Cybersecurity: Threats and Defences
29 May

IR staff pleaded guilty to using ALPHV

3 min read
14:17 UTC

Ryan Goldberg worked at Sygnia. Kevin Martin negotiated ransoms at DigitalMint. Both admitted to using ALPHV/BlackCat against the organisations they were hired to defend.

Key takeaway

Incident-response vendor diligence now has to cover the vendor's own personnel as a threat class.

The US Department of Justice (DOJ) secured guilty pleas from two cybersecurity professionals for using the ALPHV/BlackCat ransomware family against US victims between April and December 2023 [1]. Ryan Goldberg, 40, worked at Israeli incident-response firm Sygnia. Kevin Martin, 36, was a ransomware negotiator at DigitalMint, a firm whose product is helping victims buy their way out of exactly this kind of attack. Both pleaded guilty to conspiracy to obstruct commerce by extortion. Sentencing was scheduled for 12 March 2026. ALPHV/BlackCat is the ransomware-as-a-service family that US Treasury previously sanctioned and that operated the Colonial Pipeline-era model of breach, encrypt and extort.

The surprise was not that external attackers compromised incident-response firms. It was that the incident responders and the negotiator used their own privileged access, including pre-existing victim relationships, to extort the organisations they were paid to help. A ransomware negotiator sits in the middle of a client's worst week: privy to the executive committee's willingness to pay, the internal assessment of what was actually encrypted, and the addresses of the wallets. Those are the data points a ransomware affiliate would otherwise spend weeks collecting.

For buyers of Incident Response (IR) services, the due-diligence conversation has now shifted. "Does this vendor have the technical skills?" is no longer the difficult question. The difficult question is whether the vendor has the personnel controls (background checks, privilege segmentation and activity monitoring) to stop its own staff from using their access against the client. That is a different kind of audit from the one cyber insurance underwriters and general counsels have been running to date.

Deep Analysis

In plain English

Ransomware is a type of criminal attack where hackers lock a victim's computer files and demand money to unlock them. When this happens to a company, they often hire specialist firms: incident responders who investigate the attack, and negotiators who bargain with the criminals about the ransom amount. Ryan Goldberg worked at Sygnia, an incident response firm. Kevin Martin worked at DigitalMint, a ransomware negotiation company. Between April and December 2023, the two men conducted ransomware attacks against US businesses using a tool called ALPHV or BlackCat. They then, in some cases, appeared in a professional capacity in the aftermath. Both pleaded guilty in early 2026. The case is significant because the perpetrators were meant to be the defenders, and they used their professional access and knowledge to identify and attack targets.

Root Causes

Incident response and ransomware negotiation firms gain access to victim organisations during legitimate engagements, and that access often outlives the engagement: they may hold standing accounts on client networks, know where backup infrastructure sits, and know the limits of the client's cyber insurance policy, all of which are operationally useful for conducting a subsequent ransomware attack.
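The control implied by the paragraph above is a standing-access review: every third-party responder account should map to an engagement with a start date, an end date and a resource scope, and any activity outside that envelope should be escalated. The script below is an added example written for this briefing; it is not code from the DOJ filing, Sygnia or DigitalMint, and the engagement records, account names, resource tags and log lines are all constructed for illustration.

```python
"""Review third-party responder account activity against engagement windows.

Added example for this briefing. Engagement records, account names,
resource tags and the access-log lines are constructed, not real data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Engagement:
    account: str        # vendor account provisioned for the engagement
    start: datetime     # first moment the account may be used
    end: datetime       # last moment the account may be used
    scope: frozenset    # resource tags the statement of work covers


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form 2023-05-12T09:15:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed engagement register: one IR engagement, one negotiation engagement.
ENGAGEMENTS = {
    "ir-vendor-a": Engagement(
        "ir-vendor-a", _ts("2023-05-01T00:00:00Z"), _ts("2023-05-31T23:59:59Z"),
        frozenset({"edr-console", "siem"})),
    "negotiator-b": Engagement(
        "negotiator-b", _ts("2023-06-10T00:00:00Z"), _ts("2023-06-20T23:59:59Z"),
        frozenset({"case-file"})),
}

# Constructed access-log lines: timestamp, account, resource tag, action.
ACCESS_LOG = """\
2023-05-12T09:15:00Z ir-vendor-a edr-console read
2023-05-20T14:02:00Z ir-vendor-a backup-vault list
2023-06-14T11:30:00Z negotiator-b case-file read
2023-06-15T08:45:00Z negotiator-b insurance-policy read
2023-07-03T22:10:00Z ir-vendor-a siem read
2023-08-01T03:00:00Z contractor-z backup-vault read
"""


def parse_log(text: str) -> list:
    """Turn whitespace-separated log lines into event dicts with aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, resource, action = line.split()
        events.append({"ts": _ts(ts), "account": account,
                       "resource": resource, "action": action})
    return events


def review_vendor_access(engagements: dict, events: list) -> list:
    """Return one finding per event that a standing-access review should escalate.

    Three conditions are checked in order: the account has no engagement on
    record at all; the event falls outside the engagement window; the resource
    is outside the engagement's agreed scope (for example backup infrastructure
    or the insurance policy touched by a negotiation account).
    """
    findings = []
    for ev in events:
        eng = engagements.get(ev["account"])
        if eng is None:
            reason = "no_engagement_on_record"
        elif not (eng.start <= ev["ts"] <= eng.end):
            reason = "outside_engagement_window"
        elif ev["resource"] not in eng.scope:
            reason = "out_of_scope_resource"
        else:
            continue  # in window and in scope: nothing to escalate
        findings.append({"ts": ev["ts"].isoformat(), "account": ev["account"],
                         "resource": ev["resource"], "reason": reason})
    return findings


def reasons_by_account(findings: list) -> dict:
    """Group finding reasons per account, preserving log order, for the review report."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["account"], []).append(f["reason"])
    return grouped


if __name__ == "__main__":
    for finding in review_vendor_access(ENGAGEMENTS, parse_log(ACCESS_LOG)):
        print(finding)
```

On the constructed log the review flags four of six events: the IR account listing the backup vault (in window but out of scope), the negotiation account reading the insurance policy (same), the IR account still querying the SIEM a month after the engagement ended, and an account with no engagement on record at all. The point of the scope check is that an in-window, in-scope event from a responder looks identical to an in-window event against the backup vault unless the engagement register records what the statement of work actually covers.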

The ransomware negotiation sector in the US has grown rapidly since 2019 with no regulatory framework. DigitalMint, where Martin worked, is a cryptocurrency payments facilitator that expanded into negotiation; Sygnia, where Goldberg worked, is a well-regarded Israeli IR firm with US operations. Neither firm had mechanisms to detect that their own employees were conducting the ransomware attacks they were subsequently paid to negotiate.

What could happen next?
  • Risk

    Any organisation that engaged incident response or ransomware negotiation services during 2023 should verify whether Goldberg or Martin had any involvement and whether those firms have audited their personnel controls following the convictions.

  • Precedent

    The convictions will drive cyber insurance underwriters to add personnel background-check and conflict-of-interest disclosure requirements to IR vendor panels, paralleling how financial services regulators require fitness-and-propriety checks for authorised persons.

First Reported In

US Department of Justice · 17 Apr 2026
Causes and effects

The due-diligence question on incident-response vendors shifts from technical capability to personnel controls.
Different Perspectives

Google Threat Intelligence Group
GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.

Enterprise security buyers / CISO community
For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.

DSIT / UK Government
DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.

GitHub / Microsoft
GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.

Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.

Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.