UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK - UNITED STATES OF AMERICA SEALED INDICTMENT GHDLAMREZA RAFATNEJAD 18 Cr EHSAN MOHAMMADI AEDOLLAH KARIMA a k a Vahid Karima MUSTAFA SRDEGHI SEYED ALI MIRKARIMI MDHAMMED REZA SABAHI I ROOZBEH SABAHI ABUZAR GOHARI MOQADAM and SAJJAD TAHMASEBI Defendants COUNT ONE Conspiracy to Commit Computer Intrusions The Grand Jury charges 1 At all times relevant to this Indictment GHOLAMREZA RAFATNEJAD EHSAN MOHAMMADI ABDOLLAH KARIMA a k a Vahid Karima MOSTAFA SADEGHI SEYED ALI MIRKARIMI MDHAMMED REZA SABAHI ROOZBEH SABAHI ABUZAR GOHARI MOQADAM and SAJJAD TAHMASEBI the defendants all of whom were nationals of the Islamic Republic of Iran Iran living and working within Iran were leaders contractors associates hackers for hire and affiliates of the Mabna Institute an Iran based company that conducted massive coordinated cyber intrusions into computer systems belonging to at least approximately 144 United States based universities including two universities based in the Southern District of New York University 1 and In addition the defendants conducted cyber intrusions into computer systems belonging to at least 175 universities located in 21 foreign countries including Australia Canada China Denmark Finland Germany Ireland Israel Italy Japan Malaysia Netherlands Norway Poland Singapore South Korea Spain Sweden Switzerland Turkey and the United Kingdom The defendants conducted this activity at the behest of the government of Iran specifically the Islamic Revolutionary Guard Corps which is one of several entities within the Government of Iran responsible for gathering intelligence 2 Since at least approximately 2013 the members of the conspiracy compromised thousands of accounts belonging to professors at victim_universities and targeted academic data and intellectual property for theft which during the course of the conspiracy cost the affected United States-based universities at least approximately $3 4 billion dollars to procure and access The stolen data as well as access to compromised university accounts was used to benefit the IRGC and other Iranian customers including Iran-based universities 3 At the same time that the defendants were targeting compromising and stealing data from universities around the world they also compromised the computer systems of at least five U S federal and state government agencies at least 36 private sector companies and at least two non- governmental organizations MEANS AND METHODS OF THE CONSPIRACY University Hacking Campaign 4 In conducting their hacking attacks of university victims members of the conspiracy organized their activities into various phases generally summarized as follows a First members of the conspiracy conducted online reconnaissance of university professors including to determine these professors research interests and the academic articles they had published b Second customised spearphishing emails were created Spearphishing emails are emails sent to a target seeking to induce action that would allow the sender to obtain unauthorized access to the recipient victim's computer system- This can be accomplished in a number of ways including but not limited to tricking the target into unwittingly providing his or her account login credentials to allow the attacker to remotely log into and obtain unauthorized access to the victim s online accounts The spearphishing emails created by the conspiracy purported to be sent from professors at one university and were directed to victim professors at another university In general those spearphishing emails indicated that the sender had read an article the victim professor had recently published and expressed an interest in several other articles The sender provided links to those additional articles If the victim professor clicked on certain links he or she would be directed to a malicious Internet domain named to appear confusingly similar to the authentic domain of the recipient professor s university The malicious domain contained a webpage designed to appear to be the login webpage for the victim professor's university It was the conspirators intent that the victim professor would be led to believe that he or she had inadvertently been logged out of his or her university s computer system prompting the victim professor for his or her login credentials the username and password for his or her university account If a professor then entered his or