{
	"id": "c1bf8ff7-e1d0-4e3c-82a5-f3fb049d5f7e",
	"created_at": "2026-04-06T01:30:59.817898Z",
	"updated_at": "2026-04-10T03:29:39.777917Z",
	"deleted_at": null,
	"sha1_hash": "f38787c00c0da4deeeccbe57f37fbccc5ba42046",
	"title": "When the Defenders Become the Attackers: Cybersecurity Experts Indicted for BlackCat Ransomware Operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97194,
	"plain_text": "When the Defenders Become the Attackers: Cybersecurity Experts\r\nIndicted for BlackCat Ransomware Operations\r\nPublished: 2025-11-03 · Archived: 2026-04-06 00:59:33 UTC\r\nThe Shocking Case That’s Rocking the Cybersecurity Industry\r\nComputer Security\r\nIn a stunning turn of events that reads like a cybercrime thriller, three former employees of cybersecurity incident\r\nresponse companies have been indicted for allegedly conducting the very ransomware attacks they were\r\nsupposedly hired to prevent. The case has sent shockwaves through an industry already grappling with questions\r\nabout the ethics of ransomware negotiation and payment facilitation.\r\nThe Accused: Insiders Turned Criminals\r\nThe defendants include Kevin Tyler Martin, 28, of Roanoke, Texas, Ryan Clifford Goldberg, 33, of Watkinsville,\r\nGeorgia, and an unnamed co-conspirator identified only as “Co-Conspirator 1” who resided in Land O’Lakes,\r\nFlorida.\r\nAccording to the indictment and FBI affidavits, Martin and Co-Conspirator 1 both worked as ransomware\r\nnegotiators at DigitalMint, a Chicago-based (River North neighborhood) cybersecurity incident response firm that\r\nhelps victims recover from ransomware attacks and, in some cases, facilitates ransom payments. Goldberg served\r\nas a director of incident response for Sygnia Cybersecurity Services, a multinational cybersecurity company where\r\nhe managed incident response operations.\r\nAntivirus \u0026 Malware\r\nfbi-affidavit-re-ransomware-negotiatorsfbi-affidavit-re-ransomware-negotiators.pdf498\r\nKB.a{fill:none;stroke:currentColor;stroke-linecap:round;stroke-linejoin:round;stroke-width:1.5px;}download-circleThe charges filed in the U.S. District Court for the Southern District of Florida are severe: conspiracy to\r\ninterfere with interstate commerce by extortion (18 U.S.C. § 1951(a)), interference with interstate commerce by\r\nextortion, and intentional damage to protected  computers (18 U.S.C. § 1030(a)(5)(A)). 
If convicted, Martin and\r\nGoldberg each face up to 20 years in prison for the extortion charges and 10 years for the  computer damage\r\ncharges, plus supervised release, fines up to $250,000 (or twice the gross gain or loss from the offense), and\r\nforfeiture of all proceeds from their criminal activity.\r\nWhat makes this case particularly troubling is the position of trust these individuals held. As ransomware\r\nnegotiators and incident responders, they had intimate knowledge of victim vulnerabilities, negotiation tactics, and\r\nthe psychological pressure points that make ransomware attacks so effective. They were the very people\r\ncompanies turned to in their most desperate hour—and they allegedly exploited that trust to identify and attack\r\nnew victims.\r\nhttps://breached.company/when-the-defenders-become-the-attackers-cybersecurity-experts-indicted-for-blackcat-ransomware-operations/\r\nPage 1 of 10\n\nindictment-of-ransomware-negotiatorsindictment-of-ransomware-negotiators.pdf384\r\nKB.a{fill:none;stroke:currentColor;stroke-linecap:round;stroke-linejoin:round;stroke-width:1.5px;}download-circle## The Alleged Crime Spree\r\nBetween May 2023 and April 2025, the defendants allegedly operated as ALPHV BlackCat affiliates,\r\nsystematically targeting companies across multiple states. The indictment filed on October 2, 2025, details a\r\ncoordinated campaign of extortion that left victims facing devastating choices between paying millions or losing\r\naccess to critical business data.\r\nThe Victims and Ransom Demands:\r\nComputer Hardware\r\nVictim 1 - Tampa Medical Device Manufacturer (May 13, 2023): Goldberg, Martin, and Co-Conspirator 1\r\nencrypted the company’s servers and demanded approximately $10 million to decrypt the data and prevent\r\npublication of stolen information. 
