{ "id": "73122e35-2554-45bc-9654-9339d9ced457", "created_at": "2026-04-06T00:18:00.591422Z", "updated_at": "2026-04-10T03:29:40.106802Z", "deleted_at": null, "sha1_hash": "766f3167d1b570fc5b0005e9268412836c330c51", "title": "Two Americans Plead Guilty to Targeting Multiple U.S. Victims Using ALPHV BlackCat Ransomware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 44333, "plain_text": "Two Americans Plead Guilty to Targeting Multiple U.S. Victims\r\nUsing ALPHV BlackCat Ransomware\r\nPublished: 2025-12-30 · Archived: 2026-04-05 13:10:25 UTC\r\nYesterday, a federal district court in the Southern District of Florida accepted the guilty pleas of two men to\r\nconspiring to obstruct, delay or affect commerce through extortion in connection with ransomware attacks\r\noccurring in 2023.\r\n“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks\r\n— the very type of crime that they should have been working to stop,” said Assistant Attorney General A. Tysen\r\nDuva of the Justice Department’s Criminal Division. “Extortion via the internet victimizes innocent citizens every\r\nbit as much as taking money directly out of their pockets. The Department of Justice is committed to using all\r\ntools available to identify and arrest perpetrators of ransomware attacks wherever we have jurisdiction.”\r\n“Ransomware is not just a foreign threat — it can come from inside our own borders,” said U.S. Attorney Jason A.\r\nReding Quiñones for the Southern District of Florida. “Goldberg and Martin used trusted access and technical\r\nskill to extort American victims and profit from digital coercion. Their guilty pleas make clear that cybercriminals\r\noperating from within the United States will be found, prosecuted, and held to account.”\r\n“Malware like ALPHV (BlackCat) ransomware is used by bad actors to steal, extort, and launder proceeds from\r\nvictim businesses and organizations,” said Special Agent in Charge Brett Skiles of the FBI Miami Field Office.\r\n“The FBI remains committed to working alongside its law enforcement partners to disrupt and dismantle criminal\r\nenterprises involved in ransomware attacks and to hold accountable not only the perpetrators but also anyone who\r\nknowingly enables or profits from them. We will continue to leverage our intelligence, law enforcement tools,\r\nglobal presence, and partnerships to counter cybercriminals who seek to harm the American public through these\r\ninsidious attacks. We strongly encourage businesses to exercise due diligence when engaging third parties for\r\nransomware incident response, report suspicious or unethical behavior, and to expeditiously report any\r\nransomware attack to the FBI and our law enforcement partners to safeguard their security and privacy.”\r\nAccording to court documents, Ryan Goldberg, 40, of Georgia, Kevin Martin, 36, of Texas, and another co-conspirator successfully deployed the ransomware known as ALPHV BlackCat between April 2023 and December\r\n2023 against multiple victims located throughout the United States. The three men agreed to pay the ALPHV\r\nBlackCat administrators a 20% share of any ransoms received in exchange for access to the ransomware and\r\nALPHV BlackCat’s extortion platform. All three men worked in the cybersecurity industry — meaning that they\r\nhad special skills and experience in securing computer systems against harm, including the type of harm they\r\nthemselves were committing against the victims in this case. After successfully extorting one victim for\r\napproximately $1.2 million in Bitcoin, the men split their 80% share of this ransom three ways and laundered the\r\nfunds through various means.\r\nAccording to court documents, ALPHV BlackCat targeted the computer networks of more than 1,000 victims\r\naround the world. The group used a ransomware-as-a-service model in which developers were responsible for\r\nhttps://www.justice.gov/opa/pr/two-americans-plead-guilty-targeting-multiple-us-victims-using-alphv-blackcat-ransomware\r\nPage 1 of 3\n\ncreating and updating ransomware and for maintaining the illicit internet infrastructure. Affiliates were responsible\r\nfor identifying and attacking high-value victim institutions with the ransomware. After a victim paid, developers\r\nand affiliates shared the ransom.