
Ex-Cybersecurity Pros Get 4 Years In ALPHV/BlackCat Ransomware Case

May 7, 2026

Read also: The Karakurt ransomware negotiator sentenced to over 8 years, ex-medical worker charged for spying on co-workers, and more.


Ex-cybersecurity employees get 4 years in prison in the ALPHV/BlackCat ransomware case

Two former cybersecurity professionals have received prison sentences for their involvement in the ALPHV/BlackCat ransomware operation, which targeted organizations across the United States and globally.

Kevin Tyler Martin, 36, from Texas, and Ryan Clifford Goldberg, 40, from Georgia, each received four-year prison sentences after pleading guilty in December 2025. Prosecutors said that the two men collaborated to deploy the ALPHV/BlackCat ransomware in attacks carried out between April and December 2023, extracting substantial ransom payments from multiple victims.

They worked together with a third accomplice, Angelo Martino, 41, of Florida, who is set to be sentenced in July 2026. Authorities said the group leveraged their professional cybersecurity expertise to execute the attacks more effectively and increase ransom amounts.

At the time, Martin and Martino were employed by DigitalMint, a company focused on ransomware negotiation services, while Goldberg worked as an incident response manager at Sygnia. The ransomware used in the attacks was part of a now-defunct ransomware-as-a-service operation believed to have impacted over 1,000 victims worldwide.

In one instance, the group extorted about $1.2 million in Bitcoin from a single target. Authorities said Martin and Goldberg shared 80% of the proceeds with Martino and then attempted to conceal the funds through laundering.

Martino, who had previously worked as a ransomware negotiator, is accused of exploiting his role by providing attackers with confidential details about victims’ cyber insurance limits, allowing them to demand higher ransoms. He pleaded guilty last month.

A former pharmacist charged in years-long spyware scheme targeting co-workers

A former pharmacist at the University of Maryland Medical Center has been charged in a cyber intrusion case involving the alleged surveillance and hacking of more than 200 colleagues over nearly a decade.

Prosecutors say Matthew Bathula, 41, of Clarksville, carried out a sophisticated scheme between July 2016 and September 2024 while working as a pharmacy clinical specialist. He faces two counts of unauthorized access to protected computers and one count of aggravated identity theft.

Authorities allege Bathula used a variety of tools and methods to gain access to workplace computers and victims’ personal accounts, including keyloggers, cookie theft, mailbox rule manipulation, and other means to harvest usernames, passwords, images, videos, and other sensitive data from victims. This allowed him access to a wide range of online services, including Google Photos, iCloud, Gmail, Microsoft 365, and social media accounts. In some cases, he allegedly created email rules that automatically deleted cybersecurity alerts.

Bathula is also accused of installing spyware on company computers to conduct covert video surveillance, recording people without their consent, including female staff members in private situations such as undressing, pumping breast milk, and engaging in intimate activities at home.

If convicted, Bathula faces up to 10 years in prison for one count of unauthorized computer access, an additional five years for a second count, and a mandatory two-year sentence for aggravated identity theft.

Karakurt ransomware gang negotiator sentenced to 8.5 years in $56M case

A Latvian man who worked as a negotiator for a ransomware group has been sentenced to 8.5 years in a US federal prison. Deniss Zolotarjovs, 35, received a 102-month sentence after admitting to conspiracy involving money laundering and wire fraud.

Authorities say he played an important role in ransomware operations linked to a group called Karakurt (aka Conti, TommyLeaks, Royal, Akira, and SchoolBoys Ransomware), which was led by former leaders of the Akira and Conti ransomware gangs. He is the first known member of the Karakurt group to be extradited to the United States to face charges.

The organization operated from St. Petersburg, Russia, with a hierarchical structure and multiple front companies across several countries to hide its activities. It engaged in corruption, exploited public resources for profit, and included former law enforcement officers who used their connections to access government data, intimidate critics, and recruit members. Its leaders also evaded taxes and paid bribes to secure privileges, including exemptions from military service for members, according to the US Department of Justice.

Zolotarjovs was arrested in Georgia in December 2023 and brought to the US in August 2024. Between June 2021 and March 2023, he was involved in cyber-attacks targeting at least 53 victims, causing more than $56 million in losses.

Although he did not carry out the attacks himself, he reviewed stolen data and handled ransom negotiations. He often communicated directly with victims and advised his crew on how to pressure victims into paying. In one case, he allegedly threatened to release sensitive patient records from a pediatric healthcare provider on the Dark Web.

Prosecutors said he earned about 10% of the ransom payments, which were made in cryptocurrency and later moved through several digital wallets before being converted into Russian rubles.


Two US nationals sentenced in scheme aiding North Korean IT fraud

Two American men have been sentenced to prison for their roles in a scheme that helped generate revenue for the Democratic People’s Republic of Korea (DPRK) through fraudulent remote IT work arrangements.

Matthew Issac Knoot of Nashville, Tennessee, and Erick Ntekereze Prince of New York were each sentenced to 18 months in prison. Prosecutors said the pair helped a network of overseas IT workers by receiving and hosting company-issued laptops at their US residences.

According to court documents, the defendants allowed the devices to be shipped to their homes by US companies that believed the workers they had hired were based domestically. Knoot and Prince then installed remote desktop software on the laptops, enabling foreign co-conspirators to access the systems and perform work while appearing to operate from within the United States.

Authorities said the schemes were part of a broader effort to funnel money to North Korea. In total, the operations generated more than $1.2 million in revenue and affected nearly 70 US companies.

In an unrelated case, Marlon Ferro, aka 'GothFerrari,' was sentenced in the US to 78 months in prison for his role in a nationwide crypto theft operation that stole more than $250 million via social engineering schemes. Ferro helped the group by burglarizing victims’ homes to steal hardware wallets, including a 2024 theft of 100 bitcoin worth over $5 million. In addition to the prison sentence, he was ordered to pay $2.5 million in restitution and serve three years of supervised release.


A Romanian citizen extradited to the US to face charges over hacking

Romanian citizen Gavril Sandu, 53, has been extradited to the United States in connection with an international hacking and bank fraud scheme that dates back nearly 17 years. Sandu was indicted in 2017 on charges of bank fraud and conspiracy, arrested in Romania on January 9, 2026, and transferred to US custody on April 30, 2026.

According to prosecutors, between May 2009 and October 2010, Sandu and his co-conspirators allegedly hacked into the VoIP systems of small businesses and used them to place spoofed phone calls impersonating banks. The scheme, commonly known as “vishing,” tricked victims into disclosing debit card numbers and PINs, which were then used to access bank accounts and steal funds.

Authorities say Sandu collected the stolen banking credentials, encoded them onto forged magnetic stripe cards, and withdrew cash from compromised ATMs and bank accounts. Prosecutors also allege he acted as a money mule, distributing the proceeds among members of the criminal operation.

Following his extradition from Romania, Sandu was placed in federal custody pending trial. If convicted, he faces a maximum sentence of 30 years in prison.
