{
	"id": "df8fd1ec-dc58-436d-8746-624057b478d2",
	"created_at": "2026-04-06T00:10:12.64704Z",
	"updated_at": "2026-04-10T03:33:49.098252Z",
	"deleted_at": null,
	"sha1_hash": "184a7367eaca99196262acaca14787856d196d7f",
	"title": "Nine Iranians Charged With Conducting Massive Cyber Theft Campaign on Behalf of the Islamic Revolutionary Guard Corps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45564,
	"plain_text": "Nine Iranians Charged With Conducting Massive Cyber Theft\r\nCampaign on Behalf of the Islamic Revolutionary Guard Corps\r\nPublished: 2018-03-23 · Archived: 2026-04-05 19:07:22 UTC\r\nAn Indictment charging Gholamreza Rafatnejad, 38; Ehsan Mohammadi, 37; Abdollah Karima, aka Vahid\r\nKarima, 39; Mostafa Sadeghi, 28; Seyed Ali Mirkarimi, 34; Mohammed Reza Sabahi, 26; Roozbeh Sabahi, 24;\r\nAbuzar Gohari Moqadam, 37; and Sajjad Tahmasebi, 30, all citizens and residents of Iran, was unsealed today. \r\nThe defendants were each leaders, contractors, associates, hackers-for-hire or affiliates of the Mabna Institute, an\r\nIran-based company that, since at least 2013, conducted a coordinated campaign of cyber intrusions into computer\r\nsystems belonging to 144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign\r\nprivate sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of\r\nHawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.  Through the\r\ndefendants’ activities, the Mabna Institute stole more than 31 terabytes of academic data and intellectual property\r\nfrom universities, and email accounts of employees at private sector companies, government agencies, and non-governmental organizations.  The defendants conducted many of these intrusions on behalf of the Islamic\r\nRepublic of Iran’s (Iran) Islamic Revolutionary Guard Corps (IRGC), one of several entities within the\r\ngovernment of Iran responsible for gathering intelligence, as well as other Iranian government and university\r\nclients.  In addition to these criminal charges, today the Department of the Treasury’s Office of Foreign Assets\r\nControl (OFAC) designated the Mabna Institute and the nine defendants for sanctions for the malicious cyber-enabled activity outlined in the Indictment.\r\nThe charges were announced by Deputy Attorney General Rod J. 
Rosenstein; Assistant Attorney General for\r\nNational Security John C. Demers; U.S. Attorney Geoffrey S. Berman for the Southern District of New York; FBI\r\nDirector Christopher A. Wray; Assistant Director in Charge William F. Sweeney Jr. of the FBI’s New York Field\r\nDivision; and Treasury Under Secretary for Terrorism and Financial Intelligence Sigal Mandelker.\r\n“These nine Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140\r\nAmerican universities, 30 American companies, five American government agencies, and also more than 176\r\nuniversities in 21 foreign countries,” said Deputy Attorney General Rosenstein.  “For many of these intrusions, the\r\ndefendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard\r\nCorps.  The Department of Justice will aggressively investigate and prosecute hostile actors who attempt to profit\r\nfrom America’s ideas by infiltrating our computer systems and stealing intellectual property.  This case is\r\nimportant because it will disrupt the defendants’ hacking operations and deter similar crimes.”\r\n“Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we\r\nhave unmasked criminals who normally hide behind the ones and zeros of computer code,” said U.S. Attorney\r\nBerman.  “As alleged, this massive and brazen cyber-assault on the computer systems of hundreds of universities\r\nin 22 countries and dozens of private sector companies and governmental organizations was conducted on behalf\r\nof Iran’s Islamic Revolutionary Guard.  The hackers targeted innovations and intellectual property from our\r\ncountry’s greatest minds.  
These defendants are now fugitives from American justice, no longer free to travel\r\nhttps://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary\r\nPage 1 of 4\n\noutside Iran without risk of arrest.  The only way they will see the outside world is through their computer screens,\r\nbut stripped of their greatest asset – anonymity.”   \r\n“This investigation involved a complex threat in a dynamic landscape, but today’s announcement highlights the\r\ncommitment of the FBI and our partners to vigorously pursue those that threaten U.S. property and security,” said\r\nDirector Wray.  “Today, not only are we publicly identifying the foreign hackers who committed these malicious\r\ncyber intrusions, but we are also sending a powerful message to their backers, the Government of the Islamic\r\nRepublic of Iran: your acts do not go unnoticed.  We will protect our innovation, ideas and information, and we\r\nwill use every tool in our toolbox to expose those who commit these cyber crimes.  Our memory is long; we will\r\nhold them accountable under the law, no matter where they attempt to hide.”\r\nAccording to the allegations contained in the Indictment unsealed today in Manhattan federal court:\r\nBackground on the Mabna Institute\r\nGholamreza Rafatnejad and Ehsan Mohammadi, the defendants, founded the Mabna Institute in approximately\r\n2013 to assist Iranian universities and scientific and research organizations in stealing access to non-Iranian\r\nscientific resources.  In furtherance of its mission, the Mabna Institute employed, contracted, and affiliated itself\r\nwith hackers-for-hire and other contract personnel to conduct cyber intrusions to steal academic data, intellectual\r\nproperty, email inboxes and other proprietary data, including Abdollah Karima, aka Vahid Karima, Mostafa\r\nSadeghi, Seyed Ali Mirkarimi, Mohammed Reza Sabahi, Roozbeh Sabahi, Abuzar Gohari Moqadam, and Sajjad\r\nTahmasebi.  
