{
	"id": "ec9b0508-0242-4413-b5e0-91c56f44dd9e",
	"created_at": "2026-04-06T15:53:31.017522Z",
	"updated_at": "2026-04-10T03:33:49.113651Z",
	"deleted_at": null,
	"sha1_hash": "1134753d30238723ca3ee11c2417f4339ae6a96b",
	"title": "Nine Iranians Charged With Conducting Massive Cyber Theft Campaign On Behalf Of The Islamic Revolutionary Guard Corps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49868,
	"plain_text": "Nine Iranians Charged With Conducting Massive Cyber Theft\r\nCampaign On Behalf Of The Islamic Revolutionary Guard Corps\r\nPublished: 2018-03-23 · Archived: 2026-04-06 15:26:14 UTC\r\nRod J. Rosenstein, the Deputy Attorney General of the United States, Geoffrey S. Berman, the United States\r\nAttorney for the Southern District of New York, William F. Sweeney Jr., the Assistant Director-in-Charge of the\r\nNew York Field Division of the Federal Bureau of Investigation (“FBI”), and John C. Demers, Assistant Attorney\r\nGeneral for National Security, announced today the unsealing of an indictment charging GHOLAMREZA\r\nRAFATNEJAD, EHSAN MOHAMMADI, ABDOLLAH KARIMA, a/k/a “Vahid Karima,” MOSTAFA\r\nSADEGHI, SEYED ALI MIRKARIMI, MOHAMMED REZA SABAHI, ROOZBEH SABAHI, ABUZAR\r\nGOHARI MOQADAM, and SAJJAD TAHMASEBI.  The defendants were each leaders, contractors, associates,\r\nhackers-for-hire, and affiliates of the Mabna Institute, an Iran-based company that was responsible for a\r\ncoordinated campaign of cyber intrusions that began in at least 2013 into computer systems belonging to 144\r\nU.S.-based universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector\r\ncompanies, the United States Department of Labor, the Federal Energy Regulatory Commission, the State of\r\nHawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.  Through the activities\r\nof the defendants, the Mabna Institute conducted these intrusions to steal over 30 terabytes of academic data and\r\nintellectual property from universities, and email inboxes from employees of victim private sector companies,\r\ngovernment victims, and non-governmental organizations.  
The defendants conducted many of these intrusions on\r\nbehalf of the Islamic Republic of Iran’s (“Iran”) Islamic Revolutionary Guard Corps (“IRGC”), one of several\r\nentities within the government of Iran responsible for gathering intelligence, as well as other Iranian government\r\nclients.  In addition to these criminal charges, today the Department of Treasury’s Office of Foreign Assets Control\r\n(OFAC) designated the Mabna Institute and the nine defendants for sanctions for the malicious cyber-enabled\r\nactivity outlined in the Indictment.\r\nDeputy Attorney General Rod J. Rosenstein said:  “These nine Iranian nationals allegedly stole more than 31\r\nterabytes of documents and data from more than 140 American universities, 30 American companies, five\r\nAmerican government agencies, and also more than 176 universities in 21 foreign countries.  For many of these\r\nintrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian\r\nRevolutionary Guard Corps.  The Department of Justice will aggressively investigate and prosecute hostile actors\r\nwho attempt to profit from America’s ideas by infiltrating our computer systems and stealing intellectual property. \r\nThis case is important because it will disrupt the defendants’ hacking operations and deter similar crimes.”\r\nManhattan U.S. Attorney Geoffrey S. Berman said:  “Today, in one of the largest state-sponsored hacking\r\ncampaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind\r\nthe ones and zeros of computer code.  As alleged, this massive and brazen cyber-assault on the computer systems\r\nof hundreds of universities in 22 countries, including the United States, and dozens of private sector companies\r\nand governmental organizations was conducted on behalf of Iran’s Islamic Revolutionary Guard.  The hackers\r\ntargeted innovations and intellectual property from our country’s greatest minds.  
