A 37-year-old Iranian national has pleaded guilty to his involvement in a significant international ransomware scheme that resulted in tens of millions of dollars' worth of damage and disrupted essential public services throughout the United States.
Sina Gholinejad entered a guilty plea on Tuesday, May 27, 2025, for his participation in the deployment of Robbinhood ransomware, malicious software that compromised various entities, including municipalities, businesses, and healthcare organizations, by locking their computer systems and demanding ransom payments.
Commencing in January 2019, Gholinejad and his accomplices, based outside the United States, exploited vulnerabilities to gain unauthorized access to the targeted networks. Upon infiltration, they siphoned off sensitive data and used Robbinhood ransomware to encrypt critical files, rendering them inaccessible. The perpetrators typically requested payment in Bitcoin to restore system access.
To obfuscate their activities, the criminals employed tactics such as cryptocurrency mixing services, which anonymize the flow of funds, in addition to chain-hopping among various digital currencies and utilizing virtual private networks for added anonymity.
The ramifications of these cyber incidents have been considerable, with Baltimore, Maryland, incurring losses exceeding $19 million due to the extensive damage and sustained interruption of vital services. For a prolonged period, residents faced challenges in online processing of property taxes, water bills, and parking citations.
Other cities, including Greenville, North Carolina; Gresham, Oregon; and Yonkers, New York, also experienced severe disruptions. Furthermore, the attackers leveraged the chaos they caused in cities like Baltimore to intimidate potential future victims, using their notoriety as a tactic to extort further payments.
The link between the Baltimore incident and other similar attacks has implications for broader cybersecurity concerns. The exploits used, such as the infamous EternalBlue, originated from a tool developed by the US National Security Agency (NSA) for breaching systems. The Shadow Brokers group leaked this powerful exploit in 2017, leading to widespread global cyberattacks like WannaCry and NotPetya. Notably, attackers involved in ransomware campaigns targeted cities like Baltimore, which is situated near the NSA headquarters, by employing this very tool.
The Justice Department has reaffirmed its dedication to prosecuting cybercriminals regardless of their geographic location, emphasizing that such cyberattacks represent a serious threat to local communities by disrupting lives and undermining local governance. Gholinejad’s guilty plea is considered a pivotal move toward delivering justice to the numerous affected entities.
As a result of his actions, Gholinejad faces charges of computer fraud and conspiracy to commit wire fraud, with a potential maximum sentence of 30 years in federal prison. His sentencing is set for August.
The investigation was spearheaded by the FBI’s Charlotte Field Office, with essential contributions from the FBI Baltimore Field Office and international partners in Bulgaria who played a critical role in evidence collection.
This case underscores the ongoing commitment of law enforcement to identify and prosecute individuals who exploit digital infrastructures for illicit gain, highlighting the pressing need for vigilance and robust cybersecurity measures among businesses and organizations.