Two Cybersecurity Experts Were Secretly Running Ransomware Attacks on the Companies They Were Hired to Protect. The History of Double Agents Goes Back Centuries.
Ryan Goldberg and Kevin Martin worked at cybersecurity firms by day. At night, they deployed BlackCat ransomware against American businesses, causing $9.5M in losses. The betrayal pattern is 2,500 years old.
Key Takeaways
- Ryan Goldberg was an incident response manager at Sygnia — a company hired to clean up after ransomware attacks. He was simultaneously deploying ransomware
- Kevin Martin was a ransomware negotiator at DigitalMint — literally negotiating with the same criminal group he belonged to
- The ALPHV/BlackCat ransomware-as-a-service model let affiliates (like Goldberg and Martin) deploy attacks and keep a percentage of the ransom
- The double agent pattern dates to 480 BC when Ephialtes betrayed the Spartans at Thermopylae — showing that insider threats predate computers by 2,500 years
Root Connection
From Ephialtes betraying the Spartans at Thermopylae (480 BC) to Aldrich Ames at the CIA (1994) to cybersecurity professionals running ransomware in 2023 — the double agent is humanity's oldest security vulnerability.
Timeline
Ephialtes of Trachis betrays the Spartan defenders at Thermopylae, showing the Persian army a secret mountain path. 300 Spartans die. History's first famous double agent.
Benedict Arnold, a trusted American general, plots to hand West Point to the British during the Revolutionary War. His name becomes synonymous with treachery.
The Double Cross System (XX): British MI5 turns every single German spy in Britain into a double agent, feeding false intelligence that helps win D-Day.
Aldrich Ames, a 31-year CIA veteran, is arrested for spying for the Soviet Union since 1985. His betrayal caused the deaths of at least 10 CIA assets.
Ryan Goldberg (Sygnia incident response manager) and Kevin Martin (DigitalMint ransomware negotiator) begin deploying ALPHV/BlackCat ransomware against US businesses.
Both plead guilty. Sentencing set for March 12, 2026. They face up to 20 years in federal prison. Combined losses exceed $9.5 million.
By day, Ryan Goldberg was an incident response manager at Sygnia, a cybersecurity firm that helps companies recover from cyberattacks. His job was to be the person you call when everything goes wrong — the digital firefighter who shows up, assesses the damage, and helps you get back on your feet.
By night, he was setting the fires.
Between April and December 2023, Goldberg, 40, from Georgia, and his co-conspirator Kevin Martin, 36, from Texas, deployed ALPHV/BlackCat ransomware against multiple American businesses. The combined losses exceeded $9.5 million. In March 2026, both pleaded guilty to conspiracy to commit extortion. They face up to 20 years in federal prison, with sentencing scheduled for March 12.
The details are almost comically villainous. Martin worked at DigitalMint, a company that helps ransomware victims negotiate with their attackers and pay ransoms in cryptocurrency. He was literally sitting on both sides of the negotiating table — helping victims pay ransoms to a group he was part of. Goldberg was even worse: he was the person companies trusted to analyze the attack, identify how the hackers got in, and close the door behind them. He already knew how they got in. He left the door open.
A third co-conspirator, not yet publicly named, also worked at a cybersecurity firm. All three were employed in positions of trust while secretly operating as affiliates of one of the most notorious ransomware operations in history.
The worst part wasn't the ransomware. It was that the people we trusted to defend us were the ones holding the knife.
— Anonymous victim company executive, via court documents
THE MODEL
ALPHV/BlackCat operates as ransomware-as-a-service (RaaS). The core developers build and maintain the ransomware tools. Affiliates — independent operators like Goldberg and Martin — deploy the ransomware against specific targets. The ransom payments are split: typically 80-90% to the affiliate, 10-20% to the core developers. It's a franchise model for cybercrime.
BlackCat was particularly sophisticated. Written in Rust (a rarity for malware at the time), it was fast, cross-platform, and difficult to detect. It could encrypt Windows, Linux, and VMware systems. It had built-in data exfiltration — stealing files before encrypting them, giving attackers a double threat: pay us, or we'll leak your data publicly.
