
Iranian National Pleads Guilty in Robbinhood Ransomware Scheme

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


An Iranian national has pleaded guilty in a U.S. federal court for his role in a years-long ransomware and extortion campaign involving the Robbinhood ransomware strain. The campaign targeted U.S. cities and organizations, leading to widespread disruption of public services and millions of dollars in losses.

The defendant, Sina Gholinejad (also known as Sina Ghaaf), age 37, was arrested in North Carolina in January 2025. He pleaded guilty to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud. He faces up to 30 years in prison, with sentencing scheduled for August 2025.

The Scope of the Attack

According to the U.S. Department of Justice (DoJ), Gholinejad and his co-conspirators orchestrated a series of cyber intrusions across multiple U.S. organizations between January 2019 and March 2024. These intrusions included:

  • Unauthorized access to victim networks

  • Deployment of Robbinhood ransomware

  • Theft of sensitive data

  • Demands for Bitcoin ransom payments

Notable Victims

Two high-profile victims illustrate the impact of the operation:

  • City of Greenville, North Carolina

  • City of Baltimore, Maryland

The Baltimore attack alone resulted in over $19 million in damages. It disrupted key public services, including:

  • Online payments for property taxes and water bills

  • Parking citation processing

  • Other essential government functions

These services were down for months, causing not only financial loss but also public frustration and reduced civic operations.

Attack Methodology

Gholinejad’s group used a variety of advanced cybercrime tactics:

1. Initial Access and Persistence

The attackers gained initial access to systems through vulnerability exploitation or phishing, then maintained long-term unauthorized access.

2. Data Exfiltration

Before launching the ransomware, the attackers exfiltrated data to virtual private servers (VPS) under their control, giving them additional leverage in ransom negotiations.

3. BYOVD Exploitation

The attackers used a technique called Bring Your Own Vulnerable Driver (BYOVD), in which a legitimate but flawed driver is loaded onto the victim system so that its vulnerabilities can be abused from the kernel. In particular, they deployed the Gigabyte gdrv.sys driver, which is known to have security flaws. This allowed them to:

  • Escalate privileges

  • Disable antivirus and endpoint protection systems
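The defensive counterpart to the BYOVD step above is to watch driver-load telemetry for known abusable drivers. The following is an added example, not code from the article or from any of the parties it describes: it scans Sysmon-style "Driver loaded" (Event ID 6) records for the gdrv.sys driver named in the article and for unsigned drivers. The log lines are constructed, and the key=value layout is an assumption about how the events were exported.

```python
import re
from dataclasses import dataclass

# Driver file names known to be abused for BYOVD. gdrv.sys is the one named in
# the article; in production, seed this set from a maintained blocklist such as
# Microsoft's recommended driver block rules.
VULNERABLE_DRIVERS = {"gdrv.sys"}

# Constructed sample records in a key=value rendering of Sysmon Event ID 6.
# Note that gdrv.sys is flagged even though it carries a valid vendor signature:
# a signature check alone does not stop a BYOVD attack.
SAMPLE_LOG = r"""
EventID=6 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Signed=true Signature=Microsoft Windows
EventID=6 ImageLoaded=C:\Users\Public\gdrv.sys Signed=true Signature=Giga-Byte Technology
EventID=6 ImageLoaded=C:\Temp\GDRV.SYS Signed=false Signature=-
EventID=6 ImageLoaded=C:\Temp\unknown.sys Signed=false Signature=-
EventID=1 Image=C:\Windows\System32\svchost.exe
"""

# key=value pairs; a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Finding:
    path: str
    reason: str


def parse_record(line: str) -> dict:
    """Turn one exported event line into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def driver_name(path: str) -> str:
    """Last component of a Windows path, lower-cased for case-insensitive matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_vulnerable_driver_loads(log_text: str) -> list:
    """Return a Finding for every driver load that is either on the blocklist or unsigned."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "6":
            continue  # only driver-load events are of interest here
        path = rec.get("ImageLoaded", "")
        name = driver_name(path)
        if name in VULNERABLE_DRIVERS:
            findings.append(Finding(path, f"known vulnerable driver {name} loaded"))
        elif rec.get("Signed", "").lower() != "true":
            findings.append(Finding(path, "unsigned driver loaded"))
    return findings
```

Running `find_vulnerable_driver_loads(SAMPLE_LOG)` flags both gdrv.sys loads by name and the unsigned unknown.sys, while the Microsoft-signed tcpip.sys passes; this is the kind of behavioral monitoring the mitigation list later recommends.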

4. Ransomware Deployment

After disabling security controls, they launched Robbinhood ransomware, encrypting critical files and demanding cryptocurrency payments for decryption keys.

5. Anonymity and Evasion

To obscure their identities, the attackers relied on:

  • Virtual Private Networks (VPNs)

  • Cryptocurrency mixing services

  • Chain-hopping, or converting one cryptocurrency into another to avoid detection

Financial Impact and Laundering

The campaign led to tens of millions of dollars in losses, according to DoJ estimates. Victims not only suffered direct financial theft but also operational downtime, data loss, and public service outages.

The attackers laundered stolen funds using cryptocurrency tumblers and conversion services, making it difficult for law enforcement to trace the flow of assets.

Legal and Social Consequences

Acting U.S. Attorney Daniel P. Bubar emphasized the real-world consequences of cybercrime:

“Cybercrime is not a victimless offense – it is a direct attack on our communities. Gholinejad and his co-conspirators orchestrated a ransomware scheme that disrupted lives, businesses, and local governments, and resulted in losses of tens of millions of dollars from unsuspecting victims and institutions.”

The case reinforces the growing risk posed by international cybercrime groups, especially those who exploit software vulnerabilities to target critical infrastructure and municipal services.

Lessons and Mitigation

This case highlights the importance of proactive cybersecurity practices, especially for government agencies and public institutions. Recommended steps include:

  • Regular patching of known vulnerabilities

  • Network segmentation to limit lateral movement

  • Employee training to identify phishing attempts

  • Zero-trust architectures

  • Behavioral monitoring tools for early detection

Conclusion

The guilty plea of Sina Gholinejad marks a significant step in the international fight against ransomware syndicates. The Robbinhood campaign serves as a stark reminder that ransomware attacks have real, lasting impacts on communities and public trust. Strengthening cybersecurity defenses and fostering global cooperation remain critical to preventing such attacks in the future.