Former Cybersecurity Incident Responders Plead Guilty to

The Fox Guarding the Henhouse

In one of the most striking insider-threat cases in recent memory, two American cybersecurity professionals are awaiting sentencing on March 12, 2026, after admitting to operating as affiliates of the BlackCat (ALPHV) ransomware gang while simultaneously holding positions at legitimate cybersecurity firms.

Defendant	Age	Role	Employer
Ryan Goldberg	40, Georgia	Incident Response Manager	Sygnia
Kevin Martin	36, Texas	Ransomware Negotiator	DigitalMint

Attacking the Organizations They Were Trained to Defend

Between April and December 2023, Goldberg and Martin — along with an unnamed co-conspirator also employed at DigitalMint — conducted ransomware attacks against five U.S. companies. Three of the five victims were healthcare organizations, a sector frequently targeted due to the critical nature of patient care and the urgency to restore operations.

The attackers agreed to pay BlackCat administrators a 20% share of any ransoms collected in exchange for access to the ransomware toolkit and the group's extortion platform.

Their roles at legitimate firms gave them deep insight into:

Common security postures and defensive gaps
Incident response playbooks and procedures
Ransomware negotiation tactics and payment processes
How organizations prioritize and fund ransom payments

Guilty Pleas and Sentencing

Both defendants entered guilty pleas on December 18 in the U.S. District Court for the Southern District of Florida to one count of conspiracy to obstruct, delay, or affect commerce by extortion.

Each defendant faces:

Up to 20 years imprisonment
3 years of supervised release
Fine of up to $250,000 or twice the gross gain or loss of the offense

Lessons for the Industry

The case serves as a stark reminder that insider threats can emerge from even the most trusted positions within the cybersecurity industry. Organizations should consider:

Background checks with ongoing monitoring for employees with privileged access
Separation of duties in incident response and negotiation workflows
Behavioral analytics on employee network activity, especially for those with knowledge of defensive tools
Whistleblower programs to encourage reporting of suspicious colleague behavior
Vendor vetting for third-party incident response and negotiation firms

The DOJ emphasized that the case demonstrates the government's commitment to prosecuting cybercriminals regardless of their professional backgrounds.

The Fox Guarding the Henhouse

Defendant

Age

Role

Employer

Ryan Goldberg

40, Georgia

Incident Response Manager

Sygnia

Kevin Martin

36, Texas

Ransomware Negotiator

DigitalMint

Attacking the Organizations They Were Trained to Defend

The attackers agreed to pay BlackCat administrators a 20% share of any ransoms collected in exchange for access to the ransomware toolkit and the group's extortion platform.

Their roles at legitimate firms gave them deep insight into:

Common security postures and defensive gaps

Incident response playbooks and procedures

Ransomware negotiation tactics and payment processes

How organizations prioritize and fund ransom payments

Guilty Pleas and Sentencing

Each defendant faces:

Up to 20 years imprisonment

3 years of supervised release

Fine of up to $250,000 or twice the gross gain or loss of the offense

Lessons for the Industry

The case serves as a stark reminder that insider threats can emerge from even the most trusted positions within the cybersecurity industry. Organizations should consider:

Background checks with ongoing monitoring for employees with privileged access

Separation of duties in incident response and negotiation workflows

Behavioral analytics on employee network activity, especially for those with knowledge of defensive tools

Whistleblower programs to encourage reporting of suspicious colleague behavior

Vendor vetting for third-party incident response and negotiation firms

The DOJ emphasized that the case demonstrates the government's commitment to prosecuting cybercriminals regardless of their professional backgrounds.

Former Cybersecurity Incident Responders Plead Guilty to

The Fox Guarding the Henhouse

Attacking the Organizations They Were Trained to Defend

Guilty Pleas and Sentencing

Lessons for the Industry

Phobos Ransomware Admin Pleads Guilty — 1,000+ Victims

Manager of Botnet Used in Ransomware Attacks Gets 2 Years in Prison

Russian Hacker Who Helped Yanluowang Ransomware Gang Gets Nearly 7-Year Prison Sentence

Former Cybersecurity Incident Responders Plead Guilty to

The Fox Guarding the Henhouse

Attacking the Organizations They Were Trained to Defend

Guilty Pleas and Sentencing

Lessons for the Industry

Phobos Ransomware Admin Pleads Guilty — 1,000+ Victims

Manager of Botnet Used in Ransomware Attacks Gets 2 Years in Prison

Russian Hacker Who Helped Yanluowang Ransomware Gang Gets Nearly 7-Year Prison Sentence