Cybersecurity Professionals Sentenced for Aiding Ransomware Group

Key Takeaways

  • Two U.S. cybersecurity professionals, Ryan Goldberg and Kevin Martin, were sentenced to four years in prison for facilitating BlackCat (ALPHV) ransomware attacks in 2023.
  • They pleaded guilty in December 2025 to conspiracy to obstruct commerce by extortion; under the scheme, they agreed to pay the ransomware developers a 20 % cut of any ransoms collected.
  • The pair extorted roughly $1.2 million in Bitcoin from a single victim, laundered the proceeds, and split the remaining share with their co‑conspirator Angelo Martino.
  • ALPHV/BlackCat operated as a ransomware‑as‑a‑service (RaaS) platform, targeting over 1,000 organizations worldwide and sharing ransom payments between developers and affiliates.
  • Law‑enforcement actions, including an FBI‑developed decryption tool, saved victims an estimated $99 million in ransom payments and led to the seizure of several BlackCat‑controlled websites.
  • When Goldberg attempted to flee abroad, the FBI tracked him through ten countries, underscoring the agency’s global reach in cybercrime investigations.
  • Angelo Martino, who also served as a ransomware negotiator, pleaded guilty in April 2026 to the same charge and awaits sentencing on July 9, 2026.
  • The case highlights how technical expertise can be misused for profit, the effectiveness of coordinated federal responses, and the ongoing threat posed by RaaS models to businesses and critical infrastructure.

Background of the Defendants and Their Roles
Ryan Goldberg and Kevin Martin, both trained cybersecurity professionals, used their specialized knowledge not to defend networks but to enable criminal extortion. Court documents show that, between April and December 2023, they partnered with Angelo Martino to deploy the ALPHV/BlackCat ransomware against multiple U.S. victims. Their technical expertise allowed them to configure the malware, manage command‑and‑control infrastructure, and negotiate ransom demands, turning defensive skills into offensive tools for profit.

The BlackCat/ALPHV Ransomware‑as‑a‑Service Model
ALPHV, also known as BlackCat, operates under a ransomware‑as‑a‑service (RaaS) framework. In this model, a core group of developers creates and maintains the ransomware payload, payment portal, and support infrastructure, while affiliates—such as Goldberg, Martin, and Martino—select targets, execute infections, and handle negotiations. Ransom payments are typically split, with affiliates receiving a negotiated percentage (in this case, 80 % after the developers’ 20 % share). This structure lowers the barrier to entry for cybercriminals and enables rapid scaling of attacks across diverse sectors.

Details of the 2023 Campaign and Financial Gains
During the nine‑month window in 2023, the trio successfully compromised the computer networks of more than 1,000 organizations worldwide, though the most lucrative single incident yielded approximately $1.2 million in Bitcoin from one victim. After receiving the ransom, they retained the developers’ 20 % share as agreed, laundered the remaining proceeds through cryptocurrency mixers and other obfuscation techniques, and divided the net amount among themselves. The case illustrates how even a limited number of high‑value targets can generate substantial illicit revenue when ransom demands are set at seven‑figure levels.

Legal Proceedings and Guilty Pleas
In December 2025, Goldberg and Martin entered guilty pleas to a single count of conspiracy to obstruct, delay, or affect commerce by extortion, a federal offense that captures the economic impact of ransomware‑driven extortion. Their plea agreements acknowledged their role in facilitating the ALPHV/BlackCat infrastructure and profit‑sharing arrangement. Angelo Martino followed suit, pleading guilty in April 2026 to the same charge; his admission included the additional detail that he abused his position as a ransomware negotiator to leak confidential victim information to other threat actors, thereby inflating ransom demands.

Sentencing and Statements from Prosecutors
The court imposed a four‑year prison term on Goldberg and Martin, reflecting both the scale of the scheme and the real harm inflicted on businesses, employees, and individuals whose data was weaponized for profit. U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida emphasized that the defendants had misused cybersecurity expertise to lock down critical systems, steal sensitive data, and pressure American companies into paying for access to their own information. He warned that cybercriminals in this district would face federal prison and forfeiture of illicit proceeds.

FBI Response and Decryption Tool Impact
The case follows a broader federal effort against ALPHV/BlackCat initiated in December 2023. The FBI developed a decryption tool that enabled victims to recover encrypted files without paying ransoms, an intervention estimated to have saved roughly $99 million in potential payments. Simultaneously, the agency seized several websites and servers used by the ransomware group, disrupting its operational capacity. These actions demonstrate how technical counter‑measures, combined with legal authority, can mitigate the financial impact of ransomware campaigns.

International Manhunt and Angelo Martino’s Continued Involvement
When Goldberg attempted to evade prosecution by fleeing abroad, the FBI pursued him through ten different countries, illustrating the agency’s commitment to tracking cyber offenders across jurisdictions. His eventual capture reinforced the message that geographic borders do not shield perpetrators from U.S. law enforcement. Meanwhile, Angelo Martino’s continued role as a negotiator—coupled with his guilty plea—highlights the division of labor within RaaS ecosystems, where some affiliates specialize in negotiation and intelligence‑gathering to increase pressure on victims.

Broader Implications for Cybersecurity and Ransomware Threat Landscape
The prosecution of Goldberg, Martin, and Martino underscores a troubling trend: individuals with legitimate cybersecurity training can be recruited—or choose—to serve as enablers of ransomware operations. As RaaS models mature, the barrier to entry drops, allowing technically proficient actors to monetize their skills without developing malware themselves. For organizations, the case reinforces the need for robust defensive measures—such as network segmentation, multi‑factor authentication, regular offline backups, and employee awareness training—to reduce the likelihood of successful infection. It also highlights the value of public‑private partnerships; the FBI’s decryption tool exemplifies how government‑led technical assistance can directly reduce victim losses.

Conclusion and Outlook
The four‑year sentences handed down to Ryan Goldberg and Kevin Martin serve as a concrete deterrent, yet they also reflect the ongoing challenge posed by ransomware-as-a-service syndicates. While law‑enforcement actions have achieved notable successes—seizing infrastructure, creating decryption aids, and prosecuting affiliates—the persistence of groups like ALPHV/BlackCat indicates that threat actors will continue to adapt. Sustained investment in cybersecurity resilience, international cooperation, and proactive legal frameworks will be essential to curb the financial and operational damage caused by ransomware extortion in the years ahead.
