
In the landscape of cybercrime investigations, some cases take on particular significance not only because of the extent of the financial damage, but also because of the profile of the individuals involved. Ransomware investigations, often associated with foreign criminal groups and offshore operating infrastructures, increasingly reveal different dynamics, in which legitimate expertise is being misused for illicit purposes.
The legal proceedings involving two cybersecurity professionals associated with the ALPHV BlackCat ransomware fit into this context, offering a significant insight into the evolution of cybercrime and its operational methods in the United States.
What sets this case apart from many other cybercrime investigations is the profile of the defendants. The two men involved, along with a third individual, were professionals active in the field of cybersecurity. Instead of working to protect systems, they used the skills they acquired in their work for criminal purposes.
The Department of Justice emphasized that the defendants’ technical training was a central element of their illicit activities.
“These defendants leveraged their sophisticated cybersecurity training and expertise to commit ransomware attacks, precisely the type of crime they were supposedly trying to stop,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Internet extortion affects innocent citizens as much as directly taking money from them. The Department of Justice is committed to using all available tools to identify and apprehend the perpetrators of ransomware attacks wherever it has jurisdiction.”
The investigation also helps debunk a widespread belief that ransomware is a phenomenon confined to foreign criminal groups operating from Eastern Europe or Asia. According to Federal Prosecutor Jason A. Reding Quiñones, the threat can also originate within the United States, exploiting legitimate access and advanced skills to target victims domestically.
“Ransomware isn’t just a foreign threat; it can also come from within our borders,” said U.S. Attorney Jason A. Reding Quiñones for the Southern District of Florida. “Goldberg and Martin used reliable access and technical expertise to extort money from American victims and profit from digital coercion. Their guilty pleas make it clear that cybercriminals operating within the United States will be identified, prosecuted, and held accountable.”
Court documents reveal that, between April and December 2023, the two defendants acted as affiliates of the ALPHV BlackCat program, a leading ransomware-as-a-service platform. In this operating model, malware developers maintain the infrastructure and code, while affiliates are responsible for identifying targets, compromising networks, and distributing the ransomware.
The scheme involved a pre-arranged distribution of the proceeds: 20% of the ransoms went to BlackCat administrators, while 80% remained with affiliates. This arrangement, in at least one documented case, resulted in the extortion of approximately $1.2 million in Bitcoin. The defendants’ share was subsequently divided among the participants and subjected to laundering operations to make it more difficult to trace the funds.
In December 2023, the Department of Justice announced a large-scale operation against the ALPHV BlackCat network. The operation resulted in the seizure of numerous websites linked to the group and the distribution of a free decryption tool, allowing victims to avoid paying approximately $99 million in potential ransoms.
Goldberg and Martin pleaded guilty to one count of conspiracy to hinder, delay, or influence commerce by extortion. Sentencing has been set for March 12, 2026. Both face a maximum sentence of 20 years in prison.