The attack caused immediate operational paralysis—employees living and\r\nworking in the Southern District of Florida were unable to work because their devices could not access data and\r\napplications necessary for their jobs, contributing to operational delays and lost business. Under duress, the\r\ncompany paid $1,274,781.23 in cryptocurrency. The conspirators then paid the ALPHV BlackCat administrators\r\ntheir percentage and split the remainder among themselves.\r\nVictim 2 - Maryland Pharmaceutical Company (May 2023): The group encrypted the pharmaceutical\r\ncompany’s servers and demanded a ransom payment. While the indictment doesn’t indicate whether this victim\r\npaid, the attack involved stealing sensitive data and threatening to publish it—a double extortion tactic designed to\r\nmaximize pressure on the victim.\r\nVictim 3 - California Doctor’s Office (July 2023): The conspirators encrypted the medical practice’s servers and\r\ndemanded approximately $5 million. The attack on a healthcare provider is particularly egregious, as medical\r\nfacilities often face life-or-death decisions about whether to pay ransoms to restore access to patient records and\r\noperational systems.\r\nVictim 4 - California Engineering Firm (October 2023): The group encrypted the engineering company’s\r\nservers and demanded approximately $1 million to decrypt the data and prevent data publication. Goldberg\r\nspecifically mentioned this victim in his FBI interview, acknowledging the attack though indicating they were\r\nunsuccessful in extracting payment.\r\nVictim 5 - Virginia Drone Manufacturer (November 2023): In their final documented attack, the conspirators\r\nencrypted the drone manufacturer’s servers and demanded approximately $300,000. 
As a manufacturer engaged in\r\ninterstate commerce—and potentially defense-related work—this victim’s compromise could have had broader\r\nnational security implications.\r\nThe ransom demands ranged from $300,000 to $10 million, demonstrating the group’s ability to calibrate their\r\nextortion based on the victim’s size and perceived ability to pay. According to FBI affidavits, the conspiracy\r\ncontinued until April 2025, suggesting there may be additional unreported victims.\r\nThe BlackCat Connection: A Ransomware Empire\r\nUnderstanding the scope of this case requires understanding ALPHV BlackCat itself and how the defendants\r\nintegrated into its criminal infrastructure. For more background, see our comprehensive profile of\r\nBlackCat/ALPHV ransomware and our coverage of the DOJ’s disruption campaign against the group.\r\nThe Ransomware-as-a-Service Model\r\nALPHV BlackCat operated as a sophisticated ransomware-as-a-service (RaaS) operation. In this model,\r\n“developers” created and updated the ransomware, then recruited and vetted “affiliates” who would identify and\r\nattack victims using the malware. The developers provided affiliates with the ransomware through a password-protected “panel” available on the dark web via the Tor network, customized to each affiliate.\r\nIn May 2023, Co-Conspirator 1 obtained an affiliate account on the ALPHV BlackCat panel and shared access\r\nwith Goldberg and Martin. 
This gave the trio access to BlackCat’s ransomware toolkit and criminal infrastructure.\r\nThe three conspirators agreed to use the ALPHV BlackCat ransomware and panel to attack and extort victims,\r\nsharing the ransom proceeds among themselves and paying a percentage to the ALPHV BlackCat administrators.\r\nThe Attack Methodology\r\nThe typical ALPHV BlackCat attack followed a standard pattern that the defendants replicated:\r\nThe affiliate gained unauthorized access to the victim’s network\r\nThey stole sensitive data before deploying the ransomware\r\nThey deployed the encryption malware, locking the victim out of their systems\r\nThey left a ransom note directing victims to an ALPHV BlackCat panel on the dark web\r\nVictims could communicate with the attackers through this panel to negotiate ransom\r\nOnce payment was agreed upon, the attackers provided Bitcoin or Monero cryptocurrency addresses\r\nRansom payments were split up and moved through various cryptocurrency addresses via multiple\r\ntransactions to obscure the source before cashing out to fiat currency\r\nThe Scale of BlackCat Operations\r\nAs of September 2023, ALPHV BlackCat affiliates had compromised over 1,000 entities—nearly 75 percent in the\r\nUnited States and approximately 250 outside the U.S. The operation demanded over $500 million and received\r\nnearly $300 million in ransom payments. There were over twenty ALPHV BlackCat ransomware victims in the\r\nSouthern District of Florida alone, where this case was prosecuted.\r\nThe FBI identified ALPHV/Blackcat actors as having compromised prominent government entities including\r\nmunicipal governments, defense contractors, and critical infrastructure organizations. 
The ransomware attacks\r\ncaused tens of millions in cryptocurrency ransom payments, major disruptions in ongoing operations, and large\r\nlosses of proprietary information.\r\nSince mid-December 2023, of the nearly 70 leaked victims, the healthcare sector was the most commonly\r\nvictimized—likely in response to ALPHV BlackCat administrators encouraging affiliates to target hospitals after\r\nlaw enforcement action against the group in early December 2023.\r\nHow the Investigation Unfolded\r\nOn June 17, 2025, the FBI conducted a consensual recorded interview of Ryan Clifford Goldberg. After initially\r\ndenying involvement in ransomware attacks, Goldberg confessed that he was recruited by Co-Conspirator 1 (the\r\nunnamed Florida-based DigitalMint employee) to “try and ransom some companies.”\r\nIn his confession, Goldberg admitted that he, Co-Conspirator 1, and Martin “successfully ransomed” the Tampa\r\nmedical device company (Victim 1). He also acknowledged conducting attacks on other companies, including the\r\nCalifornia engineering firm (Victim 4), though those attacks were unsuccessful. Goldberg confirmed they used\r\nALPHV BlackCat ransomware to conduct the attacks.\r\nMost damning was Goldberg’s admission about their money laundering operation. After Victim 1 paid the ransom,\r\nthey routed the cryptocurrency through a mixing service and then through multiple cryptocurrency wallets,\r\nbelieving this would make the funds harder to trace. 
Goldberg told FBI agents he conducted the attacks to get out\r\nof debt and that he feared he was “going to federal prison for the rest of [his] life.”\r\nThe investigation also revealed that Goldberg learned about the FBI’s actions against his co-conspirators.\r\nAccording to his statement, Co-Conspirator 2 (Martin) contacted him after the FBI raided Co-Conspirator 1’s\r\nhome on April 3, 2025. Martin was “freaking out about the FBI raiding [Co-Conspirator 1].”\r\nForensic analysis of devices used by Goldberg and seized pursuant to search warrant revealed digital breadcrumbs\r\nof the conspiracy. On or about May 4, 2023—approximately six days before the attack on the Maryland\r\npharmaceutical company—Goldberg used a search engine to look up Victim 2’s name. The next day, May 5, 2023,\r\nGoldberg conducted multiple internet searches, including one for Co-Conspirator 1’s name followed by “doj.gov.”\r\nCourt records show that Martin spoke at the Technology Law Conference in Austin, Texas in May 2024, where he\r\nwas described as a current DigitalMint employee explaining how he worked to negotiate ransom payments on\r\nbehalf of companies—all while allegedly having stolen more than $1 million in such an attack just a year earlier.\r\nFlight to Europe: A Desperate Escape\r\nTen days after his FBI interview, on June 27, 2025, Ryan Clifford Goldberg and his wife boarded a one-way flight\r\nfrom Atlanta, Georgia to Paris, France. The tickets were purchased just two days before travel—on June 25, 2025\r\n—suggesting a hasty departure following his confession to federal agents.\r\nAs of the date of the criminal complaint filed in September 2025, the FBI believed Goldberg and his wife were\r\nstill in Europe. 
