January 1, 2026

Cybersecurity Experts Turned Criminals

You'd think the people hired to protect your data would be the last ones to steal it. But on December 30, 2024, two cybersecurity professionals pleaded guilty to doing exactly that—using their expertise to launch ransomware attacks for profit.

Ryan Goldberg, 40, and Kevin Martin, 36, weren't hackers in hoodies working from distant countries. They were American cybersecurity specialists who knew how to breach systems because they'd spent their careers defending them. Between April and December 2023, they used that knowledge to extort businesses across the United States, demanding up to $10 million per victim.

The Fox Guarding the Henhouse

Goldberg and Martin partnered with ALPHV BlackCat, a notorious ransomware operation that works like a criminal franchise. The BlackCat administrators provided the malware and infrastructure. The affiliates—in this case, our two security professionals—identified targets, launched attacks, and collected ransoms. BlackCat took a 20% cut. The attackers kept the rest.

The scheme worked. They successfully extorted approximately $1.2 million in Bitcoin from one victim alone, splitting it three ways with an unnamed third conspirator after paying BlackCat's share.

Assistant Attorney General A. Tysen Duva captured the irony perfectly: "These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks—the very type of crime that they should have been working to stop."

Both men now face up to 20 years in prison. Their sentencing is scheduled for March 12, 2026.

Why Insider Threats Are Getting Worse

This case isn't an isolated incident. It's part of a troubling trend that's accelerating across the cybersecurity landscape.

According to the 2024 Securonix Insider Threat Report, 76% of organizations reported that insider attacks had become more frequent over the past year. That's up from 66% in 2019—a significant jump in just five years.

The financial impact is staggering. The Ponemon Institute found that the average annual cost of insider incidents reached $17.4 million in 2025. That's more than double the $8.3 million recorded in 2018.

What's driving this surge? Follow the money. Financial motivation now leads insider threat concerns at 50%, with personal benefit close behind at 47%. That second figure is particularly striking—it jumped from just 15% in 2019.

The Detection Problem

Here's what keeps security teams up at night: 90% of organizations report that insider attacks are equally or more challenging to detect than external attacks. In 2019, only 50% felt this way.

Why are insiders so hard to catch? They already have legitimate access to systems. They know where valuable data lives. They understand security controls and how to avoid triggering alarms. When someone like Goldberg or Martin—trained security professionals—turns malicious, they possess an intimate understanding of exactly which defenses to bypass.

The average time to resolve an insider incident stood at 81 days in 2025. That's nearly three months during which an insider can continue causing damage, covering tracks, or extracting data.

Organizations are throwing more resources at the problem. Companies now dedicate 16.5% of their IT security budget to insider risk management—double the 8.2% allocated in 2023. That translates to about $402 per employee.

Yet only 16% of organizations consider themselves extremely effective at handling insider threats. And just 29% feel fully equipped with the right tools to protect against them.

Not All Insiders Are Villains

It's worth noting that most insider incidents aren't malicious. The Ponemon 2025 study found that non-malicious insiders accounted for 75% of incidents. Negligent employees caused 55% of problems, while external attackers exploiting employees accounted for another 20%.

That leaves 25% of incidents caused by truly malicious insiders—people who deliberately abuse their access for personal gain, revenge, or ideology.

But concern about malicious insiders is growing. The percentage of organizations worried about intentional insider attacks rose from 60% in 2019 to 74% in 2024.

The ALPHV BlackCat Connection

The ransomware operation that Goldberg and Martin partnered with represents the industrialization of cybercrime. ALPHV BlackCat operated as ransomware-as-a-service, providing criminal infrastructure to anyone willing to pay.

Before law enforcement disrupted it in December 2023, ALPHV BlackCat had targeted over 1,000 victims worldwide. The FBI developed a decryption tool that saved approximately $99 million in ransom payments and seized several BlackCat-operated websites.

But the disruption came too late for Goldberg and Martin's victims. And the ransomware-as-a-service model persists—other operations continue offering similar criminal franchises to would-be attackers.

New Vulnerabilities on the Horizon

The insider threat landscape is evolving in ways that make the problem even more complex.