These defendants are now\r\nhttps://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic\r\nPage 1 of 5\n\nfugitives from American justice, no longer free to travel outside Iran without risk of arrest.  The only way they\r\nwill see the outside world is through their computer screens, but stripped of their greatest asset – anonymity.”     \r\nFBI Assistant Director William F. Sweeney Jr. said:  “The numbers alone in this case are staggering, over 300\r\nuniversities and 47 private sector companies both here in the United States and abroad were targeted to gain\r\nunauthorized access to online accounts and steal data.  An estimated 30 terabytes was removed from universities’\r\naccounts since this attack began, which is roughly equivalent of 8 billion double-sided pages of text.  It is hard to\r\nquantify the value on the research and information that was taken from victims but it is estimated to be in the\r\nbillions of dollars. The nine Iranians indicted today now find themselves wanted by the FBI and our partner law\r\nenforcement agencies around the globe – and like other cyber criminals they will soon learn their ability to freely\r\nmove was just limited to the virtual world only.” \r\nAccording to the allegations contained in the Indictment[1] unsealed today in Manhattan federal court:\r\nBackground on the Mabna Institute\r\nGHOLAMREZA RAFATNEJAD and EHSAN MOHAMMADI, the defendants, founded the Mabna Institute in\r\napproximately 2013 to assist Iranian universities and scientific and research organizations in stealing access to\r\nnon-Iranian scientific resources.  
In furtherance of its mission, the Mabna Institute employed, contracted, and\r\naffiliated itself with hackers-for-hire and other contract personnel to conduct cyber intrusions to steal academic\r\ndata, intellectual property, email inboxes and other proprietary data, including ABDOLLAH KARIMA, a/k/a\r\n“Vahid Karima,” MOSTAFA SADEGHI, SEYED ALI MIRKARIMI, MOHAMMED REZA SABAHI,\r\nROOZBEH SABAHI, ABUZAR GOHARI MOQADAM, and SAJJAD TAHMASEBI.  The Mabna Institute\r\ncontracted with both Iranian governmental and private entities to conduct hacking activities on their behalf, and\r\nspecifically conducted the university spearphishing campaign on behalf of the IRGC.  The Mabna Institute is\r\nlocated at Tehran, Sheikh Bahaii Shomali, Koucheh Dawazdeh Metri Sevom, Plak 14, Vahed 2, Code Posti\r\n1995873351.\r\nUniversity Hacking Campaign\r\nThe Mabna Institute, through the activities of the defendants, targeted over 100,000 accounts of professors around\r\nthe world.  They successfully compromised approximately 8,000 professor email accounts across 144 U.S.-based\r\nuniversities, and 176 universities located in foreign countries, including Australia, Canada, China, Denmark,\r\nFinland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea,\r\nSpain, Sweden, Switzerland, Turkey, and the United Kingdom.  The campaign started in approximately 2013, and\r\nhas continued through at least December 2017, and broadly targeted all types of academic data and intellectual\r\nproperty from the systems of compromised universities, including, among other things, academic journals, theses,\r\ndissertations, and electronic books.  Through the course of the conspiracy, U.S.-based universities spent over\r\napproximately $3.4 billion to procure and access such data and intellectual property.\r\nThe hacking campaign against universities was conducted across multiple stages.  