The Bureau was unaware of any flights purchased by Goldberg to return to the United States,\r\nindicating he may be attempting to avoid prosecution by remaining overseas.\r\nThis flight to Europe adds another layer of complexity to the case and demonstrates Goldberg’s apparent\r\nconsciousness of guilt. His decision to leave the country shortly after admitting to federal crimes suggests he\r\nunderstood the severity of the charges he would face.\r\nGoldberg was eventually taken into federal custody in September 2023 and has remained detained since then,\r\nwhile Martin was released on $400,000 bond after his arrest.\r\nCompany Responses: Damage Control Mode\r\nBoth DigitalMint and Sygnia moved quickly to distance themselves from the accused.\r\nDigitalMint stated that Martin acted “completely outside the scope of his employment” and emphasized that the\r\nindictment does not allege the company had any knowledge of or involvement in the criminal activity. The\r\ncompany confirmed it has been cooperating with the investigation and noted that the charged conduct took place\r\noutside of DigitalMint’s infrastructure and systems, with the co-conspirators not accessing or compromising client\r\ndata.\r\nSygnia CEO Guy Segal confirmed that Goldberg was terminated after the company learned of his alleged\r\ninvolvement with the ransomware attacks. The company declined further comment, citing the ongoing FBI\r\ninvestigation.\r\nA Pattern of Questionable Ethics in Ransomware Recovery\r\nWhile shocking, this case is not occurring in a vacuum. 
The ransomware negotiation industry has long faced\r\nquestions about transparency and ethics—and this isn’t even the first time DigitalMint has been under federal\r\ninvestigation.\r\nThe Earlier DOJ Investigation\r\nIn July 2024, the Department of Justice launched a criminal investigation into a former DigitalMint employee over\r\nallegations that the individual secretly coordinated with BlackCat/ALPHV hackers to receive kickbacks from\r\nransom payments. That investigation, first reported by Bloomberg, focused on whether the employee violated\r\nfederal laws including conspiracy, wire fraud, and money laundering by allegedly receiving a cut of ransoms while\r\nfacilitating cryptocurrency payments to the very threat actors who conducted the attacks.\r\nThe ProPublica Exposé: A Broader Industry Problem\r\nA landmark 2019 ProPublica investigation revealed systematic deception across the ransomware recovery\r\nindustry. The investigation uncovered that prominent U.S. data recovery firms, including Proven Data Recovery\r\n(based in Elmsford, New York) and Florida-based MonsterCloud, secretly paid ransomware gangs while claiming\r\nto use proprietary “high-tech” decryption solutions—and charged clients substantial fees on top of the ransom\r\namounts.\r\nThe ProPublica investigation documented how these firms:\r\nDeceived Clients About Their Methods: Firms promised to unlock files using “the latest technology” and\r\n“proprietary software” when they were actually just paying the ransoms. 
