
US Cybersecurity Workers Jailed for Aiding BlackCat Ransomware Gang

“These were supposed to be cybersecurity specialists who did good and helped businesses and people. Instead, they used their high-level cyber skills to feed their greed,” said assistant attorney general A. Tysen Duva — words that framed federal prosecutors’ account of two American security professionals who turned their training into tools for extortion.

Ryan Goldberg and Kevin Martin: guilty pleas and four-year sentences

Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas were each sentenced to four years in prison for their roles in facilitating ransomware attacks during 2023, the US Department of Justice said in a statement published on April 30. According to the DOJ, both men pleaded guilty to the charges in December 2025.

The DOJ statement places Goldberg and Martin in a small but consequential class of defendants: people who previously worked in cybersecurity roles and then participated directly in criminal ransomware operations. The two men worked alongside Angelo Martino, 41, of Florida, who pleaded guilty to working for the BlackCat group on April 20 and is set to be sentenced in July.

How they worked with BlackCat (ALPHV)

The defendants are linked to the BlackCat ransomware operation, also known as ALPHV, which the DOJ’s description notes first emerged in 2021 and was highly active between 2022 and 2024. Prosecutors say BlackCat attackers routinely demanded millions of dollars for decryption keys and used double-extortion tactics — threatening to leak stolen data from victims who refused to pay.

Court documents cited by the DOJ state that Goldberg and Martin helped launch ransomware attacks against multiple victims and paid BlackCat administrators a 20% share of any ransom payments they received. In one documented case, Goldberg, Martin and Martino received a Bitcoin ransom worth $1.2m; they reportedly paid 20% to BlackCat and split the remaining 80% among themselves. In another attack, the former cybersecurity workers leaked patient data from a victim in the healthcare industry, according to the filings.

Prosecutors’ message and the FBI’s international pursuit

Prosecutors emphasized the betrayal implicit in the prosecutions. Assistant attorney general A. Tysen Duva’s remarks framed the case as more than an accountant’s tally of proceeds — they were a condemnation of professionals who used acquired specialist skills to cause harm.

The FBI described an extensive pursuit. Assistant director Brett Leatherman of the FBI’s cyber division said the case shows ransomware criminals can operate anywhere and that the FBI is actively working to dismantle their networks. The DOJ account adds that Goldberg attempted to flee prior to his arrest; agents tracked him across ten countries to capture him.

What this means for cybersecurity staff, the FBI, and healthcare providers

  • Cybersecurity staff: The DOJ’s language and the sentences underscore that personnel with specialist cyber skills who aid criminals face criminal liability. Prosecutors explicitly condemned the defendants for using skills “they had acquired working in the cybersecurity industry” to commit harm.
  • The FBI: The bureau’s portrayal of an international pursuit — tracking a suspect across ten countries — signals the FBI’s intent to describe ransomware investigations as transnational efforts that leverage overseas operations to apprehend domestic actors.
  • Healthcare providers: At least one victim was a healthcare organization whose patient data was leaked, illustrating the direct and sensitive harm ransomware attacks can inflict when actors apply double-extortion tactics to stolen medical records.

Penalty, deterrence, and an unresolved calendar

The four-year sentences for Goldberg and Martin and the upcoming July sentencing for Angelo Martino offer the Department of Justice a public example it says underscores accountability for ransomware-enabled crime. In the DOJ’s framing, the case is at once punitive and preventive: a statement that high-level cyber skills applied to criminal ends will be met with law enforcement reach and criminal sentences.

What remains on the docket is the sentencing date for Martino in July and the broader question implicit in the filings: how many other insiders with cybersecurity training have the capability and motive to join criminal networks. For now, the record is focused on these defendants, the documented payments — including the $1.2m Bitcoin payout — and the DOJ and FBI’s insistence that such conduct will be pursued and punished.
