DOJ sentences two U.S. cybersecurity professionals for ALPHV BlackCat ransomware attacks
6 min. read 
Published on
Two American cybersecurity professionals have been sentenced to four years each in federal prison for using ALPHV BlackCat ransomware against U.S. victims.
The U.S. Department of Justice said Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, took part in a 2023 ransomware conspiracy that attacked multiple companies across the United States.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The case stands out because both men worked in cybersecurity. They used the kind of technical knowledge normally used to defend companies to help deploy ransomware, extort victims, and launder proceeds.
What the DOJ announced
Goldberg and Martin were sentenced on April 30, 2026. Both had pleaded guilty in December 2025 to one count of conspiracy to obstruct, delay, or affect commerce through extortion.
According to court documents cited by the DOJ, Goldberg, Martin, and co-conspirator Angelo Martino deployed ALPHV BlackCat between April 2023 and December 2023 against multiple U.S. victims.
The group successfully extorted one victim for about $1.2 million in Bitcoin. The three men then split their 80 percent affiliate share and laundered the money through different means.
At a glance
| Item | Details |
|---|---|
| Defendants sentenced | Ryan Goldberg and Kevin Martin |
| Sentence | Four years each in federal prison |
| Sentencing date | April 30, 2026 |
| Ransomware used | ALPHV BlackCat |
| Attack period | April 2023 to December 2023 |
| Known ransom payment | About $1.2 million in Bitcoin from one victim |
| Co-conspirator | Angelo Martino, sentencing set for July 9, 2026 |
How the ALPHV BlackCat affiliate model worked
ALPHV BlackCat operated as a ransomware-as-a-service platform. Its developers maintained the ransomware, infrastructure, negotiation portals, and leak sites.
Affiliates handled the actual intrusions. They identified victims, gained access, deployed ransomware, stole data, and pressured organizations to pay.
In this case, the men agreed to give ALPHV BlackCat administrators a 20 percent cut of any ransom payments. The affiliates kept the remaining 80 percent.
Why this case is different
The defendants were not outsiders with no security background. The DOJ said all three men worked in the cybersecurity industry and had experience protecting systems from the same kind of harm they caused.
That professional background made the case more damaging. Cybersecurity workers often have deep knowledge of incident response, victim pressure points, network defense, and ransom negotiation patterns.
The DOJ said the attacks harmed U.S. companies that provided medical and engineering services. In one case, patient data from a doctor’s office was leaked after the victim did not comply with the ransom demand.
Angelo Martino’s role
Angelo Martino, 41, of Florida, pleaded guilty in April 2026. He had worked as a ransomware negotiator for victims through a U.S.-based cyber incident response company.
The DOJ said Martino abused that role by giving BlackCat actors confidential victim information. That information included insurance policy limits and internal negotiating positions.
He also admitted that he conspired with Goldberg and Martin to deploy BlackCat ransomware against U.S. victims. His sentencing is scheduled for July 9, 2026.
What ALPHV BlackCat did to victims
- Stole sensitive data before encryption.
- Encrypted victim systems and blocked access to files.
- Used leak sites to pressure victims into paying.
- Threatened or carried out publication of stolen data.
- Shared ransom proceeds between developers and affiliates.
BlackCat’s wider impact
ALPHV BlackCat became one of the most prolific ransomware groups in the world after it emerged in late 2021. It targeted more than 1,000 victims globally, according to DOJ court documents.
The group hit businesses, healthcare organizations, schools, government entities, manufacturers, and other critical infrastructure operators. It also used data theft to increase pressure before and after encryption.
U.S. officials previously described ALPHV BlackCat as a major ransomware-as-a-service operation. Its affiliates used compromised credentials, social engineering, and other intrusion methods to gain access to victim networks.
Law enforcement pressure on BlackCat
The sentencing follows the DOJ’s December 2023 disruption of ALPHV BlackCat. During that operation, the FBI developed a decryption tool and made it available to hundreds of victims through field offices and law enforcement partners.
The DOJ said the tool helped victims restore systems and saved about $99 million in ransom payments. The FBI also seized several websites operated by the ransomware group.
The DOJ said the FBI tracked Goldberg across 10 countries after he tried to flee abroad. Officials used the case to stress that ransomware actors can face prosecution even when they operate from inside the United States.
What organizations should learn from the case
The case shows that ransomware risk can involve insiders, contractors, negotiators, and trusted security professionals. Companies should not assume that a cybersecurity title alone proves good intent.
Organizations should apply strong controls around incident response vendors, negotiators, administrator accounts, privileged access, and sensitive negotiation data.
They should also report ransomware incidents quickly. Early reporting can help law enforcement identify shared infrastructure, provide decryption help when available, and connect related cases.
Practical steps for businesses
- Vet incident response vendors and ransomware negotiators before giving them sensitive data.
- Limit access to insurance details and negotiation strategy documents.
- Use separate accounts for incident response work and normal administration.
- Monitor privileged access during active ransomware incidents.
- Keep offline and immutable backups.
- Test recovery plans before an incident happens.
- Report ransomware attacks to the FBI or IC3 as soon as possible.
- Review third-party access after every major security incident.
Why the sentencing matters
The four-year sentences send a message to ransomware affiliates and facilitators. U.S. prosecutors are not only going after foreign ransomware developers, but also domestic actors who use those platforms.
The case also highlights how the ransomware economy depends on many roles. Developers build the malware, affiliates run intrusions, negotiators apply pressure, money launderers move funds, and leak sites enforce threats.
For defenders, the lesson is direct. Ransomware defense needs technical controls, trusted response partners, careful access management, and fast reporting when attackers strike.
FAQ
Ryan Goldberg of Georgia and Kevin Martin of Texas were sentenced to four years each in federal prison.
They pleaded guilty to conspiracy to obstruct, delay, or affect commerce through extortion in connection with ransomware attacks.
Martino worked as a ransomware negotiator and admitted that he shared confidential victim information with BlackCat actors. He also admitted joining the ransomware conspiracy.
The DOJ said the men successfully extorted about $1.2 million in Bitcoin from one victim.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages