Cybersecurity: Threats and Defences
17 Apr, 13:56 UTC

IR staff pleaded guilty to using ALPHV

Ryan Goldberg worked at Sygnia. Kevin Martin negotiated ransoms at DigitalMint. Both admitted to using ALPHV/BlackCat against the organisations they were hired to defend.

Key takeaway

Incident-response vendor diligence now has to cover the vendor's own personnel as a threat class.

The US Department of Justice (DOJ) secured guilty pleas from two cybersecurity professionals for using the ALPHV/BlackCat ransomware family against US victims between April and December 2023 [1]. Ryan Goldberg, 40, worked at Israeli incident-response firm Sygnia. Kevin Martin, 36, was a ransomware negotiator at DigitalMint, a firm whose product is helping victims buy their way out of exactly this kind of attack. Both pleaded guilty to conspiracy to obstruct commerce by extortion. Sentencing was scheduled for 12 March 2026. ALPHV/BlackCat is the ransomware-as-a-service family that US Treasury previously sanctioned and that operated the Colonial Pipeline-era model of breach, encrypt and extort.

The surprise was not that external attackers compromised incident-response firms. It was that the incident responders and the negotiator used their own privileged access, including pre-existing victim relationships, to extort the organisations they were paid to help. A ransomware negotiator sits in the middle of a client's worst week: privy to the executive committee's willingness to pay, the internal assessment of what was actually encrypted, and the addresses of the wallets. Those are the data points a ransomware affiliate would otherwise spend weeks collecting.

For buyers of Incident Response (IR) services, the due-diligence conversation has now shifted. "Does this vendor have the technical skills?" is no longer the difficult question. The difficult question is whether the vendor has the personnel controls (background checks, privilege segmentation and activity monitoring) to stop its own staff from using their access against the client. That is a different kind of audit from the one cyber insurance underwriters and general counsels have been running to date.

Deep Analysis

In plain English

Ransomware is a type of criminal attack where hackers lock a victim's computer files and demand money to unlock them. When this happens to a company, they often hire specialist firms: incident responders who investigate the attack, and negotiators who bargain with the criminals about the ransom amount. Ryan Goldberg worked at Sygnia, an incident response firm. Kevin Martin worked at DigitalMint, a ransomware negotiation company. Between April and December 2023, the two men conducted ransomware attacks against US businesses using a tool called ALPHV or BlackCat. They then, in some cases, appeared in a professional capacity in the aftermath. Both pleaded guilty in early 2026. The case is significant because the perpetrators were meant to be the defenders, and they used their professional access and knowledge to identify and attack targets.

Root Causes

Incident response and ransomware negotiation firms obtain pre-existing relationship access to victim organisations during legitimate engagements: they may have standing access to client networks, knowledge of backup infrastructure locations, and awareness of existing cyber insurance policy limits, all of which are operationally useful for conducting a subsequent ransomware attack.

The ransomware negotiation sector in the US has grown rapidly since 2019 with no regulatory framework. DigitalMint, where Martin worked, is a cryptocurrency payments facilitator that expanded into negotiation; Sygnia, where Goldberg worked, is a well-regarded Israeli IR firm with US operations. Neither firm had mechanisms to detect that their own employees were conducting the ransomware attacks they were subsequently paid to negotiate.

What could happen next?

  • Risk: Any organisation that engaged incident response or ransomware negotiation services during 2023 should verify whether Goldberg or Martin had any involvement and whether those firms have audited their personnel controls following the convictions.

  • Precedent: The convictions will drive cyber insurance underwriters to add personnel background-check and conflict-of-interest disclosure requirements to IR vendor panels, paralleling how financial services regulators require fitness-and-propriety checks for authorised persons.

First Reported In


US Department of Justice · 17 Apr 2026
Different Perspectives

CISA and FBI (US government)
CISA added nine KEV CVEs, confirmed Volt Typhoon in US CNI, and lost its counter-ransomware initiative under prior cuts; the FY27 budget proposes a further $707m cut and 860 jobs. An FBI official confirmed Salt Typhoon at 200+ companies across 80 countries is 'still very, very much ongoing'.

NCSC (UK)
NCSC published attribution-backed advisories naming GRU Unit 26165 for SOHO router DNS hijacking and co-issued warnings with Dutch AIVD on FSB, APT31, and IRGC messaging-app targeting, in the same month the UK Cyber Security and Resilience Bill cleared its Public Bill Committee. The ICO's £14m Capita fine now treats NCSC guidance as the enforceable GDPR technical baseline.

European Commission
The Commission published draft Cyber Resilience Act implementation guidance on 3 March with manufacturer reporting obligations beginning 11 September 2026, while running infringement proceedings against EU member states that have not transposed NIS2. Only 14 of 27 states had fully transposed by mid-2025; Germany's post-transposition registration compliance sat at roughly one-third.

Russian foreign ministry (GRU posture)
The Russian foreign ministry has issued no formal response to the NCSC advisory attributing the SOHO router DNS-hijacking campaign to GRU Unit 26165; its standard position is that Western attribution claims are politically motivated fabrications. Russia denies state sponsorship of any offensive cyber operations against NATO infrastructure.

People's Republic of China
Tsinghua University's Center for International Security and Strategy characterised US Volt Typhoon 'sabotage pre-positioning' assessments as misrepresenting standard state signals intelligence, framing the attribution narrative as a US strategic communication exercise rather than a conclusion grounded in confirmed adversary intent. Beijing formally denies state involvement in Salt Typhoon and Volt Typhoon.

Handala
Handala publicly claimed the Stryker MDM wipe as retaliation for a February 2026 Iranian school missile strike, asserting 200,000 devices wiped and 50 terabytes exfiltrated. The public framing positions the operation as proportionate non-lethal retaliation, a characterisation no Western agency has formally attributed to IRGC command-and-control.