An Iranian national has admitted to leading one of the most damaging ransomware attacks on U.S. infrastructure. His guilty plea marks a major step forward in the global fight against cybercrime.
Sina Gholinejad, 37, pleaded guilty in a North Carolina federal court on Tuesday to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud. Authorities say his actions caused tens of millions of dollars in losses across government and private networks.
Leader of RobbinHood Ransomware Campaign
Gholinejad was identified as a key figure behind the RobbinHood ransomware attacks. These began in January 2019 and continued through March 2024. The campaign mainly targeted critical infrastructure such as municipal governments, hospitals, and businesses.
One of the hardest-hit victims was the City of Baltimore. The Justice Department reported over $19 million in damages. The attack disrupted online services for property taxes, water bills, and parking tickets. City email and voicemail systems were also disabled. The attackers demanded 13 Bitcoins—around $76,000 at the time—to restore access.
Other cities impacted included Greenville, North Carolina; Gresham, Oregon; and Yonkers, New York. The widespread nature of the attacks exposed serious vulnerabilities in public sector cybersecurity.
Technical Sophistication of the Malware
RobbinHood gained notoriety for the way it disabled endpoint defences before encrypting anything. It used a “bring your own vulnerable driver” (BYOVD) tactic: the attackers shipped a legitimate, digitally signed but vulnerable Gigabyte driver (GDRV.SYS), tracked as CVE-2018-19320, and loaded it on the victim machine. Because the driver carries a valid signature, Windows loads it without complaint.
The vulnerability gives arbitrary read and write access to kernel memory. The attackers used that access to switch off Windows driver signature enforcement, which let them load their own unsigned driver (RBNL.SYS). This second driver terminated antivirus and other security processes from kernel mode, clearing the way for the ransomware to encrypt files without interruption.
Encryption Method and Network Disruption
The ransomware used two layers of encryption: AES to encrypt the contents of each file, and RSA-4096 to encrypt the AES keys with the attackers’ public key. Since the matching RSA private key never touched the victim’s systems, no file key could be unwrapped, and recovery without the attackers’ cooperation was effectively impossible.
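The two-layer scheme in working form, as an added illustration rather than RobbinHood’s own code: every file gets its own random AES key, that key is wrapped with the attacker’s RSA public key, and the plaintext key is discarded, so nothing left on the victim’s disk can be opened without the private key. The page states only AES for file contents and RSA-4096 for the keys; AES-GCM, RSA-OAEP with SHA-256, and all type and function names here are choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what remains on the victim's disk: the ciphertext, the
// per-file nonce, and the file's AES key wrapped with the attacker's RSA
// public key. The plaintext AES key is never stored.
type EncryptedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptFile draws a fresh 256-bit AES key for this one file, seals the
// contents with AES-GCM, then wraps the key with RSA-OAEP under pub. The
// victim machine only ever holds the public half, so it cannot unwrap.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// DecryptFile is the decryptor's side: unwrap the file key with the RSA
// private key, then open the AES-GCM body. Any other private key fails at
// the unwrap step, which is exactly why recovery hinges on the attacker's key.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: not the matching private key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed keys for the demonstration. RobbinHood used RSA-4096, so the
	// same size is used here; generating two such keys takes a few seconds.
	attacker, err := rsa.GenerateKey(rand.Reader, 4096)
	if err != nil {
		panic(err)
	}
	defender, err := rsa.GenerateKey(rand.Reader, 4096) // unrelated key, stands in for a recovery attempt
	if err != nil {
		panic(err)
	}
	ef, err := EncryptFile(&attacker.PublicKey, []byte("constructed sample file contents"))
	if err != nil {
		panic(err)
	}
	if _, err := DecryptFile(defender, ef); err != nil {
		fmt.Println("defender's key:", err)
	}
	pt, err := DecryptFile(attacker, ef)
	if err != nil {
		panic(err)
	}
	fmt.Println("attacker's key:", string(pt))
}
```

The point to take from running it is that a second RSA keypair, however large, fails at the unwrap step before AES is even reached; the only recovery paths are the attacker’s private key or backups that were offline when the encryptor ran.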
Before encryption began, the malware disconnected all mapped network shares with the command cmd.exe /c net use * /DELETE /Y. This cut each infected host off from shared storage, so the encryptor ran against local volumes and every system had to be compromised individually rather than through a mapped drive.
International Arrest and Prosecution
Gholinejad was arrested at Raleigh-Durham International Airport on January 10, 2025, after a lengthy international investigation. The probe involved multiple federal agencies and highlighted the global nature of cybercrime.
According to officials, the RobbinHood group used several techniques to hide its tracks and launder the Bitcoin ransom payments: VPNs to mask where the operators connected from, cryptocurrency mixers, and “chain-hopping,” in which funds are moved across different cryptocurrencies to break the trail on any single blockchain.
Bulgarian authorities played a key role in collecting evidence. The FBI’s Charlotte and Baltimore field offices led the investigation, with support from the Justice Department’s National Security Cyber Section.
Long-Term Impact
Gholinejad now faces a maximum prison sentence of 30 years. Prosecutors say the case sends a strong message that distance does not protect cybercriminals who target U.S. infrastructure.
The conviction marks a major milestone in efforts to dismantle ransomware networks that continue to threaten essential services nationwide.