Hybrid work has created new vulnerabilities. With 70% of organizations expressing concern about insider risks in distributed environments, the traditional security perimeter has essentially dissolved. Employees access sensitive systems from home networks, coffee shops, and coworking spaces. Monitoring becomes harder. Context gets murkier.

Emerging technologies present another challenge. Seventy-five percent of organizations worry about AI amplifying insider threat capabilities. Artificial intelligence could help malicious insiders automate data exfiltration, evade detection systems, or identify high-value targets more efficiently.

What Organizations Are Watching For

The top concerns reveal what keeps security teams vigilant. Information disclosure leads at 56%—the fear that insiders will leak sensitive data. Unauthorized data operations follow at 48%, with credential and account abuse at 47%.

These aren't abstract worries. Each percentage point represents real incidents where trusted employees or contractors betrayed that trust.

Seventy-one percent of organizations consider themselves at least moderately vulnerable to insider threats. That's a majority acknowledging they're not adequately protected against attacks from within.

The Trust Paradox

Cybersecurity depends on trust. Organizations must trust employees with access to sensitive systems. They must trust contractors and third parties who help manage infrastructure. They must trust security professionals like Goldberg and Martin to protect rather than exploit vulnerabilities.

But trust creates opportunity for betrayal. The more access someone has, the more damage they can cause if they turn malicious. Security professionals occupy a particularly sensitive position—they possess both elevated privileges and deep knowledge of defensive measures.

FBI Special Agent in Charge Brett Skiles emphasized this point when warning businesses to "exercise due diligence when engaging third parties for ransomware incident response" and to "report suspicious or unethical behavior."

U.S. Attorney Jason A. Reding Quiñones made the broader point clear: "Ransomware is not just a foreign threat—it can come from inside our own borders."

Beyond Technology

The insider threat problem can't be solved with technology alone. Organizations need multiple layers of defense.

Background checks help but aren't foolproof. People change. Financial pressures mount. Grievances develop. Someone who was trustworthy when hired might become a risk years later.

Monitoring tools can detect anomalous behavior, but they generate false positives and raise privacy concerns. How much surveillance is too much? Where's the line between security and employee rights?

Cultural factors matter enormously. Organizations that treat employees poorly, ignore grievances, or create toxic environments breed insider threats. Disgruntled employees are more likely to steal data or sabotage systems.

Clear policies, regular training, and ethical leadership all play roles in reducing insider risk. So does limiting access based on actual job requirements rather than organizational hierarchy.

The Human Element

What makes someone cross the line from defender to attacker? The Goldberg and Martin case suggests financial motivation played a key role. The potential for millions of dollars in cryptocurrency proved too tempting.

But money isn't the only driver. Some insiders act out of ideology, seeking to expose what they view as organizational wrongdoing. Others are motivated by revenge after perceived mistreatment. Some simply see an opportunity and take it.

The rise in personal benefit as a motivating factor—from 15% in 2019 to 47% in 2024—suggests that more insiders are making calculated decisions that their personal gain outweighs the risks of getting caught.

They're not always wrong about the risks. Detection remains difficult, and many insider attacks go unnoticed or unreported. Even when caught, prosecution can be challenging if the insider covered their tracks effectively.

Looking Forward

The insider threat problem will likely get worse before it gets better. Remote work, cloud computing, and AI are expanding both the attack surface and the tools available to malicious insiders.

Organizations are increasing their investments in insider risk management, but most still feel inadequately prepared. The gap between threat sophistication and defensive capability continues to widen.

The Goldberg and Martin case serves as a stark reminder that credentials and expertise don't guarantee trustworthiness. The people best positioned to protect systems are also best positioned to compromise them.

Their guilty pleas send a message that insider attacks carry serious consequences. Twenty years in federal prison is a steep price for $1.2 million in Bitcoin.

But deterrence only works if potential attackers believe they'll get caught. With 90% of organizations struggling to detect insider attacks, and with the average incident taking 81 days to resolve, the odds might still look favorable to someone contemplating betraying their employer's trust.

The cybersecurity industry faces an uncomfortable truth: it must defend not only against external threats but also against its own members. The fox isn't just in the henhouse—sometimes the fox is the one you hired to guard it.
