Key Takeaways
- Two U.S. cybersecurity professionals, Ryan Goldberg and Kevin Martin, were each sentenced to four years in prison for conspiring to deploy the ALPHV BlackCat ransomware against multiple U.S. companies in 2023.
- A third accomplice, Angelo Martino, pleaded guilty and awaits sentencing scheduled for July 9, 2026.
- The trio extorted roughly $1.2 million in Bitcoin from a medical‑device firm; the total ransom demands across five targeted companies exceeded $20 million, though only one victim paid.
- Despite their legitimate jobs in incident response and ransomware negotiation, the defendants used their technical expertise to facilitate attacks, launder proceeds via cryptocurrency mixers, and attempted to flee abroad before being apprehended.
- The case underscores the FBI’s commitment to tracking ransomware operators globally and demonstrates that even those tasked with defending networks can become perpetrators when motivated by personal financial pressure.
Background of the Case
In early May 2026, the U.S. Department of Justice announced the sentencing of two cybersecurity experts who had abused their specialized knowledge to support ransomware operations. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, each received four‑year prison terms after pleading guilty to conspiracy to commit extortion. A third individual, Angelo Martino, 41, of Florida, also admitted participation in the scheme and is awaiting a July 9 sentencing hearing. The prosecution highlighted how the defendants, despite working in defensive security roles, turned their skills toward offensive cybercrime, targeting U.S. businesses between April and December 2023.
The Defendants and Their Professional Backgrounds
Ryan Goldberg had served as an incident‑response manager at the cybersecurity firm Sygnia, giving him deep insight into breach detection and mitigation. Kevin Martin worked as a ransomware threat negotiator for DigitalMint, a company that assists victims in communicating with attackers and, in some cases, facilitating payment. Their positions afforded them familiarity with ransomware tactics, encryption mechanisms, and the typical steps organizations take during an extortion event. DigitalMint publicly denied any wrongdoing, terminated both employees, and cooperated fully with investigators after the allegations surfaced.
The Ransomware Campaign and Target Selection
According to court documents and an FBI affidavit, the trio began deploying the ALPHV BlackCat ransomware‑as‑a‑service (RaaS) variant in May 2023. Over the ensuing eight months they launched attacks against five distinct U.S. companies: a medical‑device manufacturer, a Maryland‑based pharmaceutical firm, a California doctor’s office, a California engineering company, and a Virginia‑based drone manufacturer. The ransom demands varied widely—approximately $10 million for the medical device company, an undisclosed sum for the pharma firm, $5 million for the doctor’s office, $1 million for the engineering company, and $300,000 for the drone maker. Only the medical‑device victim ultimately paid, transferring roughly $1.27 million in cryptocurrency; the other targets refused to comply, resulting in no additional payouts.
Financial Gains, Money Laundering, and Attempted Flight
The successful extortion yielded about $1.2 million in Bitcoin, which the defendants split among themselves and the ransomware operators under a 20 % affiliate‑share arrangement typical of the BlackCat model. Goldberg admitted to laundering his portion through cryptocurrency mixers and multiple wallets to obscure the flow of funds. He told investigators that personal debt motivated his involvement and that he later feared a life sentence. After learning that the FBI had raided a co‑conspirator’s residence, Goldberg fled to Paris with his wife, hoping to evade capture. He was apprehended after the bureau tracked him through ten different countries, illustrating the agency’s resolve to pursue cybercriminals across borders. Martin initially pleaded not guilty but later entered a guilty plea as part of a plea agreement.
Legal Proceedings and Sentencing
In October 2025, a federal grand jury indicted Goldberg and Martin on charges of computer fraud, extortion, and money laundering related to the BlackCat attacks. Martino was charged separately and later pleaded guilty. The defendants’ guilty pleas in January 2026 avoided a trial, leading to sentencing hearings in May 2026. Judge‑presiding remarks emphasized the breach of trust inherent in cybersecurity professionals turning to crime, noting that their expertise amplified the harm inflicted on victims. Both Goldberg and Martin received four‑year prison terms, followed by supervised release, and were ordered to forfeit the illicit cryptocurrency proceeds. Martino’s sentencing remains pending, with a hearing set for July 9, 2026.
Impact and Law‑Enforcement Response
Assistant Director Brett Leatherman of the FBI’s Cyber Division praised the outcome, stating that the sentences demonstrate the agency’s ability to track ransomware actors regardless of geography and to dismantle their networks. He highlighted how the defendants leveraged their legitimate cybersecurity skills to commit offenses, underscoring the need for vigilance even within the security community. The case also served as a reminder that ransomware‑as‑a‑service platforms like ALPHV BlackCat enable individuals with modest technical knowledge to participate in large‑scale extortion, amplifying the threat landscape. The FBI’s collaborative effort with the Department of Justice, coupled with international cooperation, proved instrumental in securing the arrests and convictions.
Conclusion
The conviction of Ryan Goldberg, Kevin Martin, and Angelo Martino illustrates a troubling intersection: professionals entrusted with defending digital infrastructure can, under financial pressure, become the very actors they are tasked to thwart. Their use of legitimate expertise to facilitate ransomware attacks, launder proceeds, and attempt international flight showcases the sophistication and adaptability of modern cybercriminal enterprises. The sentences handed down—four years each for Goldberg and Martin—send a clear signal that the justice system will hold accountable those who abuse privileged knowledge for illicit gain, while the ongoing pursuit of Martino reflects the commitment to see all participants face justice. For organizations, the episode reinforces the importance of rigorous insider‑threat programs, continuous monitoring, and a culture that discourages the misuse of technical skills, even as law‑enforcement agencies sharpen their tools to combat ransomware on a global scale.