Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
30APR

IR staff pleaded guilty to using ALPHV

3 min read
08:16UTC

Ryan Goldberg worked at Sygnia. Kevin Martin negotiated ransoms at DigitalMint. Both admitted to using ALPHV/BlackCat against the organisations they were hired to defend.

TechnologyAssessed
Key takeaway

Incident-response vendor diligence now has to cover the vendor's own personnel as a threat class.

The US Department of Justice (DOJ) secured guilty pleas from two cybersecurity professionals for using the ALPHV/BlackCat ransomware family against US victims between April and December 2023 1. Ryan Goldberg, 40, worked at Israeli incident-response firm Sygnia. Kevin Martin, 36, was a ransomware negotiator at DigitalMint, a firm whose product is helping victims buy their way out of exactly this kind of attack. Both pleaded guilty to conspiracy to obstruct commerce by extortion. Sentencing was scheduled for 12 March 2026. ALPHV/BlackCat is the ransomware-as-a-service family that US Treasury previously sanctioned and that operated the Colonial Pipeline-era model of breach, encrypt and extort.

The surprise was not that external attackers compromised incident-response firms. It was that the incident responders and the negotiator used their own privileged access, including pre-existing victim relationships, to extort the organisations they were paid to help. A ransomware negotiator sits in the middle of a client's worst week: privy to the executive committee's willingness to pay, the internal assessment of what was actually encrypted, and the addresses of the wallets. Those are the data points a ransomware affiliate would otherwise spend weeks collecting.

For buyers of Incident Response (IR) services, the due-diligence conversation has now shifted. "Does this vendor have the technical skills" is no longer the difficult question. The difficult question is whether the vendor has the personnel controls, background checks, privilege segmentation and activity monitoring, to stop its own staff from using their access against the client. That is a different kind of audit than the one cyber insurance underwriters and general counsels have been running to date.

Deep Analysis

In plain English

Ransomware is a type of criminal attack where hackers lock a victim's computer files and demand money to unlock them. When this happens to a company, they often hire specialist firms: incident responders who investigate the attack, and negotiators who bargain with the criminals about the ransom amount. Ryan Goldberg worked at Sygnia, an incident response firm. Kevin Martin worked at DigitalMint, a ransomware negotiation company. Between April and December 2023, the two men conducted ransomware attacks against US businesses using a tool called ALPHV or BlackCat. They then, in some cases, appeared in a professional capacity in the aftermath. Both pleaded guilty in early 2026. The case is significant because the perpetrators were meant to be the defenders, and they used their professional access and knowledge to identify and attack targets.

Deep Analysis
Root Causes

Incident response and ransomware negotiation firms obtain pre-existing relationship access to victim organisations during legitimate engagements: they may have standing access to client networks, knowledge of backup infrastructure locations, and awareness of existing cyber insurance policy limits, all of which are operationally useful for conducting a subsequent ransomware attack.

The ransomware negotiation sector in the US has grown rapidly since 2019 with no regulatory framework. DigitalMint, where Martin worked, is a cryptocurrency payments facilitator that expanded into negotiation; Sygnia, where Goldberg worked, is a well-regarded Israeli IR firm with US operations. Neither firm had mechanisms to detect that their own employees were conducting the ransomware attacks they were subsequently paid to negotiate.

What could happen next?
  • Risk

    Any organisation that engaged incident response or ransomware negotiation services during 2023 should verify whether Goldberg or Martin had any involvement and whether those firms have audited their personnel controls following the convictions.

  • Precedent

    The convictions will drive cyber insurance underwriters to add personnel background-check and conflict-of-interest disclosure requirements to IR vendor panels, paralleling how financial services regulators require fitness-and-propriety checks for authorised persons.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

US Department of Justice· 17 Apr 2026
Read original
Causes and effects
This Event
IR staff pleaded guilty to using ALPHV
The due-diligence question on incident-response vendors shifts from technical capability to personnel controls.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.