Iranian National Pleads Guilty in Baltimore Robbinhood Ransomware Attack

City of Baltimore’s Website during attack.

WILMINGTON, N.C. — A 37-year-old Iranian man, Sina Gholinejad, also known as “Sina Ghaaf,” has pleaded guilty in federal court for his involvement in a ransomware scheme that struck multiple U.S. municipalities, including a high-profile 2019 attack on the City of Baltimore. Prosecutors say Gholinejad was part of a group that used Robbinhood ransomware to extort millions of dollars from local governments, hospitals, and nonprofits over a five-year span.

Scope of the Attack

Federal investigators revealed that the ransomware campaign operated from January 2019 through March 2024. It was designed to exploit vulnerable public-sector networks, locking out users and demanding cryptocurrency ransoms under threat of data exposure. Among its most disruptive targets was the City of Baltimore.

  • Timeline: The ransomware campaign spanned from January 2019 to March 2024.
  • Key Victims: Municipal networks in Baltimore, Greenville (N.C.), Gresham (Ore.), and Yonkers (N.Y.), as well as healthcare providers and nonprofit entities.
  • Baltimore Fallout: The 2019 attack forced hundreds of city computers offline, disrupted essential services—such as property tax, water billing, and parking citation processing—and inflicted over $19 million in losses after city officials refused a $76,000 ransom demand.

Modus Operandi

According to court documents, Gholinejad and others gained access to targeted systems by exploiting known software vulnerabilities and using stolen administrator credentials. Once inside, they initiated a pattern of data theft followed by file encryption, all while pressuring victims through threats of public exposure.

  • Gholinejad and his overseas associates infiltrated victim networks through compromised administrator accounts or unpatched vulnerabilities.
  • They then copied sensitive data to virtual private servers they controlled.
  • Next, they encrypted files using the Robbinhood ransomware.
  • The attackers demanded ransoms through Tor-based portals and threatened to leak stolen data if not paid in Bitcoin.
  • Laundered proceeds were moved using cryptocurrency mixing services and “chain-hopping” techniques to obscure financial trails.

Legal Proceedings

The Department of Justice charged Gholinejad with conspiracy to commit wire fraud and computer intrusion offenses. His guilty plea marks a significant win in efforts to hold international ransomware operators accountable.

  • Gholinejad pleaded guilty to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud.
  • He faces up to 30 years in prison, with sentencing scheduled for August 2025.
  • The case was brought by the U.S. Department of Justice and prosecuted in North Carolina, with investigative support from the FBI’s Charlotte and Baltimore offices, DOJ cybercrime units, and international partners.

Impact and Broader Significance

The Robbinhood case highlights the growing sophistication and geographic reach of ransomware actors. The financial and operational damage inflicted on local governments underscores the real-world consequences of these cyber threats.

  • Disruption of Public Services: The Baltimore attack exemplifies how ransomware can fundamentally disable critical urban infrastructure.
  • Financial Consequences: Tens of millions in losses—and prolonged service outages—highlight the serious, real-world effects of such cyberattacks.
  • Global Investigation: The case underscores international collaboration in tracking and prosecuting cybercriminals operating overseas.
  • Security Lessons: Ongoing vigilance is essential—patch management, network monitoring, and incident response capabilities remain vital for public-sector entities.

What Comes Next

Sentencing is expected in August 2025. Authorities continue to investigate potential co-conspirators and are working with international partners to identify others involved in similar attacks. The outcome of this case may influence future cybercrime prosecutions involving foreign nationals.
