The People Hired to Stop Ransomware Were Running It—Two Cybersecurity Pros Just Pleaded Guilty

The BlackCat Playbook

Between April and December 2023, Goldberg (40, from Georgia) and Martin (36, from Texas), along with an unnamed co conspirator who also worked at DigitalMint, operated as affiliates of the ALPHV/BlackCat ransomware operation. The ransomware as a service model let them pay the BlackCat administrators a 20% cut of any ransoms in exchange for access to the file encrypting malware and an extortion platform.

Their targets were not random. The trio attacked five U.S. companies across sectors that handle some of the most sensitive data:

• A Florida medical device company
• A Maryland pharmaceutical company
• A California doctor's office
• A California engineering company
• A Virginia drone manufacturer

The combined losses exceeded $9.5 million. After one successful extortion, the group collected approximately $1.2 million in Bitcoin, split their 80% share three ways, and laundered the proceeds.

Why Insider Knowledge Made Them Dangerous

What makes this case uniquely alarming is the expertise the attackers brought. Goldberg understood incident response playbooks from the inside. He knew what forensic investigators look for, how organizations prioritize recovery, and where the pressure points are that push victims toward paying. Martin understood the negotiation side, including how victims evaluate whether to pay, how insurance companies factor in, and what ransom amounts organizations will accept.

As the Department of Justice noted: "These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks—the very type of crime that they should have been working to stop."

Neither Sygnia nor DigitalMint were aware of the attacks. The trio conducted operations entirely outside their employers' infrastructure and systems.

The Broader BlackCat Threat

ALPHV/BlackCat was one of the most prolific ransomware operations in recent history, targeting over 1,000 victims globally before law enforcement disrupted its infrastructure in December 2023. The ransomware was particularly dangerous because it could exploit cloud backup copies of data, the very systems organizations deploy specifically to protect against ransomware.

The group's most notorious attack hit Change Healthcare in February 2024, disrupting prescription processing across the United States and affecting millions of patients. While Goldberg and Martin were not connected to that specific attack, their activities overlapped with the same criminal ecosystem.

What This Means for Cybersecurity Trust

This case exposes an uncomfortable truth about the cybersecurity industry. Organizations place enormous trust in incident responders and ransomware negotiators, granting them access to sensitive systems, breach details, and payment decisions. When those trusted insiders turn hostile, the damage potential is amplified far beyond what an outside attacker could achieve.

The case also raises questions about vetting within the cybersecurity industry. Both men held legitimate, respected positions at established firms. Their criminal activity was conducted outside work hours and off corporate systems, making detection through standard employment monitoring nearly impossible.

For organizations evaluating their security posture, the lesson is sobering: the people you trust most with your defenses may also understand best how to defeat them. Background checks, access controls, and the separation of duties between incident response and payment negotiation have never been more critical.

What Happens Next

Goldberg and Martin face sentencing on March 12, 2026, with a maximum penalty of 20 years in federal prison. Authorities traced $324,123.26 in criminal proceeds directly to the pair. A third co conspirator remains at large.

The case is being prosecuted by the U.S. Attorney's Office for the Southern District of Florida and the Department of Justice's Criminal Division. The FBI conducted the investigation.