The U.S. Department of Justice has announced guilty pleas from two U.S.-based cybersecurity professionals for their involvement in ransomware attacks linked to the BlackCat (also known as ALPHV) operation.

The defendants admitted to participating as ransomware affiliates while employed at respected cybersecurity and incident response firms. Their actions included unauthorized network access, data theft, and deployment of file-encrypting malware, blurring the line between defense and criminal exploitation.

The case underscores a rare but serious insider threat scenario within the cybersecurity industry itself.

Ransomware operations increasingly rely on affiliate models.

Under this structure, core ransomware developers provide malware and infrastructure, while affiliates conduct intrusions and extortion in exchange for a share of the proceeds. This model has enabled large-scale campaigns targeting hundreds of organizations globally.

BlackCat emerged as one of the most prolific ransomware groups between 2021 and 2023, known for sophisticated tooling, double extortion tactics, and high-value targets across healthcare, manufacturing, and professional services sectors.

Federal prosecutors charged three individuals in October for their alleged roles in BlackCat ransomware attacks against U.S.-based organizations.

Two of the defendants—Kevin Martin, 36, of Texas, and another unnamed individual—were employed as ransomware negotiators at DigitalMint, a company that assists victims during extortion events. The third defendant, Ryan Goldberg, 40, of Georgia, worked as an incident response manager at Sygnia.

Goldberg and Martin have now pleaded guilty to conspiracy to commit extortion. Sentencing is scheduled for March 12, 2026, and each faces up to 20 years in prison.

According to court filings, the defendants operated as BlackCat ransomware affiliates.

They allegedly gained unauthorized access to victim networks, exfiltrated sensitive data, and deployed ransomware to encrypt systems. In return for access to the malware and an extortion management platform, affiliates paid approximately 20% of collected ransoms to BlackCat administrators.

In at least one case cited by prosecutors, the defendants received $1.2 million in Bitcoin from a single victim, illustrating the high financial incentives driving affiliate participation.

The BlackCat operation targeted more than 1,000 organizations between November 2021 and December 2023.

Although the group was disrupted by law enforcement, it continued operating for several months and reportedly conducted an exit scam after receiving a $22 million ransom from Change Healthcare.

This case highlights the damage that trusted insiders can inflict when exploiting privileged knowledge of incident response workflows and victim behavior.

This prosecution sends a strong message to the cybersecurity community.

Organizations and clients place exceptional trust in security professionals, particularly those involved in breach response and ransom negotiations. Abuse of that trust undermines the credibility of the industry and introduces unique risks that traditional security controls may not detect.

The case also demonstrates that law enforcement scrutiny is increasingly extending beyond anonymous threat actors to individuals operating within legitimate security firms.

The DOJ emphasized that insider participation in ransomware schemes will be pursued aggressively, regardless of professional credentials.

The guilty pleas follow other recent prosecutions, including that of Artem Stryzhak, a ransomware affiliate linked to the Nefilim operation, signaling sustained pressure on affiliate networks rather than only ransomware developers.