her login credentials those credentials were then logged and captured by the hackers c Third the members of the conspiracy used stolen account credentials and obtained unauthorized access to victim professor accounts through which they then exfiltrated or transferred to themselves academic data and documents from the systems of compromised universities including among other things academic journals theses dissertations and electronic books The defendants targeted data across all fields of research and academic disciplines including science and technology engineering social sciences medical and other professional fields At least approximately 31 5 terabytes of academic data and intellectual property from compromised universities was stolen and exfiltrated to servers under the control of members of the conspiracy located in countries outside the United States 5 Over the course of this hacking conspiracy the defendants and their co conspirators targeted over 100 000 professor accounts worldwide with spearphishing messages approximately half of which targeted professors at United States based universities As a result of those spearphishing attacks the conspiracy successfully compromised at least approximately 7 998 accounts worldwide of which at least approximately 3 768 belonged to professors at United States based victim universities 6 The exfiltrated data and the stolen login credentials of university professors were obtained for the benefit of the IRGC and were also sold within Iran including through two websites Megapaper ir Megapaper and Gigapaper-ir Gigapaper Megapaper was operated by Falinoos Company Falinoos a company controlled by ABDOLLAH KARIMA an a Vahid Karima the defendant and Gigapaper was affiliated with KARIMA Megapaper sold stolen academic resources to customers within Iran including Iranrbased public universities and institutions and Gigapaper sold a service to customers within Iran whereby purchasing customers could use compromised university professor accounts to directly access the online library Systems of particular United States-based and foreign universities Private Sector Hacking Victims 7 In addition to targeting and compromising universities the Mabna Institute defendants targeted and compromised employee email accounts for at least approximately 36 United States based private companies and at least approximately eleven private companies based in Germany Italy Switzerland Sweden and the United Kingdom and exfiltrated entire email mailboxes from compromised employees accounts Among the United States- based private sector victims were the following a Three academic publishers b Two media and entertainment companies c One law firm d Eleven technology companies e Five consulting firms f Four marketing firms g Two banking and or investment firms h Two online car sales companies i One healthcare company j One employee benefits company k One industrial machinery company 1 One biotechnology company m One food and beverage company and n One stock images company 8 In order to compromise accounts of private sector victims members of the conspiracy used a technique known as password spraying whereby they first collected lists of names and email accounts associated with the intended victim company through open source Internet searches Then they attempted to gain access to those accounts with commonly-used passwords such as frequently used default passwords in order to attempt to 7 obtain unauthorized access to as many accounts as possible Once they obtained access to the victim accounts members of the conspiracy among other things exfiltrated entire email mailboxes from the victims In addition in many cases the defendants established automated forwarding rules for compromised accounts that would prospectively forward new outgoing and incoming email messages irom the compromised accounts to email accounts controlled by the conspiracy U S Government and NGO Hacking Victims 9 In the same time period as the university and private sector hacking campaigns described above the Mabna Institute also conducted a computer hacking campaign against various governmental and non governmental organisations within the United States During the course of that campaign employee login credentials were stolen by members of the conspiracy through password spraying Among the victims were the following all based in the United States a United States Department of Labor b Federal Energy Regulatory