Wednesday, February 4, 2026

Ransomware Negotiators Are Cashing In by Building Their Own Ransomware, Releasing It, and Getting Paid to Halt It, Department of Justice Finds

The Justice Department has charged two ransomware negotiators and a cybersecurity manager with allegedly staging ALPHV BlackCat attacks against the very businesses they were hired to help. Prosecutors say the trio used insider access to pick targets, deploy malware, and then “negotiate” ransoms they set themselves. The scheme allegedly pulled in more than 1.2 million dollars.

  • DOJ indictment names two negotiators and a cybersecurity manager.
  • They are accused of deploying ALPHV BlackCat and steering victims into paid “negotiations.”
  • Investigators say insider knowledge shaped targets, timing, and ransom demands.
  • The group allegedly laundered proceeds through cryptocurrency mixers.

Trusted responders accused of running the attacks

According to the indictment, the incident responders companies trusted to rescue them from ransomware were, in fact, the ones pulling the strings. It flips the incident response model on its head and underscores how insider access can be weaponized. As U.S. Attorney Markenzy Lapointe put it, “The individuals charged held positions of trust assisting ransomware victims, yet they allegedly exploited that trust to perpetrate their own attacks.”

Who was charged and how did the scheme work?

The defendants are identified as Kevin Tyler Martin of Texas, Ryan Clifford Goldberg of Georgia, and a third Florida-based co-conspirator. Martin and Goldberg worked as ransomware negotiators at DigitalMint, while their associate managed operations at Sygnia Cybersecurity Services. Those roles gave them a front-row seat to victims’ pain points, insurance limits, and internal timelines. Investigators say they used that vantage point to select targets, time intrusions, and push payouts that looked “reasonable” in the chaos of an active breach.

FBI Special Agent Bryan Vorndran captured the outrage felt across the industry. “Manipulating both sides of the ransomware crisis is the ultimate breach of faith and law.” Being hit by faceless criminals is bad enough. Being hit by the people you hired to help is something else entirely.

What role did ALPHV BlackCat play?

Prosecutors say the group used a variant of the prolific ALPHV BlackCat ransomware, long known for fast encryption and pressure tactics. Their insider vantage point allegedly made the playbook more effective. They knew how response teams negotiate, where victims often land on price, and which weaknesses defenders discuss privately. As the filing describes it, they were not only exploiting software flaws. They were exploiting trust, which is far more valuable. It is another reminder that insider knowledge can become a powerful weapon when it leaves the bounds of ethics and law.

Where did the money go?

The indictment alleges the trio made over 1.2 million dollars through ransoms. Assistant Attorney General Kenneth A. Polite Jr. called it a flagrant abuse of access. Investigators say the funds moved through cryptocurrency mixers to mask origin and flow. That is a familiar laundering pattern. It aims to break on-chain traceability, making it harder to follow the money back to the wallets that received the first payouts.

How did investigators uncover the plot?

The case began to unravel after FBI searches in April 2025. Agents reportedly seized devices, logs, and chat histories, then conducted interviews through June. The digital breadcrumbs were telling. Negotiation notes, query histories, and wallet activity lined up with the timing and terms of several attacks. Deputy Attorney General Lisa Monaco said the investigation shows how patient work can pierce obfuscation. “This case highlights the DOJ’s commitment to rooting out insider cyber threats, no matter how sophisticated or well concealed.”

Why this rattled the cybersecurity industry

Trust is the currency of incident response. When it breaks, everything else wobbles. John Riggi, national advisor for cybersecurity at the American Hospital Association, summed it up. “Trust is foundational to incident response, and betrayal of this magnitude shakes the bedrock of cyber defense.” In the near term, boards and CISOs are pressing for tighter vetting, more separation of duties, and stronger conflict-of-interest checks for responders who touch negotiations, cryptocurrency flows, or decryption tooling.

How does this fit into DOJ’s broader playbook?

The Justice Department has stepped up pressure on ransomware crews and their enablers. Officials have highlighted disruptions to infrastructure and money flow. In a related move, the department announced a coordinated action against BlackSuit in August 2025. The message now reaches inside the response community too. “We are not only pursuing foreign operatives. Insiders will be prosecuted to the fullest extent when trust is betrayed,” said DOJ spokesperson Aryeh Friedman.

What should companies do next?

If the people at the table can be compromised, you need more than a trusted brand name. You need structural safeguards. Consider these steps:

  • Require conflict-of-interest disclosures from responders and negotiators. Reaffirm them before every engagement.
  • Separate duties. Do not let the same vendor both “negotiate” and control crypto wallets or payment flows.
  • Mandate independent logging. Keep your own copy of communications, keys, and payment instructions.
  • Use vetted panels. Build a bench of pre-approved IR, forensics, legal, and negotiation firms so you can swap quickly if trust erodes.
  • Run tabletop exercises that include insider risk scenarios.
  • Ask for third-party attestations such as ISO 27001 and SOC 2 Type II, plus background checks for staff who will handle ransom channels.
  • Document a no-single-point-of-failure policy for ransom wallets and keys, with dual control and approval.

This is a sobering moment, not unlike the recent case of an ex-defense contractor accused of selling cyber exploits to foreign adversaries. As cybersecurity policy author Josephine Wolff noted, “This is a clarion call for transparency and accountability in all facets of ransomware response.” The takeaway is simple. Vigilance is not just about the perimeter anymore. It is about the people you let inside.

Recommended Tech

While large organizations grapple with insider threats, individuals and families still face daily risks from scams and breaches. The TechBull recommends exploring a comprehensive protection suite for identity and privacy. Aura’s all-in-one digital protection offers identity monitoring and a VPN to help lower everyday risk.

FAQs

Who has been charged in this case?

Prosecutors named Kevin Tyler Martin of Texas, Ryan Clifford Goldberg of Georgia, and a third Florida-based co-conspirator. Martin and Goldberg worked as ransomware negotiators and their associate was a cybersecurity manager, according to the indictment.

What ransomware did prosecutors say was used?

The indictment cites a variant of ALPHV BlackCat, a fast-moving strain linked to high-pressure extortion campaigns.

How much money did the group allegedly make?

Investigators say the scheme produced over 1.2 million dollars in ransom payments that were routed through cryptocurrency mixers.

How did investigators connect the dots?

FBI searches in April 2025 led to device seizures, chats, negotiation logs, and wallet activity that aligned with the timing and terms of multiple attacks, according to court filings.

What can companies change right now?

Enforce conflict-of-interest disclosures, split duties for negotiations and payment flows, log all communications independently, and maintain a bench of pre-approved response partners so you can rotate on short notice.

Is paying a ransom legal?

Paying a ransom may violate sanctions rules depending on the recipient. Many organizations consult counsel and review government guidance before making any payment decision.

Yasmin Barakat
Yasmin Barakat is The TechBull's cybersecurity expert in Tel Aviv. She provides critical insights into digital trust and deep tech, along with reviews of the latest security gadgets, AI-powered cameras, and innovative smart home devices.
