There's a particular kind of betrayal at the heart of this story. Two men paid to defend networks decided it was more lucrative to break them, and the U.S. Department of Justice just sent them to prison for four years each.
On April 30, 2026, the DOJ announced that Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were sentenced for their role in deploying ALPHV BlackCat ransomware against multiple American victims throughout 2023. Both men worked in the cybersecurity industry. They knew exactly what they were doing, and exactly who they were doing it to.
The scheme
Goldberg, Martin, and a third co-conspirator, Florida resident Angelo Martino, 41, struck a deal with the operators of ALPHV BlackCat: in exchange for access to the ransomware and its extortion infrastructure, the trio would hand over 20% of any ransoms they collected. Between April and December 2023, they used that access to attack U.S. companies, including a medical practice and an engineering firm.
One victim paid roughly $1.2 million in Bitcoin. The three men split their 80% cut and laundered the proceeds through "various means," according to court documents.
What makes the medical-practice attack especially ugly is what happened when the negotiations didn't go their way: they leaked patient data. Assistant Attorney General A. Tysen Duva of the DOJ's Criminal Division didn't mince words, describing how the defendants "played hardball" with victims and went "so far as to cause the leak of patient data from a doctor's office victim." These were people, Duva added, who "were supposed to be cybersecurity specialists who did good and helped businesses and people. Instead, they used their high-level cyber skills to feed their greed."
A reminder of how ransomware-as-a-service works
ALPHV BlackCat operated on a now-familiar criminal business model: ransomware-as-a-service, or RaaS. The developers built and maintained the malware and the dark-web infrastructure. Affiliates, like Goldberg, Martin, and Martino, went out and found victims to attack. After a successful extortion, both sides took a cut.
This division of labor is part of what made BlackCat so prolific. According to the DOJ, the group targeted more than 1,000 victims worldwide. It's also what makes RaaS operations so resilient: take down one affiliate, and dozens more remain.
A negotiator gone rogue
The Martino angle deserves its own moment of attention. Martino, who pleaded guilty in April 2026 and is scheduled for sentencing on July 9, didn't just help deploy ransomware. He worked as a ransomware negotiator, the person victims hire to broker deals with their attackers. According to the DOJ, he abused that role by feeding confidential victim information back to threat actors so they could jack up the ransom demand.
If true, that's a textbook conflict of interest weaponized into a crime. It's the kind of detail that should give every company hiring an outside negotiator a moment of pause about due diligence.
The takedown, and a chase across 10 countries
This sentencing is the latest chapter in a multi-year DOJ campaign against BlackCat. Back in December 2023, the FBI announced that it had developed a decryption tool and had used it to help hundreds of victims recover their systems, saving an estimated $99 million in ransom payments. The Bureau also seized several BlackCat-operated websites at the time.
The pursuit of Goldberg himself reads like a thriller subplot. According to FBI Cyber Division Assistant Director Brett Leatherman, when Goldberg tried to flee abroad to escape prosecution, the FBI tracked him through 10 countries before catching up with him. The Mexican federal investigative police at Mexico City's international airport assisted in the operation.
Goldberg and Martin pleaded guilty in December 2025 to one count each of conspiracy to obstruct, delay, or affect commerce by extortion. Each got four years.
What this case tells us
A few things stand out.
First, the insider threat in cybersecurity is real. The industry has a trust problem hidden inside it: the same skills that protect networks can dismantle them, and there's no clean way to vet for moral character. Companies relying on outside security professionals (pentesters, incident responders, ransomware negotiators) should think carefully about background checks, contractual safeguards, and segregation of access.
Second, law enforcement is getting better at this. The combination of the BlackCat infrastructure seizure in 2023, the development of a working decryption tool, and the international tracking of fleeing affiliates suggests federal cybercrime investigators are operating at a level that would have been hard to imagine a decade ago. The DOJ noted that since 2020, its Computer Crime and Intellectual Property Section has secured over 180 cybercriminal convictions and recovered more than $350 million for victims.
Third, four years still feels light. Goldberg and Martin participated in attacks that leaked patient data and extracted at least $1.2 million from a single victim, on top of attacks against multiple other organizations. Whether the sentence will deter the next cybersecurity professional tempted to moonlight as an extortionist is an open question.
If you've been hit
The DOJ's reminder at the end of the press release bears repeating. Ransomware victims should contact their local FBI field office or file a report at ic3.gov. Anyone with information about ALPHV BlackCat or its affiliates may be eligible for a reward through the State Department's Transnational Organized Crime Rewards or Rewards for Justice programs.
The takedown of one criminal cell never ends ransomware. But cases like this one make the calculus a little less attractive for the next would-be affiliate, especially the ones who already have day jobs defending the networks they're thinking about attacking.
Source: U.S. Department of Justice, Office of Public Affairs press release, April 30, 2026