Commission c State of Hawaii d State of Indiana e State of Indiana Department of Education f United Nations and g United Nations Children s Fund RELEVANT PERSONS AND ENTITIES 10 At all times relevant to this Indictment the Mabna Institute was an organization founded in or about 2013 and was set up in order to assist Iranian universities as well as scientific and research organizations to obtain access to non Iranian scientific resources The Mabna Institute contracted with Iranian governmental and private entities to conduct hacking activities on their behalf The Mabna Institute conducted the university spearphishing campaign specifically on behalf of the IRGC The Mabna Institute logo appears below 11 At all times relevant to this Indictment GHOLAMREZA RAFATNEJAD the defendant was a founding member of the Mabna Institute Among other things RAFATNEJAD organised the Mabna Institute hacking campaign which targeted universities sent and received compromised credentials belonging to victim professors to and from co conspirators organized stolen professor credentials and controlled malicious domains that were used to target university victims RAFATNEJAD had the contact with the IRGC that funded certain aspects of the Mabna Institute hacking campaign that targeted universities 12 At all times relevant to this Indictment EHSAN MOHAMMADI the defendant was a founding member of the Mabna Institute and served as the Mabna Institute's Managing Director Along with GHOLAMREZA RAFATNEJAD the defendant MOHAMMADI also helped organize the Mabna Institute campaign which targeted universities and received compromised credentials to victim professors' accounts from co conspirators MOHAMMADI was also responsible for managing the finances of the Mabna Institute including with respect to the Mabna Institute s computer hacking and exploitation operations l3 At certain times relevant to this Indictment ABDOLLAH KARIMA a k a Vahid Karima the defendant was an Iran-based_businessman who owned and operated Falinoos a company operating in Iran that sold access to academic materials Through Falinoos KARIMA entered into contracts with multiple Iranian public universities to sell them access to academic materials that had been stolen from U S and foreign universities through computer intrusions KARIMA contracted 10 with the Mabna Institute to direct certain of the hacking activities described in this Indictment and sold academic materials that had been stolen through the computer intrusions targeting united States based and foreign universities through various websites operated by Falinoos including Megapaper and exchanged stolen professor credentials with the operators of the Gigapaper website KARIMA was regularly provided with compromised login credentials for professors at various victim universities from other members of the conspiracy 14 At all times relevant to this Indictment MOSTAFA SADEGHI the defendant was a prolific Iran based computer hacker who was an affiliate of the Mabna Institute SADEGHI personally compromised over approximately 1 000 victim professor accounts through the course of the spearphishing campaign SADEGHI exchanged credentials for compromised professor accounts with GHOLAMREZA RAFATNEJAD and ABDOLLAH KARIMA afkfa Vahid Karima the defendants and provided training to RAFATNEJAD on computer hacking techniques specifically focused on compromising university-based accounts SADEGHI was also involved in the operation of and maintained a financial interest in the Megapaper website 15 At certain times relevant to this Indictment SEYED ALI MIRKARIMI the defendant was an Iran based hacker and 11 contractor for the Mabna Institute MIRKARIMI participated in a wide range of Mabna Institute hacking projects including the spearphishing campaign that targeted universities and hacking efforts that targeted private sector companies government organizations and NGOs MIRKARIMI was involved in many aspects and phases of the hacking activity including but not limited to crafting and testing spearphishing emails registering malicious domains that were used to target victim universities compiling targeting lists and organizing stolen credentials 16 At certain times relevant to this Indictment MOHAMMED REZA SABAHI the defendant was an Iranebased contractor for the Mabna Institute MOHAMMAD REZA SABAHI helped carry out the spearphishing campaign which targeted universities by among other things conducting online