Some firms used “canned responses”\r\noffering clients two options—pay the ransom or use the firm’s technology—when the second option didn’t\r\nactually exist.\r\nDeveloped Relationships with Hackers: Former Proven Data employee Jonathan Storfer revealed that the\r\ncompany developed such close relationships with ransomware operators like SamSam that the hackers would\r\nrecommend victims work with Proven Data. The SamSam attackers would tell victims: “If you need assistance\r\nwith this, contact Proven Data.” Storfer described having to “almost befriend” cybercriminals to negotiate better\r\nprices, maintaining a list of hackers who could supply decryption keys quickly and cheaply.\r\nUsed Aliases to Hide Their Activities: Both companies used pseudonyms for employees when communicating\r\nwith victims. Proven Data used the alias “Brad Miller” for overseas freelancers, while MonsterCloud employee\r\n“Zack Green”—who held titles including “Ransomware Recovery Expert” and “Cyber Counterterrorism\r\nExpert”—was revealed to be using an alias. When asked about this, MonsterCloud’s CEO Zohar Pinhasi said, “We\r\ngo based on aliases, because we’re dealing with cyberterrorists.”\r\nMisled Law Enforcement: Multiple police departments that hired MonsterCloud believed the firm had unlocked\r\ntheir files without paying ransoms. Chief Deputy Ward Calhoun of Mississippi’s Lauderdale County Sheriff’s\r\nOffice told ProPublica: “The danger is, even if you give money to hackers, you don’t know you’re gonna be able\r\nto unlock your data anyway. We decided we weren’t going to do that. 
We went with MonsterCloud instead.”\r\nMonsterCloud had actually paid the ransom but never disclosed it.\r\nPotentially Funded Sanctioned Entities: ProPublica traced bitcoin payments from Proven Data to SamSam\r\nransomware attackers who were later identified as Iranian nationals and indicted by the DOJ. The payments\r\ncontinued until those bitcoin wallets were sanctioned by the U.S. Treasury Department for supporting the Iranian\r\nregime. Between 2017 and 2018, Proven Data made numerous payments to SamSam, continuing until twelve days\r\nbefore the Iranian hackers were indicted in November 2018.\r\nThe FBI’s Investigation: The FBI’s 2018 investigation of Proven Data, triggered by a victim in Anchorage,\r\nAlaska, revealed the extent of the deception. An FBI affidavit stated: “Subsequent investigation by the FBI\r\nconfirmed that PDR was only able to decrypt the victim’s files by paying the subject the ransom amount.” The\r\nvictim, real estate broker Leif Herrington, had been told Proven Data had “proprietary software they developed to\r\nunencrypt” when the firm had simply paid the $1,680 ransom and charged him $6,000.\r\nIndustry-Wide Testing Exposes the Practice: Security researcher Fabian Wosar conducted “Operation Bleeding\r\nCloud” in 2016, creating fake ransomware and posing as a victim to test multiple data recovery firms. He found\r\nthat firms including MonsterCloud and Proven Data “all claimed to be able to decrypt ransomware families that\r\ndefinitely weren’t decryptable and didn’t mention that they paid the ransom. Quite the contrary actually. They all\r\nseemed very proud not to pay ransomers.” Soon after, the anonymous email addresses Wosar had set up for his\r\nimaginary attacker received offers to pay the ransom from these same firms.\r\nThe fundamental issue is this: ransomware negotiation exists in a moral gray area. 
On one hand, these\r\nprofessionals help victims recover from devastating attacks and often reduce ransom demands. On the other,\r\npaying ransoms can be seen as funding criminal activities, perpetuating the ransomware business model, and\r\npotentially financing terrorism and other forms of cybercrime.\r\nThe Current Case: History Repeating\r\nThe current indictment of Martin, Goldberg, and their co-conspirator represents an escalation—not just paying\r\nransoms secretly, but actually conducting the attacks themselves. This progression from questionable business\r\npractices to alleged criminal conspiracy demonstrates how the lack of regulation and oversight in the ransomware\r\nnegotiation industry can enable increasingly brazen misconduct.\r\nThe Insider Threat Amplified\r\nWhat makes this case particularly alarming for the cybersecurity industry is the nature of the insider threat it\r\nrepresents. These weren’t ordinary employees—they were trusted specialists with:\r\nDeep knowledge of victim psychology: Understanding exactly what pressures make victims pay\r\nTechnical expertise: Knowing how to deploy ransomware and cover their tracks\r\nAccess to victim information: Through their legitimate work, potentially identifying vulnerable targets\r\nNegotiation experience: Understanding how to extract maximum payments\r\nCryptocurrency expertise: Knowing how to receive and launder ransom payments\r\nThis case demonstrates how insider threats can emerge even in cybersecurity firms themselves. 
