Cybersecurity Professionals Sentenced for BlackCat Ransomware Attacks: What It Means for the Industry

Christopher Porter Training Camp

On April 30, 2026, two cybersecurity professionals were sentenced to four years in federal prison. Not for failing to stop an attack. For launching one. Ryan Goldberg, a former incident response manager, and Kevin Martin, a former ransomware negotiator, spent months deploying BlackCat ransomware against U.S. companies while simultaneously holding jobs at firms that were supposed to protect those same kinds of companies. They extorted a medical practice. They leaked patient data to force payment. They split $1.2 million in Bitcoin between themselves and a third accomplice.

I have been running Training Camp for over two decades. We have trained nearly 100,000 certification candidates. And I cannot recall a story that cuts closer to the uncomfortable truth about our industry: the same skills that make someone a great defender make them a dangerous attacker. The only difference is the decision they make about which side of the line to stand on.

The people who broke into those networks weren’t script kiddies or foreign operatives. They were credentialed, experienced cybersecurity professionals with incident response backgrounds.

What Happened in the BlackCat Insider Case

The Department of Justice announcement lays it out plainly. Between April and December 2023, Goldberg, Martin, and a third co-conspirator named Angelo Martino became affiliates of the ALPHV/BlackCat ransomware operation. All three worked in cybersecurity. Goldberg was an incident response manager at Sygnia, a well-known IR firm. Martin was a ransomware negotiator at DigitalMint. Martino worked as a ransomware negotiator too and fed insider information to the group to inflate ransom demands.

They used ALPHV’s ransomware as a service platform, paid the developers a 20% cut, and kept the rest. Their victims included engineering firms and medical practices across the United States. In one case they extorted roughly $1.2 million in Bitcoin from a single target. When a doctor’s office refused to pay, they leaked patient records onto the dark web.

The DOJ emphasized something unusual in its press release. It pointed out that all three men “had special skills and experience in securing computer systems against harm, including the type of harm they themselves were committing against the victims in this case.” That phrasing was deliberate. Prosecutors wanted everyone to understand these were not outsiders. They were insiders who weaponized their expertise.

Goldberg apparently knew the walls were closing in. After the FBI disrupted the BlackCat network in December 2023, he fled through ten countries before agents caught him in Mexico City. Martin was arrested in Texas. Both pleaded guilty in December 2025 and were sentenced on April 30, 2026. Martino pleaded guilty in April 2026 and awaits sentencing in July.

Why This Case Should Concern Every Cybersecurity Employer

I fly airplanes. In aviation, we have a concept called the insider threat model. Every person with access to the flight deck has been screened, trained, checked, and rechecked. But the entire security architecture still accounts for the possibility that someone inside the cockpit could become the danger. Cybersecurity has been slower to accept that same reality.

Think about what an incident response professional knows. They know what forensic artifacts get left behind and which ones can be cleaned up. They know how SIEMs work, what triggers alerts, and what flies under the radar. They know how to maintain operational security because they’ve spent careers teaching clients about it. Give that knowledge to someone willing to cross the line and you have an attacker who is extremely difficult to catch.

The FBI eventually caught them anyway. The cryptocurrency transactions were traceable. The communications with BlackCat infrastructure were recoverable. Goldberg’s ten-country run ended at a hotel in Mexico City. But the damage was already done. Over a thousand organizations were hit by ALPHV BlackCat globally, and these three men contributed to that total while collecting paychecks from companies that trusted them.

The FBI’s Special Agent in Charge said something worth repeating after the sentencing. He urged businesses to “exercise due diligence when engaging third parties for ransomware incident response, report suspicious or unethical behavior, and expeditiously report any ransomware attack to the FBI.” That first part about due diligence is the one that should keep CISOs up at night.

What This Means for Cybersecurity Careers and Hiring

If you’re building a career in cybersecurity, this case matters to you even if you would never consider crossing that line. It matters because it will change how employers vet candidates, how organizations structure access controls around their security teams, and how the industry thinks about trust.

Background checks for security roles are going to get more thorough. Continuous monitoring of privileged users, including the security team itself, is going to become standard practice rather than an uncomfortable conversation nobody wants to have. Organizations that hire third-party IR firms will demand more transparency about who exactly is touching their systems during an incident. All of these things add friction to the hiring process and the job itself. But cases like this make the friction necessary.

For people working in SOC analyst roles or aspiring to incident response positions, there’s a practical takeaway here. Your reputation is your career. Cybersecurity is a smaller community than it looks from the outside. People talk. Firms share information about bad actors. And as this case proves, federal prosecutors have gotten very good at tracing cryptocurrency and piecing together digital evidence. Four years in federal prison and a permanent criminal record is the price Goldberg and Martin paid for roughly $400,000 each. That math doesn’t work for anyone with a functioning sense of self-preservation.

The Ransomware as a Service Problem Isn’t Going Away

ALPHV/BlackCat was one of the most destructive ransomware operations in recent history. Before the FBI disrupted it in December 2023, the group had hit over 1,000 victims worldwide and collected at least $300 million in ransom payments. The FBI’s disruption saved victims roughly $99 million by providing decryption tools, but the damage was enormous. The February 2024 attack on Change Healthcare alone resulted in 6 terabytes of stolen health data and a $22 million ransom payment from UnitedHealth Group.

The ransomware as a service model is what made the Goldberg and Martin situation possible. RaaS lowers the barrier to entry. You don’t need to build ransomware from scratch. You don’t need to maintain infrastructure or run a leak site. You sign up, deploy the tool against a target, and split the proceeds with the developers. For cybersecurity professionals who already know how to find vulnerabilities and move through networks, RaaS turns malicious intent into operational capability with almost no technical overhead.

That’s what makes this case different from the usual ransomware story. The technical barrier was already gone courtesy of RaaS. And the knowledge barrier was gone because these guys literally did incident response for a living. The only barrier left was ethical, and they cleared that one willingly.

How Organizations Should Respond

If you run a security team or hire third-party incident response firms, this case should trigger a review of your vetting processes. Not because most cybersecurity professionals are potential criminals. They’re not. The overwhelming majority of people in this industry chose it because they want to protect organizations and people. But the same logic applies here that applies everywhere else in security: trust, but verify. CISA’s Stop Ransomware guidance covers organizational defenses, but it assumes the threat is external. This case shows why internal controls matter just as much.

Vet your IR providers the same way you’d vet any vendor with privileged access to your environment. Ask who specifically will be on the engagement. Run background checks. Require that IR personnel operate under the same monitoring and access controls as your internal staff. And build your incident response retainer agreements with provisions that address what happens if the responders themselves become compromised or act maliciously.

Internally, apply the principle of least privilege to your security team just as rigorously as you apply it to everyone else. SOC analysts don’t need domain admin credentials. IR team members don’t need persistent access to systems they’re not actively investigating. These are basic hygiene items that too many organizations skip because the security team is “trusted.” Goldberg and Martin were trusted too.
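One way to check the two rules above (no domain admin for SOC analysts, no privileged IR access outside an active investigation) is a periodic audit of access grants against the open case list. This is an added example, not code from the article; the grant record layout, account names, hostnames and case IDs are constructed assumptions.

```python
from datetime import date

# Constructed sample data (hypothetical names, hosts and case IDs).
OPEN_CASES = {
    "IR-2041": {"staff": {"avery"}, "systems": {"fs01", "mail02"}},
}
GRANTS = [
    # (user, team, system, privilege, expires, case_id)
    ("avery", "ir", "fs01", "local-admin", date(2026, 5, 20), "IR-2041"),
    ("avery", "ir", "db07", "local-admin", date(2026, 5, 20), "IR-2041"),
    ("blake", "ir", "mail02", "local-admin", None, "IR-1990"),
    ("casey", "soc", "*", "domain-admin", None, None),
    ("devon", "soc", "siem01", "read-only", None, None),
]
PRIVILEGED = {"local-admin", "domain-admin"}


def audit_grant(grant, open_cases, today):
    """Return the list of least-privilege violations for one grant."""
    user, team, system, privilege, expires, case_id = grant
    if privilege not in PRIVILEGED:
        return []
    reasons = []
    if privilege == "domain-admin" and team == "soc":
        reasons.append("SOC analyst holds domain admin")
    if expires is None:
        reasons.append("privileged access has no expiry")
    elif expires < today:
        reasons.append("grant expired but still present")
    case = open_cases.get(case_id)
    if case is None:
        reasons.append("not tied to an open investigation")
    elif user not in case["staff"]:
        reasons.append("user not assigned to the case")
    elif system not in case["systems"]:
        reasons.append("system outside the case scope")
    return reasons


def audit(grants, open_cases, today):
    """Map (user, system) to its violations, omitting clean grants."""
    findings = {}
    for grant in grants:
        reasons = audit_grant(grant, open_cases, today)
        if reasons:
            findings[(grant[0], grant[2])] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in audit(GRANTS, OPEN_CASES, date(2026, 5, 1)).items():
        print(key, "->", "; ".join(reasons))
```

In practice the grant list would come from the directory or PAM export and the case list from the ticketing system, with the same checks applied to third-party IR accounts.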

🔒 Practical Steps After the BlackCat Insider Case

VET IR VENDORS

Require named personnel on engagements. Run background checks on individuals, not just companies. Ask how the firm monitors its own employees’ activity during incident response work.

LEAST PRIVILEGE

Apply access controls to the security team. SOC analysts and IR staff should operate under the same monitoring and access restrictions as everyone else. Persistent privileged access for security personnel is a risk, not a perk.

CRYPTO AWARENESS

Understand that cryptocurrency is traceable. The FBI traced Bitcoin payments across wallets and international borders. The myth that crypto provides anonymity should have died years ago. It clearly hasn’t, because these defendants relied on it.

REPORT IT

Report unethical behavior immediately. If you see a colleague doing something suspicious, say something. The FBI specifically called this out. The earlier bad actors are identified, the less damage they can do.

Ethics Aren’t Optional in Cybersecurity Careers

Every major cybersecurity certification includes an ethics component. ISC2 has its Code of Ethics. ISACA has its Professional Ethics. CompTIA’s Security+ and CySA+ exams test candidates on ethical conduct and legal requirements. These sections get treated as the easy points on exam day, the questions you breeze through on your way to the technical material. This case is a reminder that those ethics sections exist for a reason.

Goldberg and Martin had the credentials. They had the experience. They had the skills. What they did not have was the professional integrity that separates a cybersecurity professional from a cybercriminal who happens to know how networks work. That distinction is not academic. It is the whole point.

For anyone getting started in cybersecurity, pay attention to that ethics material. Not because it will be on the exam, though it will. Pay attention because the industry is watching cases like this very carefully, and the standards for who gets trusted with privileged access are going to get higher. That’s a good thing, even if it makes the path a little harder.

🎯 What to Take Away

The BlackCat insider case is uncomfortable because it forces the cybersecurity industry to look inward. Two trained, credentialed professionals decided to attack the organizations they were supposed to protect. They got caught, and they’re spending four years in prison for it. If you’re an employer, vet everyone with privileged access, including and especially your security team. And if you’re building a career in this field, remember that skills open doors, but integrity is what keeps you on the right side of them. The certifications, the training, the career advancement, none of it means anything if you can’t be trusted with the access those things provide.

Frequently Asked Questions

Who were the cybersecurity professionals sentenced in the BlackCat ransomware case?

Ryan Goldberg, a 40-year-old former incident response manager from Georgia, and Kevin Martin, a 36-year-old former ransomware negotiator from Texas, were each sentenced to four years in federal prison on April 30, 2026. A third co-conspirator, Angelo Martino, pleaded guilty in April 2026 and awaits sentencing in July.

What is ALPHV/BlackCat ransomware?

ALPHV, also known as BlackCat, was a ransomware as a service operation that targeted over 1,000 victims worldwide and collected at least $300 million in ransom payments before the FBI disrupted it in December 2023. Affiliates would deploy the ransomware against targets and split ransom proceeds with the developers.

How did incident response professionals become ransomware attackers?

The ransomware as a service model removed the technical barriers. Goldberg and Martin already had deep knowledge of how organizations detect and respond to attacks from their day jobs. They signed up as BlackCat affiliates, deployed the ransomware against U.S. companies, and used their professional knowledge to avoid detection while collecting ransom payments.

What does this case mean for cybersecurity hiring and vetting?

Organizations should expect more rigorous background checks for security roles, continuous monitoring of privileged security staff, and stricter vetting of third-party IR firms. The FBI specifically urged businesses to exercise due diligence when engaging third parties for incident response.

How were the BlackCat insider attackers caught?

The FBI traced Bitcoin transactions across wallets and international borders. When the Bureau disrupted BlackCat’s infrastructure in December 2023, investigators were able to identify the affiliates. Goldberg fled through ten countries before being arrested in Mexico City. Martin was arrested in Texas.

Do cybersecurity certifications cover ethics and legal requirements?

Yes. ISC2’s CISSP includes a Code of Ethics requirement, ISACA certifications require adherence to Professional Ethics standards, and CompTIA Security+ and CySA+ exams both test candidates on ethical conduct, legal frameworks, and professional responsibilities. These components exist specifically because the skills taught in cybersecurity training can be misused.

Christopher Porter

CEO | Training Camp

Christopher D. Porter is a dynamic marketing executive and visionary leader, celebrated as an early adopter of internet technologies for innovative lead generation strategies. Continuing his career as the CEO of one of the leading IT and Cybersecurity Certification Training companies, he has consistently harnessed digital innovation to drive business growth and market transformation.