Iranian Cybercriminal Pleads Guilty in Robbinhood Ransomware Attacks That Cost Baltimore $19 Million

An Iranian national has pleaded guilty in the United States for his role in an international ransomware and extortion operation involving the Robbinhood ransomware strain.

Sina Gholinejad, 37, and his co-conspirators are reported to have compromised the computer networks of multiple organizations across the U.S., encrypting essential files with Robbinhood ransomware and subsequently demanding Bitcoin payments as ransom.

Arrested in North Carolina in early January, Gholinejad pleaded guilty to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud. He faces a maximum sentence of 30 years in prison and is scheduled for sentencing in August 2025.

The attacks caused significant disruption and losses exceeding tens of millions of dollars, most notably to the City of Greenville, North Carolina, and the City of Baltimore, Maryland. The Baltimore city government alone suffered losses exceeding $19 million from damage to its computer networks, which disrupted several critical city services for extended periods, including online processing of property taxes, water bills, parking citations, and other revenue-generating functions.

Court documents reveal that from January 2019 to March 2024, Gholinejad and his associates maintained unauthorized access to their victims’ computer networks, exfiltrating sensitive information and staging it on virtual private servers under their control before deploying the ransomware.

The illicit financial gains were laundered through cryptocurrency mixing services and by transferring assets across various cryptocurrencies, a method known as chain-hopping. To further obscure their identities and activities, the threat actors employed virtual private networks and servers.

Robbinhood is notable among ransomware families for its use of “bring your own vulnerable driver” (BYOVD) attacks: it loads a legitimately signed but vulnerable Gigabyte driver (gdrv.sys) and exploits it to escalate privileges and evade security controls.

Acting U.S. Attorney Daniel P. Bubar for the Eastern District of North Carolina emphasized that cybercrime poses a genuine threat to communities, stating, “Gholinejad and his co-conspirators orchestrated a ransomware scheme that disrupted lives, businesses, and local governments, resulting in significant financial losses for unsuspecting victims and institutions.”