The defenders\r\nwho understand attack methodologies can become the most dangerous attackers.\r\nIndustry Implications and Trust Erosion\r\nThe ramifications extend far beyond these three individuals:\r\nFor Incident Response Firms: This case will likely trigger enhanced background checks, monitoring of\r\nemployee activities, and stricter controls around access to sensitive information. Trust but verify will become the\r\nnew normal.\r\nFor Victims: Organizations now face an additional layer of concern when engaging ransomware negotiators. How\r\ncan you be certain the person helping you isn’t also the one who attacked you—or won’t become your next\r\nattacker?\r\nFor the Insurance Industry: Cyber insurance carriers, already tightening ransomware coverage, may impose\r\nadditional scrutiny on approved incident response vendors.\r\nFor Law Enforcement: This case provides a template for investigating insider threats within the cybersecurity\r\nindustry itself, an area that has received relatively little attention.\r\nThe Broader Context: Ransomware’s Unstoppable Growth\r\nOver the past 18 months before December 2023, ALPHV/Blackcat emerged as the second most prolific\r\nransomware-as-a-service variant in the world based on the hundreds of millions of dollars in ransoms paid by\r\nvictims.\r\nThe FBI developed a decryption tool that allowed them to work with dozens of victims, saving multiple victims\r\nfrom ransom demands totaling approximately $68 million. 
In December 2023, the Department of Justice\r\nsuccessfully disrupted BlackCat’s operations, seizing several websites and providing decryption tools to over 500\r\nvictims.\r\nHowever, despite law enforcement disruption campaigns against major operations like LockBit and\r\nALPHV/BlackCat, a representative for BlackCat announced the group was shutting down in March 2024\r\nfollowing the Change Healthcare ransomware attack. This was likely part of a rebranding strategy common among\r\nmajor ransomware operations—when one brand becomes too hot due to law enforcement attention, operators\r\nsimply rebrand and continue.\r\nThe 2025 cybersecurity landscape shows that following these major disruptions, the ransomware ecosystem has\r\nbecome more fragmented, with 70-80 active groups now identified. While this creates a more complex threat\r\nenvironment, attacks continue at unprecedented levels—Q1 2025 saw a 126% increase in ransomware incidents\r\ncompared to Q1 2024.\r\nLegal and Ethical Questions for Negotiators\r\nThe indictment raises critical questions for the ransomware negotiation industry:\r\nShould negotiators be licensed or regulated? Currently, almost anyone can become a ransomware\r\nnegotiator. Should there be formal qualifications, background checks, or oversight?\r\nWhat level of transparency is required? Should negotiators be required to disclose when they’re paying\r\nransoms versus using other recovery methods?\r\nAre conflicts of interest adequately managed? How do firms ensure negotiators aren’t cultivating\r\nrelationships with threat actors that cross ethical lines?\r\nShould there be industry standards? Organizations like the Ransomware Task Force have proposed\r\nframeworks, but adoption remains voluntary.\r\nLessons for Organizations\r\nFor organizations relying on incident response firms, this case offers several critical lessons:\r\nVet Your Vendors Thoroughly: Don’t just look at technical capabilities. 