The Mabna Institute contracted with both Iranian governmental and private entities to conduct\r\nhacking activities on their behalf, and specifically conducted the university spearphishing campaign on behalf of\r\nthe IRGC.  The Mabna Institute is located at Tehran, Sheikh Bahaii Shomali, Koucheh Dawazdeh Metri Sevom,\r\nPlak 14, Vahed 2, Code Posti 1995873351.\r\nUniversity Hacking Campaign\r\nThe Mabna Institute, through the activities of the defendants, targeted more than 100,000 accounts of professors\r\naround the world.  They successfully compromised approximately 8,000 professor email accounts across 144\r\nU.S.-based universities, and 176 universities located in foreign countries, including Australia, Canada, China,\r\nDenmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore,\r\nSouth Korea, Spain, Sweden, Switzerland, Turkey and the United Kingdom.  The campaign started in\r\napproximately 2013, continued through at least December 2017, and broadly targeted all types of academic data\r\nand intellectual property from the systems of compromised universities.  Through the course of the conspiracy,\r\nU.S.-based universities spent more than approximately $3.4 billion to procure and access such data and\r\nintellectual property.\r\nThe members of the conspiracy used stolen account credentials to obtain unauthorized access to victim professor\r\naccounts, which they used to steal research, and other academic data and documents, including, among other\r\nthings, academic journals, theses, dissertations, and electronic books.  The defendants targeted data across all\r\nfields of research and academic disciplines, including science and technology, engineering, social sciences,\r\nmedical, and other professional fields.  
The defendants stole at least approximately 31.5 terabytes of academic\r\ndata and intellectual property, which they exfiltrated to servers outside the United States that were under the\r\ncontrol of members of the conspiracy.\r\nIn addition to stealing academic data and login credentials for the benefit of the Government of Iran, the\r\ndefendants also sold the stolen data through two websites, Megapaper.ir (Megapaper) and Gigapaper.ir\r\n(Gigapaper).  Megapaper was operated by Falinoos Company, a company controlled by Abdollah Karima, aka\r\nVahid Karima, the defendant, and Gigapaper was affiliated with Karima.  Megapaper sold stolen academic\r\nresources to customers within Iran, including Iran-based public universities and institutions, and Gigapaper sold a\r\nservice to customers within Iran whereby purchasing customers could use compromised university professor\r\naccounts to directly access the online library systems of particular U.S.-based and foreign universities.\r\nAccompanying Mitigation Efforts\r\nPrior to the unsealing of the Indictment, the FBI provided foreign law enforcement partners with detailed\r\ninformation regarding victims within their jurisdictions, so that victims in foreign countries could be notified and\r\nforeign partners could assist in remediation efforts.\r\nAlso, in connection with the unsealing of the Indictment, today the FBI provided private sector partners detailed\r\ninformation regarding the vulnerabilities targeted and the intrusion vectors used by the Mabna Institute in their\r\ncampaign against private sector companies.  
This information will assist the public in its network defense and\r\nmitigation efforts.\r\n*                *                *\r\nRafatnejad, Mohammadi, Karima, Sadeghi, Mirkarimi, Sabahi, Sabahi, Moqadam and Tahmasebi are each\r\ncharged with one count of conspiracy to commit computer intrusions, which carries a maximum sentence of five\r\nyears in prison; one count of conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in\r\nprison; two counts of unauthorized access of a computer, each of which carries a maximum sentence of five years\r\nin prison; two counts of wire fraud, each of which carries a maximum sentence of 20 years in prison; and one\r\ncount of aggravated identity theft, which carries a mandatory sentence of two years in prison.  The maximum\r\npotential sentences in this case are prescribed by Congress and are provided here for informational purposes only,\r\nas any sentencings of the defendants will be determined by the assigned judge.\r\nMr. Rosenstein and Mr. Berman praised the outstanding investigative work of the FBI, the assistance of the United\r\nKingdom’s National Crime Agency (NCA), and the support of the OFAC.  Assistant U.S. Attorneys Timothy T.\r\nHoward, Jonathan Cohen and Richard Cooper are in charge of the prosecution, with assistance provided by Trial\r\nAttorneys Heather Alpino and Jason McCullough of the National Security Division’s Counterintelligence and\r\nExport Control Section.\r\nThe charges contained in the Indictment are merely accusations and the defendants are presumed innocent unless\r\nand until proven guilty.\r\nFor the U.S. 
Department of Treasury’s press release announcing corresponding sanctions click here.\r\nSource: https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary"
	],
	"report_names": [
		"nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary"
	],
	"threat_actors": [
		{
			"id": "42e41377-c64c-4be9-87a0-ee903e4b9055",
			"created_at": "2023-01-06T13:46:38.950322Z",
			"updated_at": "2026-04-10T02:00:03.158476Z",
			"deleted_at": null,
			"main_name": "Silent Librarian",
			"aliases": [
				"Mabna Institute",
				"TA407",
				"TA4900",
				"Yellow Nabu",
				"COBALT DICKENS"
			],
			"source_name": "MISPGALAXY:Silent Librarian",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7ba9e3e3-1cef-4e20-be7e-95f05e8295d7",
			"created_at": "2022-10-25T16:07:23.821494Z",
			"updated_at": "2026-04-10T02:00:04.759302Z",
			"deleted_at": null,
			"main_name": "Mabna Institute",
			"aliases": [
				"Academic Serpens",
				"Cobalt Dickens",
				"G0122",
				"Mabna Institute",
				"Silent Librarian",
				"TA407",
				"TA4900",
				"Yellow Nabu"
			],
			"source_name": "ETDA:Mabna Institute",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434212,
	"ts_updated_at": 1775792029,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/184a7367eaca99196262acaca14787856d196d7f.pdf",
		"text": "https://archive.orkl.eu/184a7367eaca99196262acaca14787856d196d7f.txt",
		"img": "https://archive.orkl.eu/184a7367eaca99196262acaca14787856d196d7f.jpg"
	}
}