From Ransomware Negotiator to Cybercriminal: Inside the $1.27M BlackCat Heist
Helping companies negotiate with ransomware gangs has always seemed like a peculiar business. In theory, one mediates with cybercriminals, attempting to lower ransom demands so that victims can resume operations more swiftly. In practice, however, such work inevitably assists the criminals in collecting their payments — sustaining their infrastructure and making future attacks all the more likely.
The FBI recently described a case in which this moral dilemma reached its predictable conclusion. Several professionals working in ransomware response — people who had seen firsthand the vast sums of cryptocurrency flowing to extortionists — decided to try their own hand at the game. They understood exactly how modern ransomware operations functioned: how ransomware-as-a-service programs allowed developers to supply ready-made malware and infrastructure, while affiliates sought out victims and shared profits. At some point, one of these experts reportedly asked himself a simple question: why should others reap the rewards, when I could orchestrate the attack myself?
According to the FBI, that is precisely what three U.S.-based cybersecurity specialists did. They crossed to the other side and began deploying ransomware in corporate networks, hoping for quick financial gain. Reality, however, proved less accommodating. Only one ransom was ever paid; all other victims refused, and investigators soon traced the activity back to the perpetrators.
Among those named in court filings is Kevin Martin, an employee of the Chicago-based firm DigitalMint, which assists ransomware victims by assessing demands, purchasing legal cryptocurrency, and facilitating secure transfers to restore operations as swiftly as possible. The FBI alleges that in 2023, Martin decided to affiliate himself with the BlackCat ransomware group — known for providing partners with prebuilt encryption software and darknet infrastructure in exchange for a cut of the ransom. Having seen the system in action, Martin reportedly recruited two others. One of them, according to investigators, was Ryan Goldberg of Georgia, who worked on incident response at Sygnia. Goldberg told agents that Martin had invited him to “make some easy money off a few companies.”
In May 2023, the trio selected their first victim — a medical organization in Tampa, Florida. They infiltrated its network, deployed BlackCat, encrypted corporate data, and demanded $10 million for the decryption key. The company eventually agreed to pay part of the ransom, transferring $1.27 million in cryptocurrency. A portion went to the BlackCat developers; the remainder was split among Martin, Goldberg, and the unnamed third accomplice.
Encouraged by this success, they attempted to replicate the scheme. Over the course of 2023, the group targeted a pharmaceutical firm in Maryland, a doctor’s office, an engineering company in California, and a drone manufacturer in Virginia, demanding sums ranging from $300,000 to $5 million. Yet unlike the first victim, none of the others agreed to pay. Their brief “business venture” quickly unraveled, and soon drew the attention of the FBI.
By spring 2025, the investigation was in full swing. In April, agents searched Martin’s residence, prompting panic in the third conspirator. By May, Goldberg was searching the internet for Martin’s name alongside the U.S. Department of Justice domain, trying to discern what had become of the case. On June 17, agents raided Goldberg’s home and seized his devices. Initially, he denied involvement, but later confessed and identified Martin as the organizer. He explained that he had joined the extortion scheme to pay off debts and now feared he might “spend the rest of his life in federal prison.”
Goldberg was not arrested immediately. On June 24, prosecutors formally notified him that he was a subject of the investigation. The following day, he and his wife purchased one-way tickets to Paris. On June 27, they departed; by the time charges were filed, Goldberg was already in Europe. In September, he returned to North America — though not to the United States — flying from Amsterdam to Mexico City, where he was detained and deported. The court deemed his travel an attempt to flee, and unlike Martin, who was released on $400,000 bail, Goldberg was denied pretrial release. If he pleads guilty, he faces 78 to 97 months in prison; if convicted at trial, the sentence could be even longer.
The story borders on tragic farce, given that, according to court documents, Goldberg had already been earning a comfortable $214,000 per year. After his dismissal, he lost his income, defaulted on his mortgage, and effectively destroyed his family’s stability — all for one successful ransom and several failed attempts. Now, he and his loved ones must live with the consequences for years to come.