The Setup
Two incident response professionals just pleaded guilty to launching the exact attacks they were hired to stop. Here's what happened, and why it matters.
Imagine your company gets hit with ransomware. You call in the experts, an incident response team and a ransomware negotiator. These are the people you trust with your company's survival. Now imagine they're the ones who attacked you.
None of this is hypothetical . It actually happened.
The Players
Ryan Goldberg, 40, was an incident response manager at Sygnia, a respected cybersecurity firm specializing in breach response. His job was to help companies recover when they get hacked.
Kevin Martin, 36, was a ransomware threat negotiator at DigitalMint, a company that helps victims negotiate with attackers and pay ransoms in cryptocurrency. His job was to talk to ransomware gangs on behalf of victims.
A third unnamed co-conspirator, also a DigitalMint negotiator, allegedly obtained access to ALPHV/BlackCat—one of the most notorious ransomware-as-a-service operations in the world. The same platform allegedly used in the Change Healthcare attack that compromised 190 million patient records.
The Attacks
Between May and November 2023, the trio hit five U.S. companies:
Florida medical device company: $10M demand, negotiated down to $1.27M paid
Maryland pharmaceutical company: Demand undisclosed, refused to pay
California doctor's office: $5M demand, refused to pay
—patient photos published on leak site as retaliation
California engineering company: $1M demand, refused to pay
Virginia drone manufacturer: $300K demand, refused to pay
Only one victim paid. But that one payout netted the group over $1 million.
The Irony
In May 2024, while allegedly still involved in the conspiracy, Martin spoke at a technology law conference about his work as a ransomware negotiator. He was explaining how to fight ransomware while allegedly conducting ransomware attacks at the same time..
As the DOJ put it: "These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks; the very type of crime that they should have been working to stop."
Though, you’d think as professionals, they’d be a little more successful than 1 out of 5.
The DOJ on their heels
The scheme collapsed after the FBI seized ALPHV/BlackCat servers in December 2023. That seizure gave investigators affiliate data, communications, and payment records.
When the FBI interviewed Goldberg in June 2025, he initially denied involvement—then confessed later. He told agents he joined the scheme to pay off personal debt.
Ten days later, Goldberg and his wife boarded a one-way flight to Paris.
They stayed in Europe for three months. When Goldberg flew from Amsterdam to Mexico City on September 21, Mexican authorities arrested him as soon as he landed and he was deported back to the U.S.
The Outcome
Both men pleaded guilty in December 2025 to conspiracy to interfere with commerce by extortion. Sentencing is set for March 12, 2026. Each faces up to 20 years in federal prison.
Total damages from their attacks: $9.5 million. You see, theres still a cost even if a ransom is never paid.
Why This Matters
This case represents the cybersecurity industry's worst nightmare: trusted defenders weaponizing their access.
Both Sygnia and DigitalMint say the attacks happened without their knowledge, outside their systems, and that the employees were terminated upon discovery.
These weren't obvious bad actors. They passed background checks. They did their day jobs. They had the credentials. And then they used everything they knew about defending companies to attack them instead.
The FBI has warned organizations to "exercise due diligence when engaging third parties for ransomware incident response" and to "report suspicious or unethical behavior."
If you experience a ransomware attack:
Report to FBI: ic3.gov or 1-800-CALL-FBI
CISA resources: cisa.gov/stopransomware
& dontgetgot.
How'd we like Today's story?