The FBI seized BlackCat's infrastructure in December 2023, but the group rebuilt within days and continued operations. By the time Goldberg and Martin were caught, BlackCat had hit hundreds of organizations worldwide, including hospitals, schools, and government agencies.
THE ROOT
The betrayal of trusted insiders is not a modern phenomenon. It's one of the oldest patterns in human conflict.
Every castle has a gate. Every gate has a guard. The most dangerous vulnerability in any fortress has always been the guard.
— John le Carre, paraphrased
In 480 BC, the Greek city-states faced the full might of the Persian Empire under Xerxes I. King Leonidas of Sparta led 300 warriors to hold the narrow pass at Thermopylae — a chokepoint where the Persians' numerical advantage was neutralized. For two days, the Spartans held. The pass seemed impregnable.
Then a local Greek named Ephialtes of Trachis, seeking a reward from Xerxes, revealed a secret mountain path that bypassed the pass entirely. The Persians poured through. Leonidas and his 300 died fighting. The word "ephialtes" became the Greek word for "nightmare."
The pattern repeats through history with remarkable consistency. In 1780, Benedict Arnold — one of the most capable generals in the Continental Army — plotted to hand the strategic fortress at West Point to the British. His motivations were personal: he felt underappreciated and underpaid. His plan was discovered only because British Major John Andre was captured carrying Arnold's letters. Arnold escaped and spent the rest of his life in exile. His name became the American word for traitor.
During World War II, the British MI5 pulled off perhaps the greatest double-agent operation in history: the Double Cross System (XX). Every single German spy sent to Britain was captured and turned into a double agent, feeding false intelligence back to Berlin. The system was so effective that it directly contributed to the success of D-Day — the Germans expected the invasion at Calais, not Normandy, largely because of information from turned agents.
In 1994, Aldrich Ames, a 31-year CIA veteran who ran counterintelligence operations against the Soviet Union, was arrested for spying for Moscow since 1985. He had betrayed the identities of every CIA spy inside Russia, directly causing the deaths of at least ten people. His motivation was money — the Soviets paid him $4.6 million. He was caught because his lifestyle (a $540,000 house, a Jaguar, expensive lunches) didn't match his $69,000 salary. The most expensive mole in CIA history was caught by an accountant.
THE DIGITAL SHIFT
What makes the Goldberg and Martin case uniquely modern is the ransomware-as-a-service model. In traditional espionage, double agents work for an enemy nation. In cybercrime, they work for a software platform. The ALPHV/BlackCat operation isn't a country — it's a criminal startup with affiliates, revenue sharing, and a customer support portal for victims.
The cybersecurity industry has always known about insider threats. The CERT Insider Threat Center at Carnegie Mellon has studied them for decades. Their data shows that insiders cause roughly 25% of all data breaches, and that the average insider threat takes 77 days to detect. When the insider is a cybersecurity professional — someone who knows exactly how detection systems work — that number stretches dramatically.
Goldberg knew how incident response works because it was his job. He knew what forensic investigators look for, what logs they check, what traces to cover. Martin knew how ransom negotiations work because he conducted them daily. They weren't just insiders — they were the most dangerous kind of insiders: the ones with expertise in the exact systems designed to catch them.
WHY IT MATTERS
AI-driven cyberattacks increased 89% in early 2026. Identity-based breaches now account for nearly two-thirds of all major incidents. Ransomware losses are on track to exceed $30 billion globally this year.
But no amount of AI detection, zero-trust architecture, or endpoint monitoring can fully protect against someone who was hired specifically because they know how all those systems work — and who decides to use that knowledge for the other side.
The cybersecurity industry sells trust. Companies hire firms like Sygnia and DigitalMint precisely because they can't handle these threats alone. When the responders themselves are the threat, the entire model breaks.
Ephialtes showed the Persians a mountain path. Arnold offered the British a fortress. Ames sold the Soviets a list of names. Goldberg and Martin deployed ransomware from inside the house.
The technology changes. The betrayal pattern doesn't. It's 2,500 years old, and it still works.