Ten days after confessing to the FBI, Goldberg and his wife fled to Paris. He and Martin later formally pleaded guilty in December.
When asked about Martin’s former employment with DigitalMint, a company spokesperson said the company remained in “full cooperation” with the DOJ.
“From inception, we have always remained dedicated to ensuring accountability for those who violate the law,” they said.
A Sygnia spokesperson also confirmed the company had cooperated with “law enforcement’s investigation”, and that Goldberg’s actions hadn’t impacted Sygnia clients.
“Based on our own independent investigation into the matter, we can confirm that the defendant acted on his own,” they said.
“We're glad to see this case come to a close.”
Third suspect remains unidentified
Court documents revealed that Martin and Goldberg worked alongside one other Florida-based co-conspirator for their string of BlackCat ransomware attacks.
The DOJ did not reveal the identity of the third suspect, though court documents alleged they were directly involved in the men’s attacks against five separate companies.
Information Age was unable to discern the identity of the third suspect or establish contact with any active members of BlackCat, though a DigitalMint spokesperson confirmed Martin was not the only former employee related to the case.
“We are reaffirming here that the terminated employees charged or assumed to be charged in the indictment acted wholly outside the scope of their employment and without any authorisation, knowledge, or involvement from the company,” a spokesperson told Information Age.
“The alleged misconduct is a direct violation of our company's ethical standards, and not representative of the company’s overall operations or values.”
Information Age understands BlackCat’s last known attack targeted Change Healthcare in March 2024 following significant law enforcement action against the collective in December 2023.
Notably, the DOJ has set up a dark web portal for anonymous whistleblowers to share information about BlackCat’s activities and affiliates for potential rewards.