reconnaissance of victim university systems creating targeting lists of victim professors and cataloging academic databases at victim universities that were targeted by the hacking campaign 17 At certain times relevant to this Indictment ROOZBEH SAEAHI the defendant was an Iran-based contractor for the Mabna Institute ROOZBEH SABAHI helped carry out the various hacking activities of the Mabna Institute by among other things organizing stolen credentials obtained by Mabna Institute hackers including credentials for accounts belonging 12 to victim professors and accounts belonging to employees of private sector government and NGD victims of the Mabna Institute 18 At certain times relevant to this Indictment ABUZAR GDHARI MOQADAM the defendant was an Iran-based professor and affiliate of the Mabna Institute who exchanged credentials for compromised accounts with Mabna Institute founders GHOLAMREZA RAFATNEJAD and EHSAN MOHAMMADI the defendants 19 At certain times relevant to this Indictment SAJJAD TAHMASEBI the defendant was an Iran-based contractor for the Mabna Institute TAHMASEBI helped facilitate the spearphishing campaign which targeted universities by among other things conducting online network surveillance of victim university computer systems and maintaining lists of credentials stolen from victim professors STATUTORI ALLEGATIONS 20 From at least in or about 2013 through at least in or about December 2017 in the Southern District of New York and elsewhere GHDLAMREZA RAFATNEJAD EHSAN MOHAMMADI ABDOLLAH KARIMA a k a Vahid Karima MOSTAFA SADEGHI SEYED ALI MIRKARIMI MOHAMMED REZA SABRHI ROOZBEH SABRHI ABUZAR GOHARI 13 MOQADAM and SAJJAD TAHMASEBI the defendants and others known and unknown willfully and knowingly combined conspired confederated and agreed together and with each other to commit computer intrusion offenses in violation of Title 18 United States Code Sections 1030 a 2 1030 a 6 and 1030 c 2 A 21 It was a part and an object of the conspiracy that GHOLAMREZA RAFATNEJAD EHSAN MOHAMMADI ABDOLLAH KARIMA a k a Vahid Karima MOSTAFA SADEGHI SEYED ALI MIRKARIMI MOHAMMED REZA SABAHI ROOZEEH SAEAHI ABUZAR GOHARI MDQADAM and SAJJAD TAHMASEBI the defendants and others known and unknown would and did intentionally access computers without authorization and exceed authorized access and thereby would and did obtain information from protected computers for purposes of commercial advantage and private financial gain and the value of the information obtained would and did exceed $5 000 in violation of Title 18 United States Code Sections and 22 It was further a part and an object of the conspiracy that GHOLAMREZA RAFATNEJAD EHSAN MOHAIVMADI ABDOLLAH KARIMA an a Vahid Karima MOSTAFA SADEGHI SEYED ALI MIRKARIMI MOHAMMED SAEAHI ROOZBEH SABAHI AEUZAR GOHARI MOQADAM and SAJJAD TAHMASEBI the defendants and others known 14 and unknown knowingly and with the intent to defraud would and did traffic in passwords and similar information through which computers may be accessed without authorization in transactions affecting interstate and foreign commerce and involving computers used by and for the Government of the United States in violation of Title 18 United States Code Sections 1030 a 5 and Title 18 United States Code Section COUNT TWO Conspiracy to Commit Wire Fraud The Grand Jury further charges 23 The allegations contained in paragraphs 1 through 19 of this Indictment are repeated and realleged as if fully set forth herein 24 From at least in or about 2013 through at least in or about December 2017 in the Southern District of New York and elsewhere GHOLAMREZA RAFATNEJAD EHSAN MOHAMMADI ABDOLLAH KARIMA afk a Vahid Karima MOSTAFA SADEGHI SEYED ALI MIRKARIMI MOHAMMED REZA SABRHI ROOZBEH SABAHI ABUZAR GOHARI MOQADAM and SAJJAD TAHMASEBI the defendants and others known and unknown willfully and knowingly did combine conspire confederate and agree together and with each other to commit 15 wire fraud in violation of Title 18 United States Code Section 1343 25 It was a part and object of the conspiracy that GHOLAMREZA RAFATNEJAD EHSAN MOHAMMADI AEDOLLAH KARIMA a k a Vahid Karima MOSTAFA SADEGHI SEYED ALI MIRKARIMI MDHAMMED REZA SABAHI ROOZBEI-I SABAHI ABUZAR GOHARI MOQADAM and SAJJAD TAHMASEEI the defendants and others known and unknown willfully and knowingly having devised and intending to devise a scheme and artifice to defraud and for obtaining money and property by means of false and fraudulent