First, the defendants conducted\r\nonline reconnaissance of university professors, including to determine these professors’ research interests and the\r\nacademic articles they had published.  Second, using the information collected during the reconnaissance phase,\r\nthe defendants created and sent spearphishing emails to targeted professors, which were personalized and created\r\nso as to appear to be sent from a professor at another university.  In general, those spearphishing emails indicated\r\nthat the purported sender had read an article the victim professor had recently published, and expressed an interest\r\nin several other articles, with links to those additional articles included in the spearphishing email.  If the targeted\r\nprofessor clicked on certain links in the email, the professor would be directed to a malicious Internet domain\r\nnamed to appear confusingly similar to the authentic domain of the recipient professor’s university.  The malicious\r\ndomain contained a webpage designed to appear to be the login webpage for the victim professor’s university.  It\r\nwas the defendants’ intent that the victim professor would be led to believe that he or she had inadvertently been\r\nlogged out of his or her university’s computer system, prompting the victim professor for his or her login\r\ncredentials.  If a professor then entered his or her login credentials, those credentials were then logged and\r\ncaptured by the hackers.\r\nFinally, the members of the conspiracy used stolen account credentials to obtain unauthorized access to victim\r\nprofessor accounts, through which they then exfiltrated intellectual property, research, and other academic data\r\nand documents from the systems of compromised universities, including, among other things, academic journals,\r\ntheses, dissertations, and electronic books.  
The defendants targeted data across all fields of research and academic\r\ndisciplines, including science and technology, engineering, social sciences, medical, and other professional fields. \r\nAt least approximately 31.5 terabytes of academic data and intellectual property from compromised universities\r\nwere stolen and exfiltrated to servers under the control of members of the conspiracy located in countries outside\r\nthe United States.\r\nIn addition to stealing academic data and login credentials for university professors for the benefit of the\r\nGovernment of Iran, the defendants also sold the stolen data through two websites, Megapaper.ir (“Megapaper”)\r\nand Gigapaper.ir (“Gigapaper”).  Megapaper was operated by Falinoos Company (“Falinoos”), a company\r\ncontrolled by ABDOLLAH KARIMA, a/k/a “Vahid Karima,” the defendant, and Gigapaper was affiliated with\r\nKARIMA.  Megapaper sold stolen academic resources to customers within Iran, including Iran-based public\r\nuniversities and institutions, and Gigapaper sold a service to customers within Iran whereby purchasing customers\r\ncould use compromised university professor accounts to directly access the online library systems of particular\r\nUnited States-based and foreign universities.\r\nPrior to the unsealing of the Indictment, the FBI provided foreign law enforcement partners with detailed\r\ninformation regarding victims within their jurisdictions, so that victims in foreign countries could be notified and\r\nso that foreign partners could assist in remediation efforts.\r\nPrivate Sector Hacking Victims\r\nIn addition to targeting and compromising universities, the Mabna Institute defendants targeted and compromised\r\nemployee email accounts for at least approximately 36 United States-based private companies, and at least\r\napproximately 11 private companies based in Germany, Italy, Switzerland, Sweden, and the United Kingdom, and\r\nexfiltrated entire email mailboxes from compromised employees’ 
accounts.  Among the United States-based\r\nprivate sector victims were three academic publishers, two media and entertainment companies, one law firm, 11\r\ntechnology companies, five consulting firms, four marketing firms, two banking and/or investment firms, two\r\nonline car sales companies, one healthcare company, one employee benefits company, one industrial machinery\r\ncompany, one biotechnology company, one food and beverage company, and one stock images company.\r\nIn order to compromise accounts of private sector victims, members of the conspiracy used a technique known as\r\n“password spraying,” whereby they first collected lists of names and email accounts associated with the intended\r\nvictim company through open source Internet searches.  Then, they attempted to gain access to those accounts\r\nwith commonly-used passwords, such as frequently used default passwords, in order to attempt to obtain\r\nunauthorized access to as many accounts as possible.  Once they obtained access to the victim accounts, members\r\nof the conspiracy, among other things, exfiltrated entire email mailboxes from the victims.  In addition, in many\r\ncases, the defendants established automated forwarding rules for compromised accounts that would prospectively\r\nforward new outgoing and incoming email messages from the compromised accounts to email accounts controlled\r\nby the conspiracy.\r\nU.S. Government and NGO Hacking Victims\r\nIn the same time period as the university and private sector hacking campaigns described above, the Mabna\r\nInstitute also conducted a computer hacking campaign against various governmental and non-governmental\r\norganizations within the United States.  During the course of that campaign, employee login credentials were\r\nstolen by members of the conspiracy through password spraying.  
