Two American men with cybersecurity expertise just pleaded guilty to using that expertise to commit ransomware attacks against U.S. victims. They deployed sophisticated malware. They extorted businesses for millions. They laundered the proceeds.
The kicker: they worked in the cybersecurity industry. They had the training and skills to protect computer systems. Instead, they used it to attack them.
Ryan Goldberg, 40, from Georgia, and Kevin Martin, 36, from Texas, pleaded guilty to conspiracy to commit extortion using the ALPHV BlackCat ransomware. They’re now facing up to 20 years in federal prison.
This is what happens when people trusted to defend networks weaponize their expertise for profit.
What They Actually Did
Between April 2023 and December 2023, Goldberg, Martin, and a third co-conspirator deployed ALPHV BlackCat ransomware against multiple victims across the United States.
The ransomware-as-a-service model worked like this: They paid ALPHV BlackCat operators a 20% cut of any ransom they successfully extorted. In exchange, they got access to the ransomware and the extortion platform where they could communicate with victims, post stolen data, and collect payments.
The three men identified vulnerable targets. They deployed the malware. They encrypted the victims’ files. They threatened to release stolen data unless the victim paid.
One victim paid approximately $1.2 million in Bitcoin. Goldberg and Martin split their 80% share and laundered the money through various means.
But that was just one victim. The court documents indicate they targeted multiple organizations. The scale of their operation remains unclear from the public record, but one successful extortion for $1.2 million suggests they were effective at identifying vulnerable targets and maximizing payouts.
Why This Is Particularly Egregious
These weren’t amateur hackers. They weren’t kids experimenting with code. They were trained cybersecurity professionals.
“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” said Assistant Attorney General A. Tysen Duva.
That’s the infuriating part: Goldberg and Martin had the education, training, and professional experience to build defenses. Instead, they turned that expertise inward and attacked.
It’s like hiring a security expert to design your building’s security system, then discovering he’s using his knowledge to plan a robbery.
For businesses trying to protect their networks, this case is a stark reminder: threats come from inside your organization. Someone with legitimate access and technical knowledge can be more dangerous than outside attackers because they understand your infrastructure intimately.
How ALPHV BlackCat Works
ALPHV (also known as BlackCat) is one of the most sophisticated ransomware operations globally. They operate a ransomware-as-a-service platform where developers maintain the malware and infrastructure, and affiliates identify and attack targets.
The model is efficient: Developers focus on malware development and keeping systems running. Affiliates focus on finding vulnerable organizations and deploying attacks. When ransoms are paid, proceeds are split.
According to court documents, ALPHV BlackCat has targeted more than 1,000 victims worldwide. They’ve extorted hundreds of millions in ransom payments collectively.
Goldberg and Martin were affiliates in this operation—the people identifying targets and executing attacks. They weren’t the most sophisticated tier, but they were effective enough to extract $1.2 million from a single victim.
The ALPHV BlackCat Timeline
In December 2023, federal law enforcement executed a coordinated disruption of ALPHV BlackCat. The FBI developed a decryption tool that allowed victims to restore their files without paying ransom.
The FBI also seized websites operated by ALPHV BlackCat, disrupting their platform.
That action saved victims approximately $99 million in ransom payments. It wasn’t a complete dismantling—the operation has continued—but it was a significant blow.
Goldberg and Martin’s guilty plea comes nearly two years after that disruption, suggesting federal investigation and prosecution have been ongoing throughout 2024 and 2025.
What Ransomware Actually Does
Ransomware is malware that encrypts an organization’s files, making them inaccessible. The attackers then demand ransom payment in exchange for a decryption key.
The damage is substantial:
- Business operations halt (can’t access files, can’t operate systems)
- Data theft (attackers copy files before encrypting them)
- Reputation damage (breach becomes public)
- Regulatory fines (HIPAA violations if healthcare data, etc.)
- Recovery costs (IT teams working around the clock to restore systems)
For a hospital, ransomware means patient records inaccessible, surgeries delayed, emergency care disrupted. For a financial institution, it means customer accounts frozen, transactions blocked, confidence shattered.
The average ransomware payment is now in the millions for large organizations. The victims Goldberg and Martin targeted were likely significant businesses with substantial data and operational criticality.
The Bitcoin Laundering
They extorted $1.2 million in Bitcoin. Then they had to launder it—convert the cryptocurrency into usable dollars without law enforcement tracing the flow.