pretenses representations and promises would and did transmit and cause to be transmitted by means of wire radio and television communication in interstate and foreign commerce writings signs signals pictures and sounds for the purpose of executing such scheme and artifice in violation of Title 18 United States Code Section 1343 Title 18 united States Code Section 1349 16 COUNT THREE Computer Fraud Unauthorized Access for Private Financial Gain The Grand Jury further charges 26 The allegations contained in paragraphs 1 through 19 of this Indictment are repeated and realleged as if fully set forth herein From_at least in or about May 2014 through at least in or about April 2017 in the Southern District of New York and elsewhere GHOLAMREZA RAFATNEJAD EHSAN MOHAMMADI ABDOLLAH KARIMA a k a Vahid Karima MOSTAFA SADEGHI SEYED ALI MIRKARIMI REZA ROOZBEH SABAHI ABUZAR GOHARI MOQADAM and SAJJAD TAHMASEBI the defendants willfully and intentionally accessed a computer without authorization and exceeded authorized access and thereby would and did obtain information from a protected computer for purposes of commercial advantage and private financial gain and the value of which exceeded $5 000 to wit RAFATNEJAD MOHAMMADI KARIMA SADEGHI MIRKARIMI REZA SABAHI ROOZBEH SARAHI GOHARI MOQADAM and TAHMASEBI conducted and aided and abetted in conducting computer intrusions to gain unauthorized access to the computer systems of University l and obtained and sold academic resources stolen from University 1 as well as access to compromised University l professor accounts 17 Title 18 United States Code Sections 1030 a 2 and 2- COUNT FOUR Wire Fraud The Grand Jury further charges 28 The allegations contained in paragraphs 1 through 19 of this Indictment are repeated and realleged as if fully set forth herein 29 From at least in or about May 2014 through in or about April 2017 in the Southern District of New York and elsewhere GHOLAMREZA RAFATNEJAD EHSAN MOHAMMADI ABDOLLAH KARIMA a k a Vahid Karima MOSTAFA SADEGHI SEYED ALI MIRKARIMI MDHAMMED REZA SABAHI ROOZBEH GOHARI MOQADAM and SAJJAD TAHMASEBI the defendants willfully and knowingly having devised and intending to devise a scheme and artifice to defraud and for obtaining money and property by means of false and fraudulent pretenses representations and promises did transmit and cause to be transmitted by means of wire radio and television communication in interstate and foreign commerce writings signs signals pictures and sounds for the purpose of executing such scheme and artifice to wit MDHAMMADI KARIMA SADEGHI MIRKARIMI MOHAMMED-REZA SABAHI ROOZBEH SABAHI GOHARI MOQADAM and TAHMASEBI obtained 18 University-l professor login credentials through misrepresentations including by among other means sending spearphishing messages and directing University 1 professors to fake login pages and then using and aiding and abetting others in using those login Credentials to access university 1's computer systems without authorization Title 18 United States Code Sections 1343 and COUNT FIVE Computer Fraud Unauthorized Access for Private Financial Gain The Grand Jury further charges 30 The allegations contained in paragraphs 1 through 19 of this Indictment are repeated and realleged as if fully set forth herein 31 From at least in or about June 2014 through at least in or about November 2016 in the Southern District of New York and elsewhere GHOLAMREZA RAFATNEJAD EHSAN MOHAMMADI ABDOLLAH KARIMA a k a Vahid Karima MOSTAFA SADEGHI SEYED ALI MIRKARIMI MOHAMMED REZA SABAHI RODZBEH SARAHI ABUZAR GOHARI MDQADAM and SAJJAD TAHMASEBI the defendants willfully and intentionally accessed a computer without authorization and exceeded authorized access and thereby would and did obtain information from a protected computer for purposes of 19 commercial advantage and private financial gain and the value of which exceeded $5 000 to wit RAFATNEJAD MOHAMMADI KARIMA SADEGHI MIRKARIMI MOHAMMED REZA SAEAHI ROOZBEH SABAHI GOHARI MOQADAM and TAHMASEBI conducted and aided and abetted in conducting computer hacking attacks to gain unauthorized access to the computer systems of University-2 and obtained and sold academic resources stolen from university 2 as well as access to compromised University 2 professor accounts Title 18 United States Code Sections 1030 a 2 and 2 COUNT SIX Wire Fraud The Grand Jury further charges 32 The allegations contained in paragraphs 1 through 19 of this Indictment are