When the firefighter starts the fire: IR professionals who joined BlackCat
On April 30, 2026, Ryan Goldberg and Kevin Martin were each sentenced to four years in federal prison. The charges: conspiracy to obstruct commerce through extortion, in connection with ransomware attacks carried out in 2023. Both men were cybersecurity professionals. Both had worked for established firms in the incident response space. And both had decided, at some point during their careers, that the money was better on the other side.
A third co-conspirator, Angelo Martino, who had separately pleaded guilty to passing confidential client information to BlackCat/ALPHV while working as a ransomware negotiator, is scheduled for sentencing in July. Together, the three represent something the industry rarely discusses openly: the insider threat that comes not from a disgruntled sysadmin or a careless contractor, but from people who were specifically hired because they understood how attacks work.

That understanding, it turns out, is exactly what made them useful to the gang.
The case, reconstructed
The facts, as laid out in Department of Justice press releases and subsequent reporting, are worth stating plainly before we get into what they mean.
Between April and December 2023, Goldberg, Martin, and a third co-conspirator became affiliates of the ALPHV/BlackCat ransomware-as-a-service operation. The arrangement was standard for the RaaS model: affiliates handle the targeting and deployment, while the developers take a 20% cut of any ransom received in exchange for access to the ransomware infrastructure and extortion platform. The remaining 80% goes to the affiliates, to split however they like.
The three men deployed BlackCat against multiple US-based victims. In one case, they successfully extorted approximately $1.2 million in Bitcoin, which they divided three ways and laundered through various means. The DOJ noted, with some emphasis, that “all three men worked in the cybersecurity industry, meaning that they had special skills and experience in securing computer systems against harm, including the type of harm they themselves were committing against the victims in this case.”
Martino’s role was somewhat different and, in its own way, more disturbing. While employed by a Chicago-based incident response firm called DigitalMint, he worked as a ransomware negotiator on behalf of five victim organisations. During that time, according to the DOJ’s statement on his guilty plea, he provided BlackCat operators with confidential information about those clients: specifically, their insurance policy limits and their internal negotiation positions. BlackCat used that information to calibrate their demands and maximise payouts. Martino was paid for his collaboration.
Goldberg had been employed by Sygnia, the Israeli cybersecurity firm. Martin and Martino had both worked for DigitalMint. Both employers stated they had cooperated fully with law enforcement, that the employees had been terminated, and that their clients had not been directly affected. Those are the right things to say. They are also, in a sense, beside the point.
The access problem nobody wants to name
Incident response professionals occupy a position that is structurally unusual in any organisation they touch. They arrive during a crisis, are granted broad access to logs, endpoints, network traffic, and often to sensitive business data, and they are trusted to exercise that access with discretion. The entire engagement model is built on the assumption that the person holding the forensic image is not going to use it against you.
That assumption is not unreasonable. Most IR professionals are exactly what they appear to be: technically skilled people who find the work genuinely interesting and who take the ethical dimension of it seriously. The problem is that the assumption is also almost entirely unverified. As Daniel Tobok, CEO of Cypfer, observed in commentary on the Martino case, the negotiator had too much access to financial data and payment processes, which is what allowed him to pass specific information to BlackCat. His recommendation, which sounds obvious in retrospect, is that there should be a clear separation between the person doing the negotiations and the process of payment.
That separation did not exist. It rarely does. The IR engagement model often consolidates negotiation, forensics, and payment facilitation under a single firm, sometimes under a single individual, because clients under stress want a single point of contact who can handle everything. The efficiency argument is real. So is the conflict of interest it creates.
Think about what an IR professional actually has access to during a ransomware engagement. They can see the full scope of the compromise, which tells them how much leverage the attacker has. They often know the victim’s cyber insurance coverage, because it affects the negotiation ceiling. They understand the victim’s internal decision-making process, including the threshold at which management would rather pay than fight. They have visibility into which systems are most critical and which data would be most damaging if published. Every one of those pieces of information is precisely what a ransomware operator needs to maximise the ransom.
The Martino case is the clearest example of this being exploited deliberately. But even without deliberate betrayal, the structural concentration of that information in a single external party creates a surface that is much larger than most organisations realise when they sign the retainer agreement.
I have written before about what slows down incident response and about the always-on shift in DFIR practice. Both of those pieces assume that the responders are on your side. This case is a reminder that the assumption itself requires maintenance.
What the logs would have said
There is something almost poetic, in a grim way, about the forensic angle here. Incident response professionals are, among other things, people who read logs for a living. They know what suspicious activity looks like in a SIEM. They know which artefacts get left behind and which can be cleaned up. They know how to maintain operational security, because they have spent careers teaching clients about it.
Which means they also knew, presumably, that their own activities were leaving traces. The DOJ investigation involved the FBI Miami Field Office, with assistance from the US Secret Service, and clearly produced enough evidence to support guilty pleas from all three defendants. The cryptocurrency transactions were traceable. The communications between the conspirators and the BlackCat infrastructure were recoverable. The pattern of Martino’s information leaks could be correlated with subsequent changes in BlackCat’s negotiation behaviour toward his clients.
None of this is surprising if you know how ransomware investigations work. The irony is that these three men knew exactly how ransomware investigations work, and proceeded anyway. Whether that reflects overconfidence, financial desperation, ideological drift, or something else entirely is not clear from the public record. What is clear is that the knowledge that makes someone a good IR professional does not confer immunity from the cognitive biases that lead people to underestimate their own exposure.
