Inside the Betrayal: Cybersecurity Professionals Sentenced to 4 Years for ALPHV/BlackCat Ransomware Attacks

Two American cybersecurity experts were sentenced to four years in prison for acting as ALPHV/BlackCat ransomware affiliates. The case exposes a significant in…

On April 30, 2026, Ryan Goldberg (40, Georgia) and Kevin Martin (36, Texas), two American cybersecurity professionals, were sentenced to four years in prison for their roles as affiliates for the ALPHV/BlackCat ransomware group between April and December 2023. An investigation by the U.S. Department of Justice and the FBI revealed how technical expertise and positions of trust were weaponized for extortion, severely compromising the integrity of the incident response industry.

The investigation also involves co-conspirator Angelo Martino, a negotiator who admitted to acting as a double agent. Martino used privileged information from victims to drive up ransom demands; his sentencing is scheduled for July 9, 2026.

Key Takeaways

Goldberg and Martin, formerly an incident response manager for Sygnia and an employee at DigitalMint, respectively, operated as ALPHV/BlackCat affiliates under a revenue-sharing model that allocated nearly 80% of ransoms to the affiliates and 20% to the group’s administrators.
Angelo Martino, a co-conspirator and negotiator for DigitalMint, pleaded guilty to sharing confidential insurance policy limits with threat actors to maximize extortion payments; all five companies he managed through his legitimate role ended up paying the ransoms.
The trio extorted approximately $1.2 million in Bitcoin from a single victim and laundered the proceeds. The indictment cites ten attacks, six of which resulted in total payments exceeding $75.25 million.
The FBI tracked Goldberg through nearly ten countries following an attempt to flee the United States. Authorities have seized approximately $9.2 million in cryptocurrency, property, and vehicles.

"These defendants exploited specialized cybersecurity knowledge not to protect victims, but to extort them." — U.S. Attorney Jason A. Reding Quiñones

Defenders with the Keys to the Kingdom: The Rise of Incident Response Insider Threats

Goldberg served as an incident response manager for Sygnia, while Martin and Martino were employed as ransomware negotiators for DigitalMint. These roles provided them with advanced technical skills, industry networks, and deep visibility into corporate defense strategies. According to the Department of Justice, the three exploited this internal knowledge to pivot from defense to compromise. The case demonstrates that insider risks are no longer confined to internal IT departments but can emerge from the very consultants hired to handle emergencies.

The 80/20 RaaS Model and High-Value Extortion

Between April and December 2023, the individuals operated as affiliates for the ALPHV/BlackCat Ransomware-as-a-Service (RaaS) program, which provided malware and infrastructure in exchange for a percentage of the profits. The DOJ confirmed that affiliates retained nearly 80% of the payments, with 20% going to the service administrators. In one documented instance, the co-conspirators extorted roughly $1.2 million in Bitcoin from a single victim and initiated a multi-jurisdictional laundering process.

The indictment lists a dozen attacks, six of which generated cumulative payments of over $75.25 million. It remains unclear whether this total represents the amount extorted exclusively by these three defendants or includes the broader affiliate network involved in the BlackCat program.

Negotiator Betrayal: When Responders Push Victims to Pay

Angelo Martino, a 41-year-old from Florida, represents one of the most egregious cases of conflict of interest in the sector. As a ransomware negotiator for DigitalMint, he was tasked with managing negotiations on behalf of victims seeking to minimize extortion costs. Instead, the DOJ found that Martino systematically abused his position by sharing confidential insurance coverage limits with BlackCat threat actors.

The objective was to calibrate ransom demands to fall just below or near the insurance coverage threshold, maximizing the likelihood of a payout without triggering a refusal from the victim. The investigation documented five victims managed by Martino while at DigitalMint; all five paid the ransom. DigitalMint was not charged and cooperated fully with authorities; CEO Jonathan Solomon issued an official statement regarding the matter.

"We strongly condemn these former employees’ criminal behavior, which violated our values, ethical standards and the law." — DigitalMint CEO Jonathan Solomon

Martino is set to be sentenced on July 9, 2026. His role highlights how the ransomware negotiation sector—often opaque and lacking uniform ethical standards—can become an intelligence channel for criminals if not subject to rigorous oversight.

International Manhunt and Asset Forfeiture: The FBI's Role

The investigation required a complex transnational effort. After proceedings began, Ryan Goldberg attempted to flee the country, leading the FBI on a chase through nearly ten nations before he was returned to U.S. soil for trial. The operation resulted in the seizure of approximately $9.2 million in cryptocurrency, along with real estate and vehicles linked to the extortion proceeds.

The Department of Justice noted that the maximum theoretical sentence for extortion conspiracy is 20 years. The four-year sentence for Goldberg and Martin likely reflects mitigating circumstances or cooperation, yet remains a significant penalty for professionals operating within the legitimate tech sector.

"Today’s sentencings show that ransomware criminals can operate anywhere, including right here in the United States, and that the FBI is actively working to track them down and dismantle their networks — wherever they exist." — FBI Assistant Director Brett Leatherman

Strategic Recommendations for Enterprises

Implement periodic background checks and strictly limit access privileges for incident responders and external negotiators, specifically regarding insurance policies and crisis budgets.
Segment sensitive data: Cyber insurance coverage limits and disaster recovery plans should not be accessible to incident response consultants without an explicit operational requirement.
Require binding exclusivity and non-disclosure agreements for ransomware negotiators, including severe penalties for conflicts of interest and a total ban on unauthorized communication with threat actors.
Audit every phase of the negotiation process and verify through independent channels that the negotiator is not simultaneously managing communications for their own benefit.

The BlackCat case is not an isolated anomaly but a warning for an industry that increasingly delegates security to specialized third parties. When the defensive perimeter is managed by those who may turn against it, the supply chain of trust becomes a primary battlefield. For enterprises, the lesson is clear: verifying the integrity of incident response partners is as critical as hardening the systems themselves.

Frequently Asked Questions

What were the specific roles of the three defendants within their legitimate companies?

Goldberg was an incident response manager for Sygnia, while Martin and Martino worked as ransomware negotiators for DigitalMint. DigitalMint was not charged and cooperated with the investigation.

How did the ALPHV/BlackCat revenue-sharing system work?

The Department of Justice confirmed a revenue split model where affiliates received nearly 80% of the ransoms, while 20% was paid to the administrators of the Ransomware-as-a-Service infrastructure.

Was DigitalMint held liable for the crimes of its former employees?

No. DigitalMint was not indicted and cooperated with authorities. CEO Jonathan Solomon publicly condemned the actions of the former employees, stating their behavior violated the company's ethical standards and values.

Information verified via cited sources and accurate at the time of publication.