Double Agent: Florida Ransomware Negotiator Pleads Guilty to Aiding BlackCat/ALPHV Attacks
In a staggering breach of professional ethics, a third cybersecurity "expert" has admitted to operating as an inside man for one of the world's most prolific ransomware cartels, using his position to facilitate extortions instead of preventing them.
TAMPA, FL — The U.S. Department of Justice (DOJ) announced today that Pavel Goldberg, a Florida resident and professional ransomware negotiator, has pleaded guilty to conspiracy to commit computer fraud and extortion. Goldberg admitted to acting as a "double agent" for the notorious BlackCat (ALPHV) ransomware-as-a-service (RaaS) group, making him the third cybersecurity professional to fall in a sprawling federal investigation into Western collaborators aiding the Russian-linked gang.
The case has sent shockwaves through the incident response (IR) community, exposing a dark reality where the individuals hired to mitigate cyberattacks are sometimes the ones ensuring their success.
The Triple-Threat: U.S. Collaborators Plead Guilty
The "Inside Out" Extortion Strategy
Goldberg’s role was uniquely insidious. Working as a third-party negotiator for victimized companies, he was tasked with lowering ransom demands. Instead, according to court documents and The Register, Goldberg used his "behind-the-scenes" access to victim networks to feed sensitive information back to the BlackCat operators.
By revealing a victim's insurance limits, financial liquidity, and critical data locations to the hackers, Goldberg ensured that BlackCat could maintain maximum pressure. In several instances, he allegedly coached the attackers on how to respond to his own "negotiation" tactics to justify a higher final payout — of which he took a significant commission.
A Pattern of Professional Betrayal
Goldberg is not an isolated case. His plea follows those of two other U.S.-based cybersecurity professionals — Charles Onwuneme and Ifeanyi Eke — who previously admitted to similar roles within the BlackCat ecosystem.
- Access Brokerage: The trio allegedly helped identify high-value U.S. targets in the healthcare and critical infrastructure sectors.
- Credential Sharing: In some cases, the "professionals" used their authorized access to install backdoors that the ransomware gang would later use to deploy encryption payloads.
- Financial Laundering: The DOJ has already seized over $10 million in cryptocurrency linked to this specific "insider" cell.
"The betrayal of trust in this case is profound," a DOJ official stated. "These individuals were the 'firefighters' who were secretly pouring gasoline on the buildings they were paid to save."
The CyberSignal Analysis
Signal 01 — The Professional "Vetting" Crisis
This incident is a definitive "Signal" for third-party risk. If your incident response firm is compromised, your entire recovery strategy is a liability. For B2B leaders, this case highlights a desperate need for negotiator vetting. It is no longer enough to hire a firm based on a brochure; you must require transparency regarding their internal audits and background checks. This is the ultimate "Shadow Supply Chain" risk — where the risk is the human in the loop.
Signal 02 — The Identity of the "Insider" has Changed
This is a critical "Signal" for Threat Actors. Traditionally, "insider threats" were disgruntled employees. In 2026, the "insider" is a third-party contractor with high-level permissions. This case reinforces the necessity of zero trust security — specifically the principle of "Trust but Verify" for external IR teams. Even the people saving your network must be monitored by automated audit logs that they cannot delete or modify.
