Former "Negotiator" Sentenced to Nearly Six Years for BlackCat Conspiracy
A 41-year-old former cybersecurity professional has been sentenced to 70 months (approximately five years and ten months) in federal prison for their role in a conspiracy with the BlackCat / ALPHV ransomware group. The sentence follows a conviction for conspiring to extort multiple victims and coordinating ransomware attacks alongside two other individuals with cybersecurity backgrounds.
The case is a stark reminder that acting as a ransomware "negotiator" while secretly coordinating with — or profiting from — the attackers constitutes a serious federal crime.
Background: The BlackCat / ALPHV Ransomware Group
BlackCat (also tracked as ALPHV) was one of the most prolific Ransomware-as-a-Service (RaaS) operations of the early 2020s. Active from approximately 2021 until its disruption in 2024, the group was responsible for attacks on hundreds of organizations globally, including:
- Healthcare providers and hospitals
- Critical infrastructure operators
- Government agencies
- Financial institutions
BlackCat operated a sophisticated affiliate model, providing ransomware tooling and infrastructure to affiliates who conducted intrusions and split ransom proceeds with the core group. The FBI disrupted BlackCat operations in December 2023, seizing infrastructure and releasing a decryption tool — but the group attempted a brief revival before ultimately ceasing operations.
The Defendant's Role
According to the DOJ, the defendant — a cybersecurity professional presenting themselves as a legitimate ransomware negotiator — was in fact:
- Coordinating with BlackCat operators to facilitate ransom payments and extortion
- Assisting in targeting additional victims alongside two other cybersecurity professionals
- Profiting from the ransom payments negotiated in a dual-sided capacity
The scheme exploited the legitimate demand for ransomware negotiation services — a real field where incident response firms help victims assess demands, communicate with attackers, and recover systems. By secretly aligning with the attackers, the defendant violated victims' trust while positioning themselves as their advocate.
Charges and Sentence
| Item | Detail |
|---|---|
| Charge | Conspiracy to Commit Extortion |
| Sentence | 70 months federal prison |
| Age at sentencing | 41 years old |
| Co-conspirators | 2 additional cybersecurity professionals |
| Jurisdiction | U.S. Federal Court |
The 70-month sentence (≈ 5.8 years) reflects the severity of the conspiracy and the multiple victims involved. Federal sentencing guidelines for extortion-related offenses weigh factors including the number of victims, total financial harm, and the defendant's role in the scheme.
Why This Case Matters
The "Insider Threat" in Incident Response
This case highlights a concerning attack vector: the abuse of trusted incident response and negotiation roles. Organizations paying for ransomware negotiation services assume the negotiator is acting solely in their interest. When that assumption is violated by someone coordinating with the attacker, it compounds the harm — victims pay more, recover less, and may be targeted again.
DOJ Signaling
The sentence sends a clear message from the DOJ:
Cybersecurity credentials do not provide cover for criminal activity. Professionals who knowingly facilitate ransomware extortion — regardless of the role they claim — will face the same criminal liability as the attackers themselves.
This aligns with broader DOJ and CISA initiatives to hold ransomware ecosystem participants — not just operators — criminally accountable.
Guidance for Organizations
Vetting Incident Response Partners
When engaging ransomware negotiators or incident response firms:
- Verify credentials and reputation — look for established firms with verifiable client histories and industry affiliations (CISA-approved IR firms, vetted through cyber insurance providers)
- Require transparency — demand full documentation of all communications with threat actors
- Engage legal counsel in parallel — your attorneys can independently assess negotiation strategy
- Never pay ransoms without law enforcement notification — the FBI and CISA both recommend engaging them early; they may have decryption tools or intelligence on the specific group
- Audit payment flows — if a negotiator handles ransom payments directly, require escrow or direct payment control by your organization
Reporting
- FBI: Report to your local FBI field office or via ic3.gov
- CISA: Report at cisa.gov/report
- Stop Ransomware: stopransomware.gov
Source: The Hacker News, July 2026