Ryan Clifford Goldberg and Kevin Tyler Martin were sentenced to four years in federal prison each on April 30, 2026, for their roles in deploying ALPHV/BlackCat ransomware against US victims β victims who, in several cases, had hired them to handle the very ransomware crises they were orchestrating.
The sentences close the criminal phase of a case that, when the charges were first unsealed, produced a reaction across the incident response industry somewhere between shock and grim recognition. We covered the charges and the scheme in detail when the pleas were entered. The sentencing is the end of that chapter β and the beginning of the accountability reckoning the IR sector now has to reckon with.
What They Did
Goldberg worked as an incident response manager. Martin worked as a ransomware negotiator. Together with a third co-conspirator, Angelo Martino, they exploited the trust that ransomware victims place in outside specialists during their worst moments.
The mechanics were straightforward and devastating. When a company got hit by ransomware and called for help, Goldberg and Martin came in as responders. In doing so, they gained access to the victimβs network, their negotiating position, their cyber insurance policy limits, their operational timelines, and their tolerance for downtime. They passed that intelligence to the ALPHV/BlackCat operators. The attackers used it to price ransoms at maximum extraction β knowing what the victim could pay, how long they could hold out, and what it would cost them to refuse.
In at least one confirmed instance, the attackers collected approximately $1.2 million in ransom. Across the scheme, demands reached as high as $10 million per victim.
This is not a case about rogue hackers who stumbled into the IR industry. It is a case about IR industry professionals who deliberately entered into a criminal enterprise against the clients who trusted them in a crisis.
What Four Years Means
Federal sentencing guidelines for computer fraud, wire fraud, and conspiracy charges at this scale typically yield significantly higher recommendations. Four years β 48 months β is a relatively moderate outcome given the financial harm caused and the aggravated nature of the insider betrayal involved.
The sentence will be served in a federal facility without parole eligibility under federal sentencing rules. Both Goldberg and Martin will also face supervised release after their prison terms β the conditions of which have not yet been made public β plus restitution obligations tied to the losses they caused.
For context: four years is the same sentence handed down to some first-time CFAA violators for far less financially damaging conduct. The insider nature of this offense β the deliberate exploitation of a professional trust relationship, the feeding of victim intelligence to criminal operators β arguably warrants a harder look at whether the sentencing guidelines as applied adequately capture the harm.
That question will be answered differently depending on whether the DOJ treats Goldberg and Martin as cautionary examples or whether this case catalyzes a broader look at the IR sectorβs accountability structures.
Angelo Martinoβs Sentencing: July 9, 2026
The third member of the conspiracy, Angelo Martino, was also a ransomware negotiator. His role was to feed victim intelligence to the attackers β knowing which clients would pay, what their limits were, what leverage the attackers had. His sentencing is scheduled for July 9, 2026.
Martinoβs plea agreement, like Goldbergβs and Martinβs, involved cooperation with federal investigators. The degree of that cooperation, and what it yielded β names, infrastructure, additional victims, connections to the broader ALPHV/BlackCat operation β has not been publicly disclosed. Sentencing judges consider cooperation in their determinations. Martinoβs July 9 date will provide the final data point in this case and may reveal whether any larger network was disrupted as a result.
What It Signals for the IR Industry
The incident response sector has operated for years on the basis of a largely unexamined trust relationship. A company in crisis calls outside specialists. Those specialists gain administrative access to production systems, review internal communications, understand financial exposure, and operate with a level of authority that in-house staff often donβt question because speed is everything when ransomware is spreading.
That trust relationship is now permanently on record as something that has been weaponized by the very professionals the relationship is built around.
The practical implications are not abstract. IR firms are now operating in an environment where clients β particularly sophisticated ones with active security programs β will want to know more about vetting, background checks, and oversight of the consultants who show up during a crisis. They will want to understand what access controls are in place. They will want to know whether the firm has malpractice or professional liability coverage that covers insider malfeasance, not just errors and omissions.
None of those questions were unreasonable before the Goldberg/Martin case. They are now non-negotiable for any IR engagement involving sensitive environments.
The ALPHV/BlackCat Connection
ALPHV/BlackCat β the ransomware-as-a-service operation that Goldberg and Martin affiliated with β was shut down by the FBI in December 2023 in a coordinated operation that seized the groupβs infrastructure and decryption keys were released to victims. The takedown was significant but did not eliminate all operators; affiliates dispersed to other RaaS platforms.
The timeline of the Goldberg/Martin scheme β 2023 β places it squarely in the window before the ALPHV takedown. Prosecutors have not indicated whether the two were identified through evidence gathered in the ALPHV takedown itself, through victim reporting, or through other investigative means. Given the DOJβs track record of building cases from evidence seized in infrastructure takedowns, the former is plausible.
What is clear is that ALPHVβs scale β which at its peak generated more than $300 million in ransom payments across hundreds of victims β created conditions in which insiders with access to victim organizations could find willing criminal partners quickly. The RaaS model is explicitly designed to onboard affiliates without requiring technical sophistication from the affiliate side. An IR professional with trusted network access is a more valuable affiliate than a technically capable one without access β and the ALPHV operation was structured to monetize exactly that kind of insider advantage.
The Bottom Line
Four years for Goldberg. Four years for Martin. Sentencing for Martino pending. Three IR professionals went to prison for exploiting the clients who trusted them most.
The immediate question for the industry is process: how do you screen for this, how do you structure access to limit it, and how do you create accountability frameworks that go beyond good intentions and non-disclosure agreements? Those are solvable problems. The harder question is cultural β how an industry that sells trust reconciles itself with the fact that trust, in this case, was the product being exploited.
Breached.company will report on the Martino sentencing on July 9 and any further DOJ action connected to this case.
Sources
- DOJ: βTwo Americans Who Attacked Multiple US Victims Using ALPHV/BlackCat Ransomware Sentencedβ (April 30, 2026)
- The Hacker News: βTwo Cybersecurity Professionals Get 4-Year Prison Sentences for ALPHV/BlackCat Ransomware Attacksβ
- Help Net Security: βCybersecurity Experts Sentenced for ALPHV/BlackCat Ransomware Attacksβ
- Breached.Company: βThe Fixers Who Became the Problemβ (April 29, 2026)
Breached.Company covers state-sponsored cyber and hybrid threats, breach disclosures, and signals intelligence for the security community. For threat intelligence retainers and vCISO consulting, CISO Marketplace connects you with vetted advisors.
