Cybersecurity pros admit to moonlighting as ransomware scum
Summary
Two US-based cybersecurity professionals — a ransomware negotiator and a security incident response manager — have pleaded guilty to conspiring to use ALPHV (BlackCat) ransomware to extort organisations. According to the US Department of Justice, the pair and a third co-conspirator became ALPHV affiliates, agreeing to pay the gang 20% of ransom receipts in exchange for use of the malware.
The defendants are accused of deploying ransomware against five targets between May and November 2023: a medical device company, a pharmaceutical firm, a doctor’s office, an engineering company and a drone manufacturer. Only the medical device company paid, transferring about $1.2m in bitcoin, which the three defendants split and then attempted to launder. The two named defendants pleaded guilty to one count of conspiracy to obstruct, delay, or affect commerce by extortion and face sentencing in March, with potential sentences up to 20 years each.
Key Points
- Two cybersecurity professionals admitted guilt for running ransomware attacks as ALPHV/BlackCat affiliates.
- They agreed to pay ALPHV operators 20% of any ransom payments for access to the ransomware.
- Attacks targeted five US organisations from May–November 2023; only one victim (a medical device company) paid, roughly $1.2m in bitcoin.
- The defendants used their infosec expertise to deploy the ransomware and extort victims — a stark example of insider-enabled cybercrime.
- The DOJ is prosecuting; sentencing is scheduled for March, with each defendant facing up to 20 years in prison.
- ALPHV/BlackCat remains a high-profile ransomware actor, notable for major incidents such as the 2024 Change Healthcare attack.
Why should I read this?
Because it’s bonkers: folks whose job is to stop attacks moonlighted as the attackers. If you care about security, risk or hiring — this story shows why background checks, separation of duties and monitoring matter. Also, it’s a neat snapshot of how organised ransomware operations recruit and monetise insider skills.
Context and relevance
This case underlines a growing and worrying trend: highly skilled defenders turning criminal or abetting ransomware gangs. Beyond the criminal charges, the incident highlights a supply-chain-style risk in which trusted skills and access are turned against the organisations that rely on them. For security teams and leaders, it reinforces the need for stronger governance, insider-threat detection, and robust post-incident reviews. It also shows how ransomware-as-a-service models (like ALPHV) monetise affiliates and enable rapid, targeted campaigns against critical sectors.
