Ransomware usually presents itself as an external, diffuse and hard-to-locate threat, associated with criminal groups operating from other countries and hidden network infrastructure. However, the case reported by the United States Department of Justice breaks that narrative. Here we are not talking about an isolated surveillance failure, but about professionals from the sector itself who, according to the accusation, used their training and position to attack American companies. The conclusion is as simple as it is alarming: the threat does not always come from outside, even in such a specialized field.
What is known about the case today is well defined in court documents and official statements. On December 30, 2025, the Department of Justice reported that the day before, a federal court in the Southern District of Florida accepted guilty pleas from two men for conspiring to commit extortion in connection with ransomware attacks that occurred in 2023. Both men pleaded guilty to a federal crime involving obstructing or affecting commerce by extortion. Sentencing was set for March 12, 2026, and they face a maximum sentence of 20 years in prison.
Who they were and what role they played in the sector. According to the FBI, the defendants are Ryan Goldberg, 40, and Kevin Martin, 36. Both worked in the field of cybersecurity and had experience in incident management and processes linked to attacks with this type of malicious tool. Goldberg worked as an incident response manager at a multinational company in the sector, while Martin worked as a negotiator specialized in this type of extortion at a company dedicated to responding to cybercrime. This professional context put them in an unusual position for this type of crime.
A ransomware model turned into a service. The case documents describe that the attacks relied on ALPHV, also known as BlackCat, a ransomware operated under a service model. In this scheme, developers maintain the malware and extortion infrastructure, while affiliated third parties execute attacks against selected victims. In exchange for that access, the defendants agreed to give 20% of any ransom obtained to the administrators. The rest was distributed among the participants after the funds had been moved through different digital wallets to make them difficult to trace.
The investigation is not limited to a single incident. The documents include attacks and attempts directed against US companies between April and December 2023, with victims in sectors such as healthcare, pharmaceuticals, industry and technology. In the only successful case, the ransom paid was worth around $1.27 million in cryptocurrency at the time of payment, according to the file. In other episodes, the demands reflected in the case ranged from hundreds of thousands of dollars to around five million, always according to court documents.
The evidence that supports the accusation. The case is supported by a combination of technical records, financial analysis and statements collected by US federal law enforcement. Among the elements cited are access to tools linked to the extortion infrastructure and the tracing of cryptocurrency movements after the ransom was paid. The file also mentions searches carried out before some attacks, including an inquiry about one of the victims on May 4, 2023, days before a subsequent incident. Added to this is a recorded interview in which one of the accused acknowledged his involvement, in addition to searches and other actions incorporated into the case.