\r\nToday’s announcement follows the Justice Department’s prior actions in December 2023 to disrupt ALPHV\r\nBlackCat ransomware, in which the FBI developed a decryption tool that allowed FBI field offices across the\r\ncountry and law enforcement partners around the world to offer hundreds of victims the capability of restoring\r\ntheir systems, saving victims approximately $99 million in ransom payments. At that time, the FBI also seized\r\nseveral websites operated by ALPHV BlackCat.\r\nGoldberg and Martin each pleaded guilty to one count of conspiracy to obstruct, delay or affect commerce or the\r\nmovement of any article or commodity in commerce by extortion in violation of 18 U.S.C. § 1951(a). The\r\ndefendants are scheduled to be sentenced on March 12, 2026, and face a maximum penalty of 20 years in prison.\r\nA federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and\r\nother statutory factors.\r\nThe FBI Miami Field Office is leading the investigation, with assistance provided by the U.S. Secret Service.\r\nTrial Attorneys Christen Gallagher and Jorge Gonzalez of the Justice Department’s Computer Crime and\r\nIntellectual Property Section (CCIPS) and Assistant U.S. Attorneys Thomas Haggerty and Quinshawna Landon\r\nfor the Southern District of Florida are prosecuting the case. Assistant U.S. Attorney Mitchell Hyman for the\r\nSouthern District of Florida is handling asset forfeiture.\r\nCCIPS investigates and prosecutes cybercrime in coordination with domestic and international law enforcement\r\nagencies, often with assistance from the private sector. Since 2020, CCIPS has secured the conviction of over 180\r\ncybercriminals and court orders for the return of over $350 million in victim funds. \r\nSignificant assistance in this investigation was provided by Assistant U.S. Attorney Paul B. Morris for the Eastern\r\nDistrict of Texas and Assistant U.S. Attorney Daniel W.A. Peach for the Middle District of Georgia. Additional\r\nassistance was provided by the Policía de Investigación of the Aeropuerto Internacional de la Ciudad de México.\r\nPrivate sector organizations can report any suspicious activities and threats to the FBI’s National Threat\r\nOperations Center by calling 1-800-CALL-FBI (225-5324), visiting www.tips.fbi.gov or contacting their local FBI\r\nfield office.\r\nIf you are a victim of ransomware, contact your local FBI field office or file a report at ic3.gov.\r\nIf you have information about ALPHV BlackCat, their affiliates or activities, you may be eligible for a reward\r\nthrough the Department of State’s Transnational Organized Crime Rewards program\r\nhttps://www.justice.gov/opa/pr/two-americans-plead-guilty-targeting-multiple-us-victims-using-alphv-blackcat-ransomware\r\nPage 2 of 3\n\nor Rewards for Justice program\r\n. Information can be submitted through the following Tor-based tip line (Tor browser required):\r\nhe5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion.\r\nSource: https://www.justice.gov/opa/pr/two-americans-plead-guilty-targeting-multiple-us-victims-using-alphv-blackcat-ransomware\r\nhttps://www.justice.gov/opa/pr/two-americans-plead-guilty-targeting-multiple-us-victims-using-alphv-blackcat-ransomware\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.justice.gov/opa/pr/two-americans-plead-guilty-targeting-multiple-us-victims-using-alphv-blackcat-ransomware" ], "report_names": [ "two-americans-plead-guilty-targeting-multiple-us-victims-using-alphv-blackcat-ransomware" ], "threat_actors": [ { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434680, "ts_updated_at": 1775791780, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/766f3167d1b570fc5b0005e9268412836c330c51.pdf", "text": "https://archive.orkl.eu/766f3167d1b570fc5b0005e9268412836c330c51.txt", "img": "https://archive.orkl.eu/766f3167d1b570fc5b0005e9268412836c330c51.jpg" } }