Iranian pleads guilty to launching Baltimore ransomware attack, faces 30 years behind bars

The hacker behind a ransomware attack on the city of Baltimore pleaded guilty on Tuesday to multiple hacking charges. 

Iranian national Sina Gholinejad, 37, admitted to using the Robbinhood ransomware variant to extort ransom payments from dozens of victims that included municipalities in New York and Oregon. Gholinejad was also behind a ransomware attack on the city of Greenville, North Carolina. 

Matthew Galeotti, head of the Justice Department’s Criminal Division, said Gholinejad and his overseas co-conspirators caused tens of millions of dollars in losses and disrupted essential public services by deploying the ransomware “against U. S. cities, health care organizations, and businesses.” 

The ransomware attack on Baltimore in May 2019 was one of the first to hit a notable U.S. city. Baltimore officials refused to pay the alleged $76,000 ransom. 

“The ransomware attack against the City of Baltimore forced the city to take hundreds of computers offline and prevented the city from performing basic functions for months,” Galeotti said. “There will be no impunity for these destructive attacks.”

The Justice Department said the attack on Baltimore caused $19 million worth of damage to the city and disrupted critical services for months, damaging a variety of municipal functions that generated revenue for the government.

Prosecutors noted that the hackers used their attack on Baltimore as an added extortion tactic, threatening other U.S. governments with a similar fate if they did not pay ransoms. 

Gholinejad pleaded guilty to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud. He is now facing a maximum penalty of 30 years in prison, with sentencing scheduled for August.  

According to court documents, Gholinejad and others began using Robbinhood ransomware in January 2019, and hacked into dozens of victim networks before extorting them for Bitcoin ransoms. 

In addition to Baltimore and Greenville, prosecutors said the hackers targeted the cities of Gresham, Oregon, and Yonkers, New York. Gholinejad and his co-conspirators continued their attacks until March 2024. 

Gholinejad was detained in North Carolina in early January, the DOJ said. The Justice Department thanked Bulgarian officials for their assistance in the investigation.

Correction: A previous version of this article said Gholinejad was arrested on January 30. He was actually detained earlier in the month.