Court documents mention they laundered proceeds “through various means.” That likely involved mixing services that obscure the origin of cryptocurrency, converting Bitcoin to other cryptocurrencies, moving funds through multiple wallets, or converting back to cash through exchanges in different jurisdictions.
Federal investigators traced it anyway. The FBI’s financial crimes unit has gotten sophisticated at following cryptocurrency transactions. What used to be “anonymous” blockchain money now leaves digital footprints that law enforcement can follow.
Why U.S. Cybersecurity Professionals Matter
When trained cybersecurity professionals turn to crime, it’s a security vulnerability itself. Organizations trust these professionals. They grant network access. They rely on their expertise. They assume ethical behavior.
Goldberg and Martin violated that trust fundamentally. They used legitimate positions to identify vulnerable organizations, understand their systems, and attack them.
For Texas-based businesses and organizations, this case is a warning: insider threats are real. Someone with legitimate access and technical skill can cause catastrophic damage.
The Prosecution Going Forward
Goldberg and Martin are scheduled to be sentenced on March 12, 2026. They each face up to 20 years in federal prison.
The charges: conspiracy to commit extortion through ransomware attacks. That’s a serious federal charge with mandatory minimum sentencing guidelines.
Federal prosecutors will argue for substantial prison time. The defendants will argue for leniency based on cooperation, background, or other factors. The judge will decide.
Expect sentences in the range of 8-15 years based on comparable ransomware prosecutions—substantial prison time, but likely not the full 20-year maximum.
What This Means for Ransomware Going Forward
This prosecution sends a message: ransomware operators and affiliates will be identified, prosecuted, and imprisoned. The U.S. Department of Justice has made ransomware a priority. Since 2020, the Computer Crime and Intellectual Property Section has convicted over 180 cybercriminals and recovered over $350 million in victim funds.
That’s not just prosecution. That’s successful prosecution with financial recovery.
For organizations being extorted by ransomware operators, there’s a message too: report the attack. Cooperate with law enforcement. The FBI is actively investigating, disrupting, and prosecuting ransomware operations. Paying ransom often just funds the next attack.
The Broader ALPHV BlackCat Threat
ALPHV BlackCat remains a significant threat despite the disruption. The operation continues targeting organizations globally. New affiliates replace those who are arrested or killed. The malware evolves.
But each prosecution, each affiliate arrested, each operation disrupted puts pressure on the entire ecosystem. Eventually, the risks become too high for some operators. Profit margins shrink. Operators migrate to other activities.
That pressure, applied consistently, reduces ransomware’s profitability and effectiveness.
For Texas Specifically
Kevin Martin is from Texas. That means the prosecution involved federal law enforcement working across districts—Southern District of Florida, Eastern District of Texas, and Middle District of Georgia all coordinated.
For Texas businesses and organizations, this case demonstrates federal commitment to prosecuting cybercrime regardless of where the attacker operates. Martin operated from Texas but was prosecuted in Florida where the financial crimes occurred. Jurisdiction followed the crime, not the perpetrator.
That matters for deterrence: attackers can’t assume geographic distance protects them. Federal prosecutors have broad jurisdiction for federal crimes and can prosecute across state lines.
What You Should Do
If your organization experiences ransomware:
Report it to the FBI immediately. File a report at ic3.gov. Contact your local FBI field office. Don’t pay ransom without consulting law enforcement—you might be funding further attacks.
If you work in cybersecurity:
Understand the temptation is real, but the consequences are severe. Federal prison. Massive financial penalties. Lifetime conviction record. Your career is destroyed. Goldberg and Martin faced that calculation and made the wrong choice.
If you notice suspicious cybersecurity behavior internally:
Report it. Alert your CISO or IT security leader. Contact law enforcement if you have evidence of actual crimes. Whistleblower protections exist for these situations.
The Bottom Line
Ryan Goldberg and Kevin Martin, both trained cybersecurity professionals, pleaded guilty to using ALPHV BlackCat ransomware to extort American victims. They successfully extracted at least $1.2 million in one attack. They laundered the proceeds.
Now they face federal prison time—potentially 8-15 years based on sentencing guidelines for comparable cases.
The message: ransomware operators and their affiliates will be prosecuted. Even if you have technical skill. Even if you work in cybersecurity. Even if you thought you were sophisticated enough to avoid detection.
Federal law enforcement is hunting ransomware criminals. They’re finding them. They’re prosecuting them. They’re sending them to prison.
That message applies to anyone considering ransomware extortion: the risk isn’t worth it.
