Fri 10 Jul 2026 / 14:39 ET
Kernel
Security 3 min read

Ryuk defendant pleads guilty as Blackcat fixer gets 70 months

U.S. prosecutors advanced two ransomware cases involving Ryuk and Blackcat, including a guilty plea in Oregon and a Florida prison sentence.

Dana Voss

By Dana Voss / Security Correspondent

Ryuk defendant pleads guilty as Blackcat fixer gets 70 months
img: The Record

U.S. prosecutors secured two ransomware case wins this week, one against an alleged Ryuk operator and another against a former ransomware negotiator who, according to the Justice Department, fed victim negotiation details to Blackcat attackers.

Karen Serobovich Vardanyan, a 34-year-old Armenian citizen, pleaded guilty Wednesday in federal court in Oregon to conspiracy and computer fraud. Prosecutors said Vardanyan spent roughly six months, starting in November 2019, breaking into corporate networks and installing Ryuk ransomware.

In a separate Florida case, Angelo Martino, 41, of Land O’Lakes, was sentenced to 70 months in federal prison for his role in extortion attacks tied to Blackcat, also known as AlphV. The Justice Department said Martino helped the gang pressure several victims beginning in April 2023.

Ryuk case reaches a guilty plea

Vardanyan was arrested in Kyiv in April and extradited from Ukraine to the United States in June 2025, according to prosecutors. He faces a maximum sentence of five years in prison and has agreed to pay more than $1.1 million in restitution. His sentencing is set for September 22.

The Justice Department said Vardanyan and unnamed co-conspirators attacked a Michigan company that paid 200 bitcoin, worth more than $1.1 million at the time, to regain access to its systems. Prosecutors also said the group hit a company in Wilsonville, Oregon, and a Texas school in February 2020.

Ryuk appeared in 2018 and became known for attacks against larger organizations with high ransom demands. Law enforcement agencies and cybersecurity researchers have linked Ryuk to broader cybercrime crews, including Conti and Trickbot. Those links matter because ransomware crews tend to rebrand, splinter and reuse infrastructure, while victims are left dealing with the same operational wreckage under new names.

U.S. authorities say Vardanyan’s prosecution sits alongside other pending cases. Armenian national Levon Georgiyovych Avetisyan has been charged with conspiracy, fraud and extortion, as have Ukrainian nationals Oleg Nikolayevich Lyulyava and Andrii Leonydovich Prykhodchenko. Prosecutors said last year that Avetisyan was detained in France, while Lyulyava and Prykhodchenko were not in custody.

Negotiator becomes extortion defendant

Martino’s case has a different kind of ugliness. He had worked as a ransomware negotiator, a job built on limiting damage for victims. Prosecutors said he instead used that position to help Blackcat attackers extract larger payments.

According to the Justice Department, Blackcat operators paid Martino to hand over confidential information about victims’ negotiating positions and strategies. That gave the attackers a better read on what targeted organizations might pay, which is exactly the sort of inside information a victim hires a negotiator to protect.

Martino surrendered to U.S. Marshals in March and pleaded guilty in April to an extortion charge, prosecutors said. Two other men tied to the same matter, Ryan Goldberg and Kevin Martin, pleaded guilty to extortion charges earlier this year and received four-year prison sentences in May.

Martin and Martino worked as ransomware negotiators for DigitalMint, while Goldberg worked for incident response company Sygnia, according to prosecutors. DigitalMint has since added controls requiring negotiations to take place on cloud-based systems that can be logged and audited, and one of its founders is personally supervising negotiations.

The Justice Department’s announcements do not end either ecosystem. They do show prosecutors continuing to pursue not only malware operators and money movers, but also people inside the incident-response pipeline who allegedly turned victims’ emergency plans into leverage for the attackers.

This story draws on original reporting from The Record.

More Security/

view all ↗