Iranian National Pleads Guilty in Robbinhood Ransomware Attacks on U.S. Cities

A major figure behind a years-long international ransomware operation targeting American cities and critical organizations has pleaded guilty in federal court. Sina Gholinejad, a 37-year-old Iranian national, faces decades in prison for his role in cyberattacks causing tens of millions in damages and crippling essential public services.

Gholinejad entered guilty pleas to charges of computer fraud and conspiracy to commit wire fraud. His arrest occurred earlier this year at Raleigh-Durham International Airport, leading to the recent court proceedings. Federal authorities confirmed he could receive a maximum sentence of 30 years, with sentencing scheduled for August.

According to an unsealed indictment, Gholinejad and unidentified accomplices orchestrated a series of ransomware strikes between early 2019 and March 2024. They specifically deployed the notorious Robbinhood ransomware variant to encrypt files on victim networks, demanding cryptocurrency payments to restore access. Their targets spanned healthcare providers, corporations, and multiple U.S. municipalities.

The attacks inflicted severe disruption. One high-profile victim was Baltimore, Maryland, suffering a debilitating ransomware assault in 2019. City officials reported damages exceeding $19 million due to network destruction and prolonged service outages. Critical functions like processing property taxes, water bills, and parking fines were paralyzed for months. Federal prosecutors revealed the conspirators even exploited the damage inflicted on cities like Baltimore to intimidate subsequent victims.

While court documents don't explicitly link Gholinejad to Iranian state actors, the case highlights ongoing concerns about cyber threats originating from Iran. U.S. agencies have repeatedly warned about Iranian government-affiliated hacking groups, including the Islamic Revolutionary Guard Corps, targeting American infrastructure. A separate incident in late 2023 involved the group "Cyber Av3ngers" compromising a Pennsylvania water authority's Israeli-made control systems.

The Justice Department detailed the group's methods. They used specialized hacking tools to infiltrate computer networks without authorization. Once inside, they exfiltrated sensitive data, storing it on servers they controlled. The Robbinhood ransomware was then activated to lock victims out of their own systems. Extortion demands followed, requiring Bitcoin payments in exchange for decryption keys.

Attempts to conceal their activities and profits were sophisticated. The conspirators allegedly used cryptocurrency mixing services and converted between different digital currencies to launder ransom payments. They also hid their identities using virtual private networks and private servers.

Beyond Baltimore, confirmed victims include the cities of Gresham, Oregon; Yonkers, New York; and Greenville, North Carolina. The Glenn-Colusa Irrigation District in California and the New York-based nonprofit Berkshire Farm Center and Services for Youth were also compromised.

Matthew R. Galeotti, head of the Justice Department's Criminal Division, emphasized the widespread harm: "Gholinejad and his overseas co-conspirators caused tens of millions in losses and disrupted essential public services by deploying Robbinhood ransomware against U.S. cities, healthcare providers, and businesses. The attack on Baltimore forced the city offline for months, preventing basic municipal functions."

This conviction marks a significant step in combating transnational cybercrime, underscoring the severe consequences for those who weaponize ransomware against critical infrastructure and public institutions.