
When Cyber Defenders Go Rogue: Lessons from the BlackCat Insider Case

April 11, 2026 Newsletter

A recent US federal indictment exposed a rare but high-impact scenario: cybersecurity professionals crossing the line from defense to offense and moonlighting as ransomware operators.

Reporting and court documents describe how two US security practitioners allegedly used their insider knowledge to deploy ALPHV/BlackCat ransomware against the very kind of organizations they were supposed to protect.

This case is not just another ransomware story. It is a clear illustration of insider risk inside the security function itself and a warning shot for any organization that outsources incident response, ransomware negotiation, or cyber crisis management.

The case in brief

Federal prosecutors have charged two US nationals, Ryan Clifford Goldberg of Georgia and Kevin Tyler Martin of Texas, along with an unnamed Florida-based co-conspirator, with a string of ransomware attacks against at least five US businesses.

Key facts from the indictment and follow-on reporting:

Roles and employers

Goldberg served as an incident response manager at Sygnia Cybersecurity Services.

Martin and the unnamed co-conspirator worked as ransomware threat negotiators for DigitalMint, a firm that negotiates with ransomware groups and facilitates cryptocurrency payments during ransomware incidents.

Timeline and targets

The conspiracy allegedly ran from May 2023 through at least late 2023, with court filings referencing related activity into 2025.

Victims included a medical device company in Florida, a pharmaceutical firm in Maryland, a California doctor’s office, an engineering company in California, and a drone manufacturer in Virginia.

Attack method

The group allegedly operated as affiliates of the ALPHV/BlackCat ransomware-as-a-service program: gaining unauthorized access to victim networks, exfiltrating data, deploying BlackCat encryptors to lock systems, and demanding cryptocurrency ransoms.

Ransom demands and payouts

Demands ranged from roughly $300,000 to $10 million per victim.

Only one known victim, a Tampa-area medical device manufacturer, paid, sending approximately $1.27 million in cryptocurrency after a $10 million demand.

Legal exposure

Charges include conspiracy to interfere with interstate commerce by extortion, interference with interstate commerce by extortion, and intentional damage to a protected computer.

Combined, the counts expose the defendants to decades in federal prison if convicted; some analyses put the combined statutory maximum at 50 years.

Both Sygnia and DigitalMint have stated that the attacks did not involve their corporate systems, that the individuals acted as rogue employees, and that the firms have cooperated with law enforcement.

How the scheme allegedly worked

The picture that emerges from public reporting and the indictment is straightforward and troubling:

The co-conspirators allegedly abused their professional vantage point in ransomware negotiations and incident response to learn how victims behave under pressure, how negotiations unfold, and how law enforcement traces payments.

A DigitalMint employee allegedly obtained an affiliate account with the ALPHV/BlackCat program, giving the group access to the encryptor tooling and a share of the proceeds from successful extortions.

The group then targeted organizations across healthcare, pharma, engineering, and aerospace, stealing data, encrypting systems, and threatening to leak the stolen data if ransoms were not paid.

Payment from the one successful extortion was allegedly split and moved through multiple cryptocurrency wallets to obscure the money trail.

This is the ransomware economy folding back on itself: professionals who routinely deal with ransomware groups allegedly decided to become the threat.

Why this case matters

This incident punctures several assumptions that many organizations quietly rely on.

“The defenders and vendors are always the good guys.”
Most security programs treat SOC analysts, IR consultants, and ransomware negotiators as trusted by default. This case shows that high-access roles can become high-impact insider threats, even when security awareness is high.

“Insider threat is mostly about disgruntled users or careless employees.”
Here, the alleged insiders understood playbooks, tooling, incident workflows, and negotiation dynamics from the inside. That knowledge can make detection harder and extortion more effective.

“Third-party ransomware negotiation is a purely defensive function.”
Any function that regularly handles ransom logistics, cryptocurrency flows, or extortion messaging becomes an attractive pivot point for abuse, both inside providers and within victim organizations.

“Due diligence at onboarding is enough.”
Background checks and vendor assessments are point-in-time controls. The alleged attacks spanned months and were carried out by individuals who were employed in good standing at reputable firms during part of that time.

Operational lessons for security leaders

Use this case as a hard reference point to adjust your operating assumptions, not as an infosec curiosity.

1. Treat high-access security roles as privileged insider-risk positions

Classify incident responders, ransomware negotiators, forensics consultants, domain admins, and IR vendors as privileged access users.

Apply enhanced monitoring, least-privilege access, and separation of duties across these functions.

2. Tighten visibility around ransomware and extortion workflows

Centralize all ransomware-related communications, payment discussions, and decryption key handling in auditable systems.

Ensure no single individual or external partner can negotiate, authorize, and technically execute a ransom payment end-to-end on their own.

3. Harden cryptocurrency and payment governance

Require dual control for any wallet creation, key storage, and high-value transfer tied to incident response.

Log and regularly review crypto flows associated with incident handling, including those routed through third-party brokers.

4. Elevate vendor risk scrutiny for IR, MDR, and negotiation partners

Extend third-party risk assessments to explicitly cover insider-risk controls, employee monitoring, and cooperation practices with law enforcement.

Require clear contract language on misconduct handling, employee termination reporting, and audit rights.

5. Assume insiders understand your playbooks and adjust detection

Build detections that assume an informed insider knows your standard incident-response and SOC workflows and will try to stay inside them.

Incorporate anomaly detection on access patterns, off-hours activity, and data exfiltration for staff in high-trust security roles, not just general employees, and compare each person's activity with their own baseline and their assigned engagements rather than with population-wide thresholds alone.

6. Address human pressure as a genuine risk factor

Public reporting indicates financial pressure and personal debt played a role in at least one defendant’s alleged decision-making.

Factor financial stress, burnout, and job instability into insider-risk modeling, especially in high-stakes roles that regularly interact with extortion and crime.
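The detection approach item 5 calls for, as an added example that is not part of the newsletter and not code from Sygnia, DigitalMint or any party in the case: three rules run over a constructed JSON-lines audit log for a hypothetical incident responder. It flags interactive access outside working hours, access to an engagement the user is not assigned to in the case-management system, and a day's outbound volume above three times the user's own median. The role names, engagement IDs, thresholds and every log line are assumptions made for illustration.

```python
"""Insider-aware detections for staff in high-trust security roles.

Added example for this newsletter, not code from Sygnia, DigitalMint or any
party in the case. The log format, role names, engagement IDs, thresholds
and every log line below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import json
import statistics

# Roles the newsletter treats as privileged insider-risk positions (assumed names).
HIGH_TRUST_ROLES = {"incident_responder", "ransom_negotiator", "domain_admin"}
INTERACTIVE_ACTIONS = {"login", "vpn_connect", "rdp"}
WORK_HOURS = range(7, 20)      # 07:00-19:59 local time counts as on-hours
EGRESS_MULTIPLIER = 3.0        # flag a day above 3x the user's own median egress
MIN_BASELINE_DAYS = 3          # need this many earlier days before comparing

# Constructed JSON-lines audit log: one high-trust IR user and one helpdesk user.
SAMPLE_LOG = """
{"ts": "2023-06-01T09:12:00", "user": "ir_alice", "role": "incident_responder", "action": "login", "engagement": "ENG-1041", "bytes_out": 150000000}
{"ts": "2023-06-02T10:05:00", "user": "ir_alice", "role": "incident_responder", "action": "file_copy", "engagement": "ENG-1041", "bytes_out": 180000000}
{"ts": "2023-06-03T11:30:00", "user": "ir_alice", "role": "incident_responder", "action": "file_copy", "engagement": "ENG-1041", "bytes_out": 160000000}
{"ts": "2023-06-04T02:47:00", "user": "ir_alice", "role": "incident_responder", "action": "vpn_connect", "engagement": "ENG-2290", "bytes_out": 0}
{"ts": "2023-06-04T03:15:00", "user": "ir_alice", "role": "incident_responder", "action": "file_copy", "engagement": "ENG-2290", "bytes_out": 900000000}
{"ts": "2023-06-04T01:10:00", "user": "helpdesk_bob", "role": "helpdesk", "action": "login", "engagement": null, "bytes_out": 2000000}
"""

# Engagements each user is currently assigned to, as exported from the
# case/ticketing system (constructed).
OPEN_ENGAGEMENTS = {"ir_alice": {"ENG-1041"}}


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime 'ts' field, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, open_engagements):
    """Return alerts for high-trust users only; other roles are left to the general rules."""
    alerts = []
    seen_engagement = set()
    egress_by_day = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes

    for e in events:
        if e["role"] not in HIGH_TRUST_ROLES:
            continue
        user = e["user"]

        # Rule 1: interactive access outside working hours.
        if e["action"] in INTERACTIVE_ACTIONS and e["ts"].hour not in WORK_HOURS:
            alerts.append({"user": user, "rule": "off_hours_access", "ts": e["ts"].isoformat()})

        # Rule 2: touching an engagement the user is not assigned to. An informed
        # insider knows the activity only looks legitimate while a case is open.
        eng = e.get("engagement")
        if eng is not None and eng not in open_engagements.get(user, set()):
            if (user, eng) not in seen_engagement:
                seen_engagement.add((user, eng))
                alerts.append({"user": user, "rule": "access_without_engagement", "engagement": eng})

        egress_by_day[user][e["ts"].date()] += int(e.get("bytes_out") or 0)

    # Rule 3: per-user egress baseline. Compare the most recent day with the
    # median of the user's earlier days rather than a population-wide threshold.
    for user, per_day in egress_by_day.items():
        days = sorted(per_day)
        if len(days) <= MIN_BASELINE_DAYS:
            continue
        baseline = statistics.median(per_day[d] for d in days[:-1])
        latest = days[-1]
        if baseline > 0 and per_day[latest] > EGRESS_MULTIPLIER * baseline:
            alerts.append({"user": user, "rule": "egress_spike", "date": latest.isoformat(),
                           "bytes_out": per_day[latest], "baseline": baseline})
    return alerts


def run_demo():
    """Run the three rules over the constructed log and return the alert list."""
    return detect(parse_events(SAMPLE_LOG), OPEN_ENGAGEMENTS)


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert))
```

Run directly, the script prints three alerts for ir_alice: a 02:47 VPN connection, access to ENG-2290 with no open assignment, and a 900 MB day against a 160 MB median. The helpdesk account's 01:10 login is out of scope for these rules by design and should be covered by the general off-hours policy. The per-user baseline and the engagement cross-check are what distinguish this from population-wide thresholds: an insider who knows the playbook can keep individual actions inside normal-looking bounds, but cannot easily fake an assignment in the case system or reshape months of their own history.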

Core takeaway

Insider threat is no longer limited to users clicking the wrong link or exfiltrating data on the way out the door. The BlackCat insider case shows how easily deep security expertise and access to crisis workflows can be repurposed into a criminal business model.

Rebuild assumptions so that even your most trusted defenders, partners, and negotiators are covered by continuous, objective controls—not just professional trust and role descriptions.

 
