The U.S. Department of Justice indicted Kevin Tyler Martin, an employee of DigitalMint, and an unnamed former DigitalMint employee last month on three counts of computer hacking and extortion. Prosecutors charged them and Ryan Clifford Goldberg, a former incident-response manager at Sygnia, with conducting ransomware attacks against at least five U.S. companies by hacking systems, stealing sensitive data, and deploying malware from the ALPHV/BlackCat group.

Martin and the unnamed individual worked as ransomware negotiators at DigitalMint, a cybersecurity company that assists victims in negotiating payments to hackers. Goldberg served in incident response at Sygnia, another cybersecurity firm. The indictments stem from a scheme where these individuals allegedly turned against their professional roles to perpetrate the attacks themselves. They targeted corporate networks to infiltrate and extract confidential information, then encrypted the data using ransomware tools provided by ALPHV/BlackCat.

The ALPHV/BlackCat group functions through a ransomware-as-a-service model. In this arrangement, the gang creates the file-encrypting malware designed to steal and scramble victims’ data. Affiliates, including the indicted individuals, execute the intrusions and install the ransomware on affected systems. Once ransoms are paid, the gang collects a portion of the proceeds, distributing the remainder to the affiliates who performed the operations.

An FBI affidavit submitted in September details that the perpetrators obtained more than $1.2 million in ransom payments from a single victim, identified as a medical device manufacturer located in Florida. This payment resulted from the successful deployment of the ransomware, which locked access to critical data until the ransom was transferred. The affidavit outlines the technical methods used, including unauthorized access to the company’s servers and the subsequent data exfiltration before encryption.

Additional targets included a drone manufacturer based in Virginia and a pharmaceutical company headquartered in Maryland. These attacks followed a similar pattern, involving initial network penetration, data theft, and ransomware deployment. The Virginia firm specializes in unmanned aerial vehicles for various industries, while the Maryland company develops medications and conducts research operations. The scheme affected at least three other U.S.-based companies, though specific details on those remain undisclosed in the public filings.

The Chicago Sun-Times initially reported the indictment on Sunday, bringing public attention to the case. This reporting prompted further disclosures from the involved companies. Sygnia chief executive Guy Segal confirmed to TechCrunch that Goldberg had been an employee and was terminated after the company learned of his alleged involvement with the ransomware attacks. Segal stated that Sygnia declined to comment further due to the FBI’s ongoing investigation into the matter.

DigitalMint president Marc Grens told TechCrunch that Martin was employed at the time of the alleged hacks but was acting completely outside the scope of his employment. Grens also confirmed that the unnamed individual may be a former employee. He added that DigitalMint is cooperating with the government’s investigation, providing relevant information and access as required by authorities.

Featured image credit