The logs always tell a story. Sometimes the person who wrote the log analysis playbook ends up in it.
The structural conflict of interest in the IR industry
The Martino case is not an isolated failure of individual ethics. It points to something more structural: the ransomware response industry has grown very quickly, under significant financial pressure, in a market where the incentives are not always well-aligned.
Consider the economics. A ransomware negotiator typically earns a percentage of the ransom paid, or a flat fee that scales with the complexity of the engagement. That fee is often contingent on resolution, which in practice means payment. The negotiator’s financial interest is not perfectly aligned with the victim’s interest in paying as little as possible, or ideally nothing at all. This is not unique to cybersecurity; similar conflicts exist in other advisory relationships. But in the ransomware context, the stakes are higher and the oversight is weaker.
The RaaS model that BlackCat operated under is itself a form of structured incentive misalignment at scale. The gang targeted more than 1,000 victims before the FBI disrupted its infrastructure in late 2023, offering affiliates a generous revenue split in exchange for handling the operational risk of deployment. That model is explicitly designed to attract people with the skills to execute attacks, and it pays well enough to compete with legitimate employment.
The question of what draws people across that line is genuinely complicated. The DOJ’s framing, that these defendants “used their sophisticated cybersecurity training and experience to commit ransomware attacks, the very type of crime that they should have been working to stop,” carries a moral weight that is appropriate. It also somewhat sidesteps the structural conditions that make the transition possible. The skills are genuinely portable. The financial gap between legitimate IR work and affiliate ransomware revenue can be significant. The perceived risk of detection, at least until it materialises, may feel manageable to someone who understands how investigations work.
None of that is an excuse. It is, however, a description of a problem that the industry has not taken seriously enough. The privileged access question that dominates internal security discussions applies with equal force to external responders. Least privilege, separation of duties, and monitoring of access are not just principles for employees. They are principles for anyone who touches your systems during a crisis.
What this means for vetting and trust in IR engagements
The practical implications of this case are uncomfortable to enumerate, because they push against the way the industry currently operates. But they are worth stating.
The first implication is that background checks for IR professionals need to be more rigorous than they typically are. This is not a novel observation in the security industry, but it has historically been applied more to government and cleared contractor contexts than to commercial IR firms. The Goldberg, Martin, and Martino case suggests that the commercial IR market has a gap here. Sygnia and DigitalMint both appear to have acted in good faith, but neither detected the activities of their respective employees until law enforcement became involved.
The second implication is structural: the consolidation of negotiation, forensics, and payment facilitation under a single engagement model creates a concentration of sensitive information that should be treated as a risk in its own right. Tobok’s recommendation of separation between negotiation and payment is a start. More broadly, organisations should consider whether the single-vendor IR model that offers convenience in a crisis also creates a single point of failure for trust.
The third implication concerns monitoring. It is deeply ironic to suggest that IR firms should monitor their own professionals the way they advise clients to monitor privileged users. It is also correct. The same principle that zero trust architectures apply to internal users applies here: trust should be continuous and verified, not extended once at the point of hiring and then assumed indefinitely.
The fourth implication is about transparency in the engagement model itself. Victims engaging IR firms during a ransomware incident should ask explicit questions about how client information is handled, who has access to insurance and financial data, and what controls exist to prevent that information from being used against them. These are not comfortable questions to ask when the attackers are already in your network and the clock is running. They are, however, the right questions.
The ethics of a profession built on asymmetric knowledge
There is a broader point here that goes beyond the specific mechanics of this case. Incident response is a profession built on asymmetric knowledge. The IR professional knows things about the victim’s environment, vulnerabilities, and decision-making that the victim cannot fully audit or verify. That asymmetry is inherent to the work; you cannot respond effectively to an incident without it. It is also, structurally, a form of power that can be abused.
Most professions that involve this kind of asymmetry have developed formal ethical frameworks, licensing requirements, and accountability mechanisms over time. Medicine, law, and accounting all have professional bodies, ethical codes with enforcement mechanisms, and legal liability structures that create incentives for ethical behaviour beyond individual conscience. The cybersecurity industry, and the IR sector within it, has relatively weak versions of most of these. Certifications exist, but they are primarily technical rather than ethical. Professional associations publish codes of conduct, but enforcement is limited.
The Goldberg, Martin, and Martino case is an argument for taking that gap more seriously. Not because the industry is full of people waiting to defect to ransomware gangs, but because the structural conditions that made this case possible have not changed. The knowledge asymmetry is still there. The financial incentives on the criminal side are still there. The oversight mechanisms are still weak.
What changed, in this case, was that three people made choices that most of their colleagues would not make, and then got caught because the FBI is better at following cryptocurrency transactions than the defendants apparently expected. That is a useful outcome. It is not a systemic solution.
The insider threat literature has long distinguished between malicious insiders, who deliberately exploit their access, and negligent insiders, who create risk through carelessness. This case adds a third category worth naming explicitly: the credentialed outsider who becomes a malicious insider at the moment of engagement. The access is temporary. The damage is not.
Goldberg and Martin will serve four years. Martino’s sentence is pending. The victims they targeted have already paid, in ransom, in operational disruption, and in the more diffuse cost of discovering that the people they called for help were working against them. That is the part of this story that does not resolve cleanly when the sentencing hearing ends.