Cybersecurity Insiders Turned Criminals: How Three Industry Professionals Conducted Ransomware Attacks While Employed as Security Experts

U.S. prosecutors have uncovered a scheme where three cybersecurity professionals secretly conducted ransomware attacks while employed at legitimate security firms. Ryan Clifford Goldberg and Kevin Tyler Martin, along with an unnamed accomplice, allegedly targeted five businesses beginning in May 2023, extracting nearly $1.3 million in cryptocurrency from one victim alone. This case highlights a disturbing example of insider threats within the cybersecurity industry, as the accused leveraged their professional expertise in ransomware negotiation to execute the very attacks they were hired to prevent.

How 3 Ex-Cybersecurity Staffers Moonlighted As Hackers In US

U.S. prosecutors have unveiled allegations that three employees from cybersecurity firms secretly operated as criminal hackers while maintaining their day jobs. These individuals allegedly conducted ransomware attacks designed to extort millions from businesses nationwide.

Ryan Clifford Goldberg, former incident response director at Sygnia Consulting Ltd., and Kevin Tyler Martin, a ransomware negotiator at DigitalMint, face charges of collaborating to breach five businesses beginning in May 2023. Court documents reveal that they, along with a third collaborator, received nearly $1.3 million in cryptocurrency from a Tampa-based medical device company.

The accused worked in the cybersecurity sector specializing in ransomware negotiation—ironically helping companies deal with the very type of attacks they were allegedly perpetrating. Prosecutors claim they shared their illegal profits with developers of the ransomware they deployed against victims.

According to documentation viewed by Bloomberg News, DigitalMint notified certain clients about these charges last week.

Court records indicate that while the third alleged conspirator also worked as a ransomware negotiator at Martin's company, this individual hasn't been charged. The court documents don't explicitly identify the companies where the defendants previously worked.

Sygnia has confirmed Goldberg's former employment with their organization. Martin was previously identified as a DigitalMint employee during a law school presentation he delivered last year.

Goldberg remains in federal custody in Florida. His attorney, federal public defender MaeAnn Renee Dunker, declined to comment, and court records don't indicate whether he has entered a plea yet.

Martin, who has been released on bond, has pleaded not guilty. His attorney, Tor Ekeland, also declined to comment on the case.

The Chicago Sun-Times was the first to report on these charges.

DigitalMint President Marc Jason Grens stated that Martin's alleged criminal activities were "completely outside the scope of his employment." While acknowledging the third alleged conspirator "may have also been a company employee," Grens emphasized that the indictment doesn't suggest the Chicago-based company had "any knowledge of or involvement in the criminal activity."

Grens confirmed that DigitalMint is not under investigation, is fully cooperating with authorities, and that the "co-conspirators did not access or compromise client data as part of the charged conduct." He added, "No one potentially involved in the charged scheme has worked at the company in over four months."

Andrea MacLean, a spokesperson for Sygnia, confirmed the Israel-headquartered company isn't a target of the investigation and is cooperating closely with investigators. She stated that Sygnia terminated Goldberg's employment "immediately upon learning of the situation."

Ransomware attacks involve hackers extorting victims by freezing computer systems, encrypting data, or threatening to release sensitive information unless they are paid. These extortion payments can reach tens of millions of dollars, with global annual losses estimated in the billions.

According to prosecutors, beginning in May 2023, Goldberg and Martin allegedly accessed multiple companies' computer systems, installing ALPHV BlackCat ransomware to steal and encrypt victim data. Beyond the Tampa company, the group allegedly targeted a Maryland pharmaceutical company, a Virginia-based drone manufacturer, and both an engineering firm and a doctor's office in California. Court records do not identify these companies by name.

Neither the FBI nor the U.S. attorney's office in Miami, which is prosecuting the case, responded to requests for comment.

Source: https://www.ndtv.com/world-news/3-ex-cybersecurity-staffers-moonlighted-as-hackers-in-us-case-filed-9571582