Among the victims were the following, all\r\nbased in the United States:  the United States Department of Labor, the Federal Energy Regulatory Commission,\r\nthe State of Hawaii, the State of Indiana, the State of Indiana Department of Education, the United Nations, and\r\nthe United Nations Children’s Fund.  As with private sector victims, the defendants targeted for theft email\r\ninboxes of employees of these organizations.\r\n*                *                *\r\nGHOLAMREZA RAFATNEJAD, EHSAN MOHAMMADI, ABDOLLAH KARIMA, a/k/a “Vahid Karima,”\r\nMOSTAFA SADEGHI, SEYED ALI MIRKARIMI, MOHAMMED REZA SABAHI, ROOZBEH SABAHI,\r\nABUZAR GOHARI MOQADAM, and SAJJAD TAHMASEBI, the defendants, are citizens and residents of Iran.\r\n Each is charged with one count of conspiracy to commit computer intrusions, which carries a maximum sentence\r\nof five years in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20\r\nyears in prison; two counts of unauthorized access of a computer, each of which carries a maximum sentence of\r\nfive years in prison; two counts of wire fraud, each of which carries a maximum sentence of 20 years in prison;\r\nand one count of aggravated identity theft, which carries a mandatory sentence of two years in prison.  The\r\nmaximum potential sentences in this case are prescribed by Congress and are provided here for informational\r\npurposes only, as any sentencings of the defendants will be determined by the assigned judge.\r\nMr. Berman praised the outstanding investigative work of the FBI, the assistance of the United Kingdom’s\r\nNational Crime Agency (NCA), and the support of the OFAC.  The case is being handled by the Office’s Complex\r\nFrauds and Cybercrime Unit.  Assistant United States Attorneys Timothy T. 
Howard, Jonathan Cohen, and\r\nRichard Cooper are in charge of the prosecution, with assistance provided by Heather Alpino and Jason\r\nMcCullough of the National Security Division’s Counterintelligence and Export Control Section.\r\nThe charges contained in the Indictment are merely accusations and the defendants are presumed innocent unless\r\nand until proven guilty.\r\n\r\n[1] As the introductory phrase signifies, the entirety of the text of the Indictment, and the description of the\r\nIndictment set forth herein, constitute only allegations, and every fact described should be treated as an allegation.\r\nSource: https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic"
	],
	"report_names": [
		"nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic"
	],
	"threat_actors": [
		{
			"id": "42e41377-c64c-4be9-87a0-ee903e4b9055",
			"created_at": "2023-01-06T13:46:38.950322Z",
			"updated_at": "2026-04-10T02:00:03.158476Z",
			"deleted_at": null,
			"main_name": "Silent Librarian",
			"aliases": [
				"Mabna Institute",
				"TA407",
				"TA4900",
				"Yellow Nabu",
				"COBALT DICKENS"
			],
			"source_name": "MISPGALAXY:Silent Librarian",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ba9e3e3-1cef-4e20-be7e-95f05e8295d7",
			"created_at": "2022-10-25T16:07:23.821494Z",
			"updated_at": "2026-04-10T02:00:04.759302Z",
			"deleted_at": null,
			"main_name": "Mabna Institute",
			"aliases": [
				"Academic Serpens",
				"Cobalt Dickens",
				"G0122",
				"Mabna Institute",
				"Silent Librarian",
				"TA407",
				"TA4900",
				"Yellow Nabu"
			],
			"source_name": "ETDA:Mabna Institute",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490811,
	"ts_updated_at": 1775792029,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1134753d30238723ca3ee11c2417f4339ae6a96b.pdf",
		"text": "https://archive.orkl.eu/1134753d30238723ca3ee11c2417f4339ae6a96b.txt",
		"img": "https://archive.orkl.eu/1134753d30238723ca3ee11c2417f4339ae6a96b.jpg"
	}
}