In a significant development in the fight against cybercrime, 37-year-old Iranian national Sina Gholinejad has pleaded guilty in a U.S. federal court to charges stemming from a series of ransomware attacks that targeted multiple American municipalities and organizations. These cyberattacks, executed using the RobbinHood ransomware, resulted in substantial financial losses and operational disruptions across the United States.
The Cyberattack Campaign
Between January 2019 and March 2024, Gholinejad and his unidentified co-conspirators orchestrated a sophisticated cyberattack campaign. They infiltrated the computer networks of various entities, including city governments and private organizations, encrypting critical files and demanding ransom payments in Bitcoin. The RobbinHood ransomware was their tool of choice, known for its ability to disable security measures and encrypt data, rendering systems inoperable until a ransom was paid.
Impact on Baltimore and Other Cities
One of the most notable victims was the City of Baltimore, Maryland. In May 2019, Baltimore’s computer systems were compromised, leading to the encryption of numerous files and the disruption of essential city services. The attackers demanded a ransom of approximately $76,000 in Bitcoin. Baltimore officials refused to pay, resulting in prolonged service outages and recovery efforts that cost the city over $19 million. Services affected included the processing of property taxes, water bills, and parking citations, causing significant inconvenience to residents and financial strain on the city’s operations.
Other municipalities targeted in this campaign included Greenville, North Carolina; Gresham, Oregon; and Yonkers, New York. Each of these cities faced similar challenges, with encrypted data leading to service disruptions and substantial recovery costs.
Legal Proceedings and Charges
Gholinejad was apprehended at Raleigh-Durham International Airport in North Carolina in January 2025. Following his arrest, he faced multiple charges, including computer fraud and abuse, and conspiracy to commit wire fraud. In May 2025, he pleaded guilty to these charges in a North Carolina federal court. He now faces a maximum sentence of 30 years in prison, with sentencing scheduled for August 2025.
Modus Operandi
The cybercriminals employed a range of tactics to execute their attacks. They gained unauthorized access to victim networks, often through phishing campaigns or by exploiting software vulnerabilities. Once inside, they deployed the RobbinHood ransomware, which encrypted files and disabled security features. To conceal their identities and evade detection, the attackers used virtual private networks (VPNs) and virtual private servers (VPSs). The ransom payments, demanded in Bitcoin, were laundered through cryptocurrency mixing services and by converting funds between different cryptocurrencies, a technique known as chain-hopping.
Broader Implications and Responses
This case underscores the growing threat posed by international cybercriminals and the significant impact such attacks can have on public services and infrastructure. Acting U.S. Attorney Daniel P. Bubar for the Eastern District of North Carolina emphasized the severity of these crimes, stating, "Cybercrime is not a victimless offense – it is a direct attack on our communities." He highlighted the extensive disruptions and financial losses caused by Gholinejad and his co-conspirators, affecting lives, businesses, and local governments.
The Federal Bureau of Investigation (FBI) played a crucial role in investigating these attacks. James Barnacle Jr., Acting Special Agent in Charge of the FBI’s Charlotte Field Office, noted that the perpetrators believed they could conduct their illegal activities safely from overseas. He affirmed the FBI’s commitment to pursuing cybercriminals, regardless of their location, to protect U.S. citizens and institutions.
International Context
While this case does not allege direct state sponsorship, it highlights the broader context of cyber activities linked to Iranian nationals. In recent years, U.S. authorities have identified and sanctioned individuals and entities associated with Iran’s Islamic Revolutionary Guard Corps (IRGC) for conducting cyberattacks targeting U.S. infrastructure and private sector entities. These actions reflect a growing concern over state-affiliated cyber operations and their potential to disrupt critical services and compromise sensitive information.
Conclusion
The guilty plea of Sina Gholinejad marks a significant milestone in addressing international cybercrime. It serves as a reminder of the persistent threats posed by ransomware attacks and the importance of robust cybersecurity measures. As cybercriminals continue to evolve their tactics, collaboration between international law enforcement agencies and proactive defense strategies remain essential in safeguarding public and private sector entities from such malicious activities.