Two US cybersecurity professionals, Ryan Goldberg and Kevin Martin, pleaded guilty to charges tied to their roles in BlackCat/Alphv ransomware attacks that occurred in 2023. Court records show that Ryan Goldberg, Kevin Martin, and a co-conspirator deployed ALPHV BlackCat ransomware against US victims from April to December 2023, sharing 20% of the ransoms with the operators. Despite working in cybersecurity, they extorted about $1.2M in Bitcoin from one victim, split the proceeds, and laundered the funds. “According to court documents, Ryan Goldberg, 40, of Georgia, Kevin Martin, 36, of Texas, and another co-conspirator successfully deployed the ransomware known as ALPHV BlackCat between April 2023 and December 2023 against multiple victims located throughout the United States,” reads the press release published by the US DOJ. “All three men worked in the cybersecurity industry, meaning that they had special skills and experience in securing computer systems against harm, including the type of harm they themselves were committing against the victims in this case.”
In November 2025, US prosecutors charged Ryan Clifford Goldberg, Kevin Tyler Martin, and another Florida-based accomplice (aka “Co-Conspirator 1”) for using BlackCat ransomware to hack and extort five U.S. companies in 2023.
See: https://redskyalliance.org/xindustry/blackcat-tools-impacket-remcom-1
Between May and November 2023, the defendants carried out ransomware attacks on five US companies, demanding different ransom sums from each target: approximately $10 million from a medical device company (which ultimately paid about $1.27 million in cryptocurrency), an unspecified amount from a Maryland-based pharmaceutical firm, $5 million from a California doctor’s office, $1 million from a California engineering company, and $300,000 from a Virginia-based drone manufacturer.
Ryan Clifford Goldberg is a former incident response manager at cybersecurity firm Sygnia. Kevin Tyler Martin was a ransomware threat negotiator for cybersecurity firm DigitalMint at the time of the alleged conspiracy, while a suspected accomplice who was not indicted was also employed at the same company. DigitalMint denied any misconduct, dismissed the two employees, and fully cooperated with investigators.
In October, the DOJ indicted Clifford Goldberg and Kevin Tyler Martin for hacking and extortion in attacks on at least five US companies. “According to an affidavit filed in September by an FBI agent, the three men began using malicious software in May 2023 to conduct ransomware attacks against victims,” first hitting a medical company in Florida by locking its servers and demanding $10 million to unlock the systems, court records say,” reported the Chicago Sun Times. “The FBI agent noted the men ultimately made off with $1.2 million, although it was apparently the only successful attack.”
In October 2025, the DOJ indicted Kevin Tyler Martin and another unnamed employee, both of whom worked as ransomware negotiators at DigitalMint, on three counts of computer hacking and extortion related to a series of attempted ransomware attacks against at least five US-based companies.
The FBI said their scheme ran until April 2025. Goldberg admitted to helping launder $1.2M in crypto from a medical firm through mixers and wallets to hide the funds. He claimed debt drove him to join and later feared life imprisonment. After learning the FBI raided a co-conspirator, Goldberg fled to Paris with his wife. Both he and Martin were indicted on 2 October for extortion and computer damage.
Martin pleaded not guilty, while Goldberg allegedly confessed to the FBI that he was recruited by an unnamed co-conspirator to “ransom some companies” to escape debt. The third individual has not yet been indicated. Goldberg and Martin face extortion and cybercrime charges that could lead to sentences of up to 50 years in federal prison.
Court documents say ALPHV, aka BlackCat, hit over 1,000 victims worldwide using a ransomware-as-a-service model. Developers built and maintained the malware and infrastructure, while affiliates targeted high-value victims. After ransom payments, proceeds were shared between developers and affiliates. “Malware like ALPHV (BlackCat) ransomware is used by bad actors to steal, extort, and launder proceeds from victim businesses and organizations,” said Special Agent in Charge Brett Skiles of the FBI Miami Field Office. “The FBI remains committed to working alongside its law enforcement partners to disrupt and dismantle criminal enterprises involved in ransomware attacks and to hold accountable not only the perpetrators but also anyone who knowingly enables or profits from them. We will continue to leverage our intelligence, law enforcement tools, global presence, and partnerships to counter cybercriminals who seek to harm the American public through these insidious attacks. We strongly encourage businesses to exercise due diligence when engaging third parties for ransomware incident response, report suspicious or unethical behavior, and to expeditiously report any ransomware attack to the FBI and our law enforcement partners to safeguard their security and privacy.”
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators-of-compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
Comments