Ryan Goldberg, 40, a former incident response manager at cybersecurity firm Sygnia, and Kevin Martin, 36, a former ransomware negotiator at DigitalMint, were each sentenced to four years in federal prison for deploying ALPHV BlackCat ransomware against multiple U.S. companies between April and December 2023. Their co-conspirator, Angelo Martino, 41, of Land O’ Lakes, Florida, also a former DigitalMint ransomware negotiator, pleaded guilty in April 2026 and faces sentencing on July 9. All three men were employed in the cybersecurity industry when they committed the attacks, a fact prosecutors emphasized repeatedly at sentencing. The victims included a Florida medical device company, a Maryland pharmaceutical company, a California doctor’s office, a California engineering firm, and a Virginia drone manufacturer. Total losses across the attacks exceeded $9.5M. After successfully extorting one victim for approximately $1.2M in Bitcoin, the men split their 80% share three ways and laundered the proceeds. Goldberg fled to Europe on a one-way ticket when the FBI closed in, and was tracked through 10 countries before being arrested mid-flight from Amsterdam to Mexico City.
Both Men Worked at Cybersecurity Firms That Were Hired to Defend Against the Attacks They Were Committing
Goldberg worked as an incident response manager at Sygnia, a cybersecurity firm whose core business is helping organizations respond to and recover from cyberattacks including ransomware. Martin worked as a ransomware negotiator at DigitalMint, a company that helps ransomware victims communicate with attackers and negotiate down ransom payments. Both roles required deep knowledge of how ransomware operates, how victims respond, and what leverage attackers hold over their targets.
Prosecutors made the professional context central to their sentencing arguments. Assistant Attorney General A. Tysen Duva stated they “were supposed to be cybersecurity specialists who did good and helped businesses and people” and instead “used their high-level cyber skills to feed their greed.” Both Sygnia and DigitalMint have stated they were unaware of their employees’ activities and fired them immediately upon being notified by federal authorities. Neither company has been accused of wrongdoing.
Angelo Martino Negotiated Ransoms on Behalf of Companies He Had Already Attacked
Martino’s conduct added a layer that distinguished his case from his co-conspirators. In addition to participating in ransomware attacks alongside Goldberg and Martin, Martino used his position as a DigitalMint ransomware negotiator to take on cases involving companies he had already attacked as a BlackCat affiliate. This placed him simultaneously on both sides of the negotiation: advising victims on how to respond while sharing those same victims’ confidential information, including their internal negotiating positions and insurance policy limits, directly with the BlackCat attackers to maximize ransom payments.
According to the DOJ announcement, five of the companies Martino attacked subsequently hired DigitalMint for ransomware negotiations. DigitalMint assigned each of those negotiations to Martino. All five victims paid the ransom. Martino surrendered to U.S. Marshals in Miami in March 2026 and was released on a $500,000 bond. His sentencing on July 9 is expected to reflect the additional betrayal embedded in his negotiator role.
Ransom Demands Ranged from $300K to $10M Targeting Healthcare, Defense, and Engineering Firms
The five U.S. companies targeted included three healthcare-related organizations. The California doctor’s office had patient data leaked when it resisted payment, a tactic used to increase pressure by threatening the victim with regulatory and reputational consequences in addition to the operational disruption caused by encrypted systems. Ransom demands across the attacks ranged from $300,000 to $10M, according to court filings.
Total losses across all five targets exceeded $9.5M. Six of the 10 attacks included in the broader indictment resulted in payments totaling more than $75.25M, including two payments exceeding $25M each. Goldberg and Martin each agreed to forfeit $324,123.26 in traceable proceeds. The broader ALPHV BlackCat network, of which they were affiliates, is estimated to have collected over $300M from more than 1,000 victims globally before U.S. authorities disrupted it in December 2023.
Goldberg Fled to Paris on a One-Way Ticket and Was Arrested Flying from Amsterdam to Mexico City
Ten days after being interviewed by the FBI, Goldberg and his wife booked one-way tickets and flew from Atlanta to Paris on June 27, 2023. The FBI tracked him across Europe for nearly three months. When Goldberg flew from Amsterdam to Mexico City, he was arrested upon landing and deported to the United States. He was taken into custody on September 22 and ordered to remain in custody pending trial due to flight risk. Martin was arrested October 14 and released on a $400,000 bond. Both pleaded guilty in December 2025. FBI Assistant Director Brett Leatherman noted: “When Goldberg sought to flee abroad and escape prosecution, the FBI tracked him through 10 countries, demonstrating the lengths we will go to hold cyber criminals accountable.”
Conclusion
The Goldberg and Martin case is one of the most direct illustrations of insider betrayal in the ransomware era: professionals hired to protect organizations from attacks who used their access, knowledge, and industry relationships to execute those same attacks for profit. Martino deepened that betrayal further by sitting across the negotiating table from his own victims. The four-year sentences reflect both the financial scale of the scheme and the human cost to patients and businesses whose data was weaponized. Martino’s sentencing in July will close the active phase of a case that began when two professionals boarded a one-way flight to Paris and ended with all three facing federal prison.
