Two cybersecurity professionals admit running ALPHV-affiliated ransomware

TL;DR

Two cybersecurity workers pleaded guilty to conspiring to extort victims using ALPHV/BlackCat ransomware after planting malware at five U.S. companies. Only one target, a medical device firm, paid about $1.2 million in bitcoin; the defendants split the payment and attempted to launder the proceeds.

What happened

Federal prosecutors say two cybersecurity professionals — identified as Ryan Clifford Goldberg and Kevin Tyler Martin — pleaded guilty to a single count of conspiracy to obstruct, delay, or affect commerce via extortion. Authorities say the pair and an unnamed co-conspirator became affiliates of the ALPHV/BlackCat ransomware operation, agreeing to remit 20% of ransom proceeds to ALPHV administrators in exchange for use of the malware. From May through November 2023 they leveraged their security expertise to deploy ransomware at five U.S.-based targets: a medical device company, a pharmaceutical firm, a doctor's office, an engineering company, and a drone maker. Only the medical device company paid roughly $1.2 million in bitcoin; prosecutors say the three suspects split that payment and tried to launder it. The two named defendants are due to be sentenced in federal court in March and face up to 20 years in prison.

Why it matters

• Insiders with defensive cybersecurity skills used that expertise to conduct attacks, highlighting risks from trusted professionals turning criminal.
• Targets included health and engineering sectors, underscoring potential impacts on critical services and patient care.
• The affiliate model lets attackers outsource access and tooling, complicating attribution and response efforts.
• A large single ransom payment and alleged laundering show how cryptocurrency can be exploited in cybercrime.
• Sentencing and prosecutions may affect how law enforcement and industry respond to insider-assisted ransomware.

Key facts

• Defendants: Ryan Clifford Goldberg and Kevin Tyler Martin (two named); a third co-conspirator remained unnamed in the public announcement.
• Charge: Guilty pleas to one count of conspiracy to obstruct, delay, or affect commerce by extortion.
• Timeline: Attacks occurred from May to November 2023; indictments were returned in October 2025; guilty pleas entered on a Monday in late December 2025.
• Affiliate arrangement: The trio agreed to pay ALPHV administrators 20% of any ransom proceeds for use of the ransomware.
• Victims: Five organizations were targeted — a medical device company, a pharmaceutical firm, a doctor's office, an engineering company, and a drone manufacturer.
• Ransom payment: Only the medical device company paid, sending roughly $1.2 million in bitcoin; prosecutors say the payment was divided among the three suspects.
• Alleged laundering: Authorities report the defendants attempted to launder the ransom proceeds.
• Sentencing: Federal court will sentence Goldberg and Martin in March; each faces up to 20 years behind bars.
• ALPHV context: ALPHV/BlackCat is noted in the report for a high-profile 2024 attack on a healthcare services company that disrupted pharmacy operations.

What to watch next

• March federal sentencing for Goldberg and Martin, where penalties will be determined.
• Status of the unnamed third co-conspirator: not confirmed in the source.
• Whether ALPHV/BlackCat or its affiliates re-emerge with new tooling or branding: not confirmed in the source.

Quick glossary

• Ransomware: Malicious software that encrypts or otherwise denies access to data or systems, with attackers demanding payment to restore access.
• Affiliate model: A criminal structure where malware developers provide tools to third parties in exchange for a share of proceeds from attacks.
• Extortion: The act of obtaining money, property, or services from a person or institution through coercion, threats, or force.
• ALPHV/BlackCat: A ransomware group referenced in the report; in criminal schemes, such groups may operate and manage ransomware infrastructure and take a cut of ransom payments.
• Bitcoin: A form of cryptocurrency often used in digital transactions; it has been used in some criminal ransom payments due to its pseudonymous characteristics.

Reader FAQ

What crimes did the defendants plead guilty to?
They pleaded guilty to one count of conspiracy to obstruct, delay, or affect commerce by extortion.

Who were the victims of the attacks?
The reported targets were a medical device company, a pharmaceutical firm, a doctor's office, an engineering company, and a drone manufacturer.

Did the attackers receive ransom payments?
Prosecutors say only the medical device company paid about $1.2 million in bitcoin, which the defendants split.

Will the defendants go to prison?
They face sentencing in March and each could receive up to 20 years; the final penalties are not yet determined.

Is the status of the third co-conspirator known?
Not confirmed in the source.

CYBER-CRIME Cybersecurity pros admit to moonlighting as ransomware scum Pair became ALPHV affiliates to prey on US-based clients Simon Sharwood Wed 31 Dec 2025 // 01:46 UTC A ransomware negotiator and a security incident…

Sources

• Cybersecurity pros admit to moonlighting as ransomware scum
• Cybersecurity experts charged with running BlackCat …
• Prosecutors allege incident response pros used ALPHV …
• Cyber Defenders Gone Rogue: Experts Charged in …

Related posts

• New York’s mayor-elect bars Raspberry Pi from inauguration block party
• Research: Honey Detects Testers and Conceals Affiliate Network Violations
• NYC Mayoral Inauguration bans Raspberry Pi and Flipper Zero alongside explosives