Examine ethical frameworks, employee\r\nvetting processes, and internal controls.\r\nUnderstand the Process: Ask explicit questions about how your incident response firm operates. Will they pay\r\nthe ransom? How do they handle negotiations? What reporting do they provide?\r\nMaintain Your Own Oversight: Even when working with external negotiators, maintain internal oversight of the\r\nprocess. Don’t outsource your responsibility entirely.\r\nPrioritize Prevention: The best ransomware defense remains strong cybersecurity hygiene: regular backups,\r\nnetwork segmentation, multi-factor authentication, and employee training.\r\nHave a Pre-Breach Plan: Identify and vet incident response partners before you need them. During a crisis is not\r\nthe time to evaluate whether you can trust your negotiator.\r\nThe Path Forward\r\nThis case should serve as a wake-up call for the cybersecurity industry. While the vast majority of incident\r\nresponders and ransomware negotiators operate ethically, the potential for abuse is real and the consequences\r\ndevastating.\r\nThe industry needs:\r\nGreater transparency about how ransomware recovery actually works\r\nProfessional standards and codes of ethics for negotiators\r\nBetter vetting of personnel in sensitive positions\r\nEnhanced monitoring to detect insider threats\r\nClear regulatory frameworks that balance victim needs with crime prevention\r\nConclusion: Trust But Verify\r\nRyan Clifford Goldberg has been in federal custody since September 2023 and remains detained pending trial.\r\nKevin Tyler Martin was released on $400,000 bond. Both have pleaded not guilty, and their trials will ultimately\r\ndetermine their guilt or innocence. 
Co-Conspirator 1, whose identity has not been publicly disclosed, has not been\r\nindicted as of the time of this writing, though the investigation remains ongoing.\r\nThe case number 25-CR-20443-MOORE/D’ANGELO in the U.S. District Court for the Southern District of\r\nFlorida is expected to take approximately five days for trial, according to court filings. The indictment was filed\r\non October 2, 2025, following a criminal complaint and FBI affidavit submitted in September 2025.\r\nRegardless of the trial outcomes, this case has already achieved one thing: it has forced the cybersecurity industry\r\nto confront uncomfortable questions about insider threats, ethical standards, and the sometimes-murky world of\r\nransomware negotiation.\r\nFor organizations facing the growing threat of ransomware, the message is clear: your defenders must be above\r\nreproach. When those who promise to protect you become the attackers themselves, everyone loses—except the\r\nransomware gangs who continue to profit from fear, desperation, and broken trust.\r\nThe cybersecurity industry must do better. The stakes are simply too high for anything less.\r\nCase Details:\r\nCase Number: 25-CR-20443-MOORE/D’ANGELO\r\nCourt: U.S. District Court, Southern District of Florida\r\nIndictment Filed: October 2, 2025\r\nCharges: 18 U.S.C. § 1951(a) (Conspiracy to Interfere with Interstate Commerce by Extortion), 18 U.S.C.\r\n§ 1951(a) (Interference with Interstate Commerce by Extortion), 18 U.S.C. 
§ 1030(a)(5)(A) (Intentional\r\nDamage to a Protected Computer)\r\nMaximum Penalties: Up to 20 years for extortion charges, 10 years for computer damage, plus fines\r\nand forfeiture\r\nAs this case develops through the legal system, it will likely establish precedents for how insider threats within\r\ncybersecurity firms are prosecuted and may lead to significant changes in how the ransomware negotiation\r\nindustry operates. Organizations should stay informed about developments and reassess their incident response\r\npartnerships accordingly.\r\nSource: https://breached.company/when-the-defenders-become-the-attackers-cybersecurity-experts-indicted-for-blackcat-ransomware-operations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://breached.company/when-the-defenders-become-the-attackers-cybersecurity-experts-indicted-for-blackcat-ransomware-operations/"
	],
	"report_names": [
		"when-the-defenders-become-the-attackers-cybersecurity-experts-indicted-for-blackcat-ransomware-operations"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439059,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f38787c00c0da4deeeccbe57f37fbccc5ba42046.pdf",
		"text": "https://archive.orkl.eu/f38787c00c0da4deeeccbe57f37fbccc5ba42046.txt",
		"img": "https://archive.orkl.eu/f38787c00c0da4deeeccbe57f37fbccc5ba42046.jpg"
	}
}