Okay, my people, grab a coffee and buckle in, this one is wild. Recently, the United States Department of Justice (DOJ) announced something that hits deep: three U.S. cybersecurity professionals, yes, the very people entrusted to defend, are alleged to have run a ransomware scheme targeting companies across the U.S. (Reuters, Nov 3 2025)
That’s right. The bad guys weren’t only the unknown masked hackers. Some of them wore the white-hat gear. And we’ve got to talk about what this means for everyone, from security teams to you as an individual. Let’s go.
What happened?
Here are the facts, straight up, as reported by Reuters:
- The indictment, filed in Miami federal court, names two of the accused: Ryan Goldberg and Kevin Martin. They are accused of collaborating with the ransomware group ALPHV BlackCat to encrypt victim networks and demand cryptocurrency ransom.
- The victims were U.S. companies based in California, Florida, Virginia, and Maryland; the article notes that their names weren’t disclosed.
- Martin previously worked at cybersecurity firm DigitalMint, and Goldberg was an incident-response manager at Sygnia. Both companies stated they had no knowledge of the alleged activity and cooperated fully with investigators.
- A third conspirator remains unnamed in public filings but is believed to have also worked for a cybersecurity firm.
- Goldberg is currently in custody pending trial, while Martin pleaded not guilty.
So: people inside the fortress reportedly were opening the gates. Something that should worry every security team, every business leader, and yes, every one of us.
Why this matters, big time
Let me break it down for you, because this is serious:
1. Trust gone wrong
When you hire or rely on someone as a cybersecurity pro, you’re trusting them to protect your data, systems, and reputation. If that person uses that access to attack instead, boom, your worst fear becomes real. The betrayal is massive.
2. Insider threat supersized
We talk a lot about phishing, external hackers, nation-state actors. That’s valid. But here, the insider angle is front and center. Someone with privileged access, technical knowledge, maybe even respected in the field, allegedly flips sides. That raises the stakes for how you vet, monitor, and manage your security talent.
3. Attack surface expands
An insider knows your architecture, your weak spots, your incident-response playbook, or at least more than a random hacker. That means the attack can be more precise and more devastating.
4. Reputation & supply-chain risk
If a vendor or responder you hired was implicated, your company’s reputation suffers by association. The ripple effects: clients lose faith, regulators look closer, insurance gets tricky.
5. A warning for all organisations
Whether you’re a small firm, a large enterprise, or just maintaining your personal data, this shows that threats can come from unexpected places. And the usual “external attacker” mindset might miss the mark.
What we can learn, actionable tips
I’ve been walking in this field for years, and yes, there are some basic but powerful defenses. So hear me out, family, here is what I call the five pillars of trust & control you need to reinforce.
Pillar 1: Validate your people
- Background checks matter, especially for roles with system-level access.
- Monitor employment history and technical credentials.
- Keep access under the least privilege principle.
- Don’t assume “trusted” means “safe.”
Pillar 2: Monitor and audit access continuously
- Log everything privileged users do.
- Watch for behavioural anomalies: odd logins, unusual data transfers.
- Build automated alerts for “never-should-happen” events.
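To make Pillar 2 concrete, here is an added example (my own illustration, not code from the original post or from any of the firms it names) that runs the three ideas above over a constructed audit log: never-should-happen events, privileged logins at odd hours or from a source the account has never used, and a data transfer far above that user’s own baseline. The JSON-lines log format, field names, role names, business hours and the 10x transfer threshold are all assumptions for illustration.

```python
"""Added example: a minimal privileged-activity monitor.
The log format, field names and thresholds are assumptions, not a real product's."""
from collections import defaultdict
from datetime import datetime
import json

# Constructed sample audit log (JSON lines). Nothing here is real data.
SAMPLE_LOG = """
{"ts":"2025-11-03T09:12:00","user":"alice","role":"admin","event":"login","src":"10.0.5.21","bytes":0}
{"ts":"2025-11-03T10:40:00","user":"alice","role":"admin","event":"file_read","src":"10.0.5.21","bytes":4096}
{"ts":"2025-11-03T11:05:00","user":"bob","role":"analyst","event":"login","src":"10.0.5.33","bytes":0}
{"ts":"2025-11-03T14:20:00","user":"bob","role":"analyst","event":"file_read","src":"10.0.5.33","bytes":120000}
{"ts":"2025-11-04T02:47:00","user":"alice","role":"admin","event":"login","src":"203.0.113.9","bytes":0}
{"ts":"2025-11-04T02:51:00","user":"alice","role":"admin","event":"file_read","src":"203.0.113.9","bytes":9800000000}
{"ts":"2025-11-04T02:58:00","user":"alice","role":"admin","event":"audit_logging_disabled","src":"203.0.113.9","bytes":0}
{"ts":"2025-11-04T03:01:00","user":"alice","role":"admin","event":"backup_deleted","src":"203.0.113.9","bytes":0}
"""

BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 local time (assumed policy)
PRIVILEGED_ROLES = {"admin"}       # roles whose logins get extra scrutiny (assumed)
NEVER_EVENTS = {"audit_logging_disabled", "backup_deleted", "mfa_disabled"}
TRANSFER_MULTIPLIER = 10           # alert when a read is 10x the user's prior max (assumed)


def parse_log(text):
    """Parse JSON-lines audit records into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def detect(events):
    """Return a list of (rule, user, detail) alerts, in log order."""
    alerts = []
    seen_src = defaultdict(set)    # user -> source addresses already used
    max_bytes = defaultdict(int)   # user -> largest transfer seen so far (per-user baseline)
    for e in events:
        privileged = e["role"] in PRIVILEGED_ROLES
        # Rule 1: never-should-happen events alert no matter who performed them
        if e["event"] in NEVER_EVENTS:
            alerts.append(("never_event", e["user"], e["event"]))
        # Rule 2: privileged login at an odd hour, or from a source this account never used
        if e["event"] == "login" and privileged:
            if e["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("odd_hour_login", e["user"], e["ts"].isoformat()))
            if seen_src[e["user"]] and e["src"] not in seen_src[e["user"]]:
                alerts.append(("new_source_login", e["user"], e["src"]))
        seen_src[e["user"]].add(e["src"])
        # Rule 3: transfer far above the user's own historical maximum
        if e["bytes"] > 0:
            baseline = max_bytes[e["user"]]
            if baseline and e["bytes"] > baseline * TRANSFER_MULTIPLIER:
                alerts.append(("unusual_transfer", e["user"], e["bytes"]))
            max_bytes[e["user"]] = max(baseline, e["bytes"])
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as-is and the admin account’s night-time session produces five alerts, in order: the odd-hour login, the login from a never-seen source, the outsized read, and the two never-should-happen events. The point of keeping a per-user baseline rather than one global threshold is that an analyst who routinely pulls large datasets should not drown out an admin whose normal activity is tiny.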
Pillar 3: Incident response with suspicion
- Train your team to handle scenarios where a responder might also be a suspect.
- Enforce dual control for high-risk changes.
- Run insider-threat red-team exercises regularly.
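Dual control is easy to say and easy to get subtly wrong, so here is an added example (again my own illustration, not code from the original post or from any named firm) of a two-person rule for high-risk changes during incident response: the requester can never approve their own change, approvers must hold an approving role, two distinct approvers are required, and every decision is written to an audit trail. The action names, role names and the in-memory store are assumptions for illustration.

```python
"""Added example: a two-person-rule gate for high-risk changes.
Action names, roles and the in-memory approval store are illustrative assumptions."""
from dataclasses import dataclass, field

# Changes that must never run on one person's say-so (constructed list)
HIGH_RISK_ACTIONS = {"disable_mfa", "grant_domain_admin", "delete_backups",
                     "disable_audit_logging", "rotate_kms_key"}
APPROVER_ROLES = {"security_lead", "ciso"}   # roles allowed to approve (assumed)
REQUIRED_APPROVALS = 2


@dataclass
class ChangeRequest:
    requester: str
    action: str
    approvals: list = field(default_factory=list)   # approver usernames
    history: list = field(default_factory=list)     # audit trail of every decision


class DualControlError(Exception):
    pass


def approve(req, approver, roles):
    """Record an approval; refuse self-approval, duplicates and unauthorised approvers."""
    if approver == req.requester:
        req.history.append(f"REJECTED self-approval by {approver}")
        raise DualControlError("requester cannot approve their own change")
    if approver in req.approvals:
        raise DualControlError(f"{approver} already approved")
    if not roles.get(approver, set()) & APPROVER_ROLES:
        req.history.append(f"REJECTED approval by {approver}: not an approver role")
        raise DualControlError(f"{approver} is not authorised to approve")
    req.approvals.append(approver)
    req.history.append(f"APPROVED by {approver}")


def can_execute(req):
    """True when the change may run: low-risk, or enough distinct non-requester approvals."""
    if req.action not in HIGH_RISK_ACTIONS:
        return True
    distinct = set(req.approvals) - {req.requester}
    return len(distinct) >= REQUIRED_APPROVALS


def execute(req):
    """Run the change only if dual control is satisfied; log the outcome either way."""
    if not can_execute(req):
        req.history.append(f"BLOCKED {req.action}: {len(req.approvals)}/{REQUIRED_APPROVALS} approvals")
        raise DualControlError("dual control not satisfied")
    req.history.append(f"EXECUTED {req.action} requested by {req.requester}, approved by {req.approvals}")
    return True


# Constructed role directory for the demo
ROLES = {"ivan": {"incident_responder"}, "maria": {"security_lead"},
         "chen": {"ciso"}, "sam": {"analyst"}}


def demo():
    """Walk one high-risk request through the gate and return what happened."""
    req = ChangeRequest(requester="ivan", action="disable_audit_logging")
    for approver in ("ivan", "sam"):           # self-approval and a non-approver: both refused
        try:
            approve(req, approver, ROLES)
        except DualControlError:
            pass
    blocked = not can_execute(req)             # no valid approvals yet
    approve(req, "maria", ROLES)
    still_blocked = not can_execute(req)       # one approval is not enough
    approve(req, "chen", ROLES)
    ran = execute(req)
    return blocked, still_blocked, ran, req.history


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

The responder who raised the request is the one the gate is most interested in: even if they also hold an approver role, their own approval is discarded, so a single compromised or malicious account can neither request nor push through a change that disables logging or deletes backups. The audit trail of rejected attempts is itself a detection signal worth forwarding to the monitoring from Pillar 2.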
Pillar 4: Vendor & partner risk management
- Vet third-party security firms like you would vet your own staff.
- Contractually require audit rights and transparency.
- Have an emergency exit plan if your vendor gets compromised.
Pillar 5: Build a culture of integrity and reporting
- Encourage open reporting of suspicious activity.
- Reward honesty and accountability.
- Keep cybersecurity ethics front and center, not just technical skill.
Final thoughts
Look, this isn’t about scaring you, it’s about sharpening you. When defenders become attackers, the system doesn’t just crack, it shatters trust. And as defenders, we’ve got to be ready for that twist.
If you remember one thing from this: don’t trust blindly, verify always. The adversary may wear your colours. Stay vigilant. Stay sharp. And most importantly: keep your systems, your data, and your people safe.
See you later, my people. Stay safe.
References
- Reuters. (Nov 3 2025). U.S. prosecutors say cybersecurity pros ran cybercrime operation. Retrieved from https://www.reuters.com/legal/government/us-prosecutors-say-cybersecurity-pros-ran-cybercrime-operation-2025-11-03