Former Cybersecurity Pros Charged in Ransomware Schemes
How trusted defenders allegedly crossed the line into high-stakes digital crime
In the field of cybersecurity, one thing matters more than your position, role, or niche: your integrity.
Last week, three cybersecurity professionals were charged with violating data-privacy rights and reportedly hacking five U.S. businesses using ransomware since May 2023.
The defendants include Ryan Clifford Goldberg, a former incident-response manager at Sygnia Consulting Ltd., and Kevin Tyler Martin, a former ransomware negotiator at DigitalMint, as well as a third unnamed co-conspirator. Among the alleged targets: a Florida-based medical-device company that paid nearly US $1.3 million in cryptocurrency following a ransom demand; a Maryland pharmaceutical firm; and a Virginia-based drone-manufacturing company. [1]
This case is striking for what it reveals about insider threat: professionals whose day job was defending networks allegedly leveraged that very expertise to mount the attacks. These individuals are accused of deploying the well-known ransomware variant ALPHV/BlackCat, and of exploiting deep knowledge of incident-response operations and negotiations to facilitate their scheme.
For organisations, this episode should serve as a wake-up call: even the most trusted roles—incident-response specialists, ransomware negotiators, cybersecurity consultants—cannot automatically be assumed to carry low risk. You must apply the same rigorous access controls, monitoring and vendor governance to these roles as you do elsewhere in your environment. Integrity doesn’t get a pass simply because someone holds a prestigious title; in fact, the higher the trust, the higher the stakes.
As you review your upcoming incident-response engagements, vendor agreements and privileged-access logs, ask yourself: Are we only planning for external threats? Or are we equally prepared for the possibility that insiders with expertise and elevated access could become the adversary?
If you’re responsible for cybersecurity, vendor oversight or board-level risk, now is the time to pause, reassess and act. Review your incident-response and cyber-negotiation partnerships, verify that audit trails for privileged access are intact and effective, and ensure you have a clear path to detect when the defender becomes the attacker. Don’t wait for a headline to become your investigation.
[1] https://news.bloomberglaw.com/privacy-and-data-security/ex-cybersecurity-staffers-charged-with-moonlighting-as-hackers




It’s hard not to feel a sense of betrayal reading about cybersecurity experts allegedly turning into cybercriminals. These were people trusted to protect sensitive systems, now accused of using that very trust to exploit and extort. It’s a chilling reminder that titles and credentials don’t guarantee integrity. When defenders become attackers, the damage runs deeper than financial loss; it shakes the foundation of trust. Organisations must look beyond résumés and reputations, and build cultures where ethics are non-negotiable. Monitoring and accountability aren’t signs of mistrust; they’re safeguards against misplaced faith. This case isn’t just about crime; it’s about the human cost of broken trust.