repeated and realleged as if fully set forth herein 33 From at least in or about June 2014 through at least in or about November 2016 in the Southern District of New York and elsewhere GHOLAMREZA RAFATNEJAD EHSAN MOHAMMADI KARIMA a k a Vahid Karima MOSTAFA SADEGHI SEYED ALI MIRKARIMI MOHAMMED REZA SABAHI ROOZBEH SABAHI ABUZAR GDHARI MOQADAM and SAJJAD TAHMASEBI the defendants willfully and knowingly having devised and intending to devise a scheme 20 and artifice to defraud and for obtaining money and property by means of false and fraudulent pretenses representations and promises did transmit and cause to be transmitted by means of wire radio and television communication in interstate and foreign commerce writings signs signals pictures and sounds for the purpose of executing such scheme and artifice to wit RAFATNEJAD MOHAMMADI KARIMA MIRKARIMI MOHAMMED REZA ROOZBEH SABAHI GOHARI MOQADAM and TAHMASEBI obtained Universitysz professor login credentials through misrepresentations including by among other means sending spearphishing messages and directing Universityrz professors to fake login pages and then using and aiding and abetting others in using those login credentials to access UniversitYFZ's computer systems without authorization Title 18 United States Code Sections 1343 and 2 COUNT SEVEN Aggravated Identity Theft The Grand Jury further charges 34 The allegations contained in paragraphs 1 through 19 of this Indictment are repeated and realleged as if fully set forth herein 35 From at least in or about 2013 through at least in or about December 2017 in the Southern District of New York 21 and elsewhere GHDLAMREZA RAFATNEJAD EHSAN MOHAMMADI ABDOLLAH KARIMA a k a Vahid Karima MOSTAFA SADEGHI SEYED ALI MIRKARIMI MOHAMMED REZA SAEAHI ROOZBEH SABAHI ABUZAR GDHARI MDQADAM and SAJJAD TAHMASEBI the defendants knowingly transferred possessed and used without lawful authority a means of identification of another person during and in relation to a felony violation enumerated in Title 18 United States Code Section 1028A c and aided and abetted the same to wit RAFATNEJAD MOHAMMADI KARIMA SADEGHI MIRKARIMI MOHAMMED REZA SABRHI RDOZBEH SABAHI GDHARI MOQADAM and TAHMASEBI transferred possessed and used and aided and abetted the transfer possession and use of the login credentials including usernames and passwords of various professors at United States universities during and in relation to the wire fraud and computer fraud offenses charged in Counts One through Six of this Indictment Title 18 United States Code Sections 1028A a 1 and 2 FORFEITURE ALLEGATION AS TO COUNTS ONE THREE AND FIVE 35 As a result of committing one or more of the offenses alleged in Counts One Three and Five of this Indictment RAFATNEJAD EHSAN MOHAMMADI 22 KARIMA a k a Vahid Karima MOSTAFA SADEGHI ALI MIRKARIMI MOHAMMED REZA SABAHI ROOZEEH SABAHI AEUZAR GOHARI MOQADAM and SAJJAD TAHMASEBI the defendants shall forfeit to the United States pursuant to Title 18 United States Section Section 1030 i any and all property real or personal constituting or derived from any proceeds obtained directly or indirectly as a result of said offenses and any and all personal property that was used or intended to be used to commit or to facilitate the commission of said offenses including but not limited to a sum of money in United States currency representing the amount of proceeds traceable to the commission of said offenses that the defendant personally obtained FORFEITURE ALLEGATION AS TO COUNTS TWO FOUR AND SIX As a result of committing the offenses alleged in Counts Two Four and Six of this Indictment GHDLAMREZA RAFATNEJAD EHSAN MOHAMMADI KARIMA a k a Vahid Karima MOSTAFA SADEGHI SEYED ALI MIRKARIMI MOHAMMED REZA SABAHI ROOZBEH SABAHI ABUZAR GOHARI MOQADAM and SAJJAD TAHMASEBI the defendants shall forfeit to the united States pursuant to Title 18 United States Code Section and Title 28 United States Code Section 2461 c any and all property real and personal which constitutes or is derived 23 from proceeds traceable to the commission said offenses including but not limited to a sum of money in United States currency representing the amount of proceeds traceable to the commission of said offenses that the defendant personally obtained Substitute Assets Provision 38 If any of the above described forfeitable property as a result of any act or omission of the defendant a cannot be located upon the exercise of due diligence b has been transