Hack attacks carried out by rogue workers at Chicago firm tackling ransomware threats, FBI says

Rogue employees of a Chicago company that specializes in negotiating ransoms to mitigate cyber attacks were carrying out their own piracy in a plot to extort millions of dollars from a series of companies, prosecutors say.

Kevin Tyler Martin, a ransomware threat negotiator for River North-based DigitalMint at the time of the alleged conspiracy, was among two men indicted in the scheme. A suspected accomplice who wasn’t indicted was also employed at DigitalMint, court records show.

DigitalMint has denied any wrongdoing, fired both employees and cooperated with the investigation.

Also indicted was Ryan Clifford Goldberg, an incident response manager for the multinational company Sygnia Cybersecurity Services. Sygnia said it “is not the target of this investigation, however we continue to work closely with law enforcement.”

According to an affidavit filed in September by an FBI agent, the three men began using malicious software in May 2023 “to conduct ransomware attacks against victims,” first hitting a medical company in Florida by locking its servers and demanding $10 million to unlock the systems, court records say .

The FBI agent noted the men ultimately made off with $1.2 million, although it was apparently the only successful attack.

Ransomware attacks have become increasingly common and pose challenges for targetedcompanies, hospitals and universities. The malicious software can be unwittingly downloaded by simply opening an email attachment or following a link.

“Once the code is loaded on a computer, it will lock access to the computer itself or data and files stored there,” the FBI says. “More menacing versions can encrypt files and folders on local drives, attached drives, and even networked computers.”

To regain access, victims are can be pushed to pay a ransom.

Martin, Goldberg and the other unnamed suspect also are accused of targeting a pharmaceutical company from Maryland; demanding $5 million from a California doctor’s office; seeking $1 million from an engineering firm in California; and trying to extort $300,000 from a Virginia-based drone manufacturer.

Their scheme continued until April 2025, according to the FBI. Goldberg was interviewed by agents that June, “initially denying being involved in the ransomware attacks.” He claimed he was recruited by the third suspect, who wasn’t indicted, described in court records only as “Co-Conspirator 1.”

Goldberg said the $1.2 million the medical company paid in cryptocurrency was routed “through a mixing service and then through multiple cryptocurrency wallets” in an effort to hide the digital cash.

Goldberg told the FBI he engaged in the scheme to get out of debt and feared he was “going to federal prison for the rest of [his] life.”

He said Martin told him the FBI had raided the home of “Co-Conspirator 1” on April 3, according to the FBI affidavit.

The following month, Goldberg searched the name of “Co-Conspirator 1” along with “doj.gov,” the Justice Department’s website, records show. He also asked : “Why would somebody who was accused and admitted to an FBI agent be let go but later indicted?”

Ten days after his interview with the FBI, on June 27, Goldberg and his wife flew from Atlanta to Paris on a one-way flight. But at that time, officials believed that Goldberg and his wife were still in Europe.

Martin and Goldberg were indicted Oct. 2 on charges of conspiracy to interfere with interstate commerce by extortion; interference with interstate commerce; and intentional damage to a protected computer.

Records show Goldberg has been taken into custody and was ordered held pending trial, and Martin was freed in lieu of $400,000 bond. Their lawyers didn’t respond to questions and Martin declined to comment.

In May 2024, Martin spoke at the Technology Law Conference in Austin, Texas, where he was described as a current DigitalMint employee. He explained he worked on behalf of companies to help negotiate ransom payments — after allegedly stealing more than $1 million in such an attack.

Before Martin was indicted, he was described in the FBI affidavit as “Co-Conspirator 2, a United States citizen and resident of Texas” who “was employed as a ransomware negotiator for a cyber-incident response company” between May 2023 and April 2025.

“Co-Conspirator 1” was described in the affidavit as a Florida resident who was “employed as a ransomware negotiator for the same cyber-incident response company.”

The indictment noted that Martin lived in Roanoke, Texas, and “Co-Conspirator 1” resided in Land O’ Lakes Florida.

DigitalMint issued a statement in July saying the company was cooperating with an investigation involving an employee who had been fired amid accusations of “unauthorized conduct.” The company said it wasn’t targeted in the probe.

“Trust is earned every day. As soon as we were able, we began communicating the facts to affected stakeholders.” Grens said at the time. “This level of transparency is a key part of the culture that has driven DigitalMint’s success.”

When the indictment was handed up, DigitalMint issued a memo confirming an employee had been indicted and saying the company “continues to be a cooperating witness in the investigation and not an investigative target.”

The alleged crimes “took place outside of DigitalMint’s infrastructure and systems,” the company said, and the suspects “did not access or compromise client data as part of the charged conduct.”

“As expected, the indictment does not allege that the company had any knowledge of or involvement in the criminal activity,” the company said.