He ransomware It usually presents itself as an external threat, diffuse and difficult to locate, associated with criminal groups that operate from other countries and to hidden infrastructures on the network. However, the case that has communicated the United States Department of Justice breaks that narrative. Here we are not talking about a specific surveillance failure, but about professionals from the sector itself who, according to the accusation, used their training and position to attack American companies. The conclusion is as simple as it is alarming: the threat does not always come from outside, even in such a specialized field.
What is known about the case today is well defined in court documents and official statements. On December 30, 2025, the Department of Justice reported thatthe day before, a federal court in the Southern District of Florida accepted guilty pleas from two men for conspiring to extort in connection with ransomware attacks that occurred in 2023. Both pleaded guilty to a federal crime related to obstructing or affecting commerce by extortion. Sentencing was set for March 12, 2026 and they face a maximum sentence of up to 20 years in prison.
Who they were and what role they played in the sector. According to the FBIthe accused are Ryan Goldberg, 40, and Kevin Martin, 36. Both worked in the field of cybersecurity and had experience in incident management and in processes linked to attacks with this type of malicious tool. Goldberg worked as an incident response manager in a multinational company in the sector, while Martin worked as a negotiator specialized in this type of extortion within a company dedicated to responding to cybercrime. This professional context placed them in an unusual place for this type of crime.
A ransomware model turned into a service. The case documents describe that the attacks relied on ALPHV, also known as BlackCata ransomware operated under a service model. In this scheme, developers maintain the malware and extortion infrastructure, while affiliated third parties execute attacks against selected victims. In exchange for that access, the defendants agreed to give 20% of any ransom obtained to the administrators. The rest was distributed among the participants, after moving the funds through different digital wallets to make them difficult to trace.
The investigation is not limited to a single incident. The documents include attacks and attempts directed against US companies between April and December 2023, with victims in sectors such as healthcare, pharmaceuticals, industrial and technological sectors. In the only successful case, the ransom paid was around $1.27 million in cryptocurrency at the time of payment, according to the file. In other episodes, the demands reflected in the case ranged from hundreds of thousands of dollars to around five million, always according to court documents.
The evidence that supports the accusation. The case is supported by a combination of technical records, financial analysis and statements collected by US federal forces. Among the elements cited are access to tools linked to the extortion infrastructure and the monitoring of cryptocurrency movements after the payment of the ransom. The file also mentions searches carried out before some attacks, including an inquiry about one of the victims on May 4, 2023, days before a subsequent incident. Added to this is a recorded interview in which one of the accused acknowledged his involvement, in addition to searches and other actions incorporated into the case.
Images | Xataka with Gemini 3 Pro
GIPHY App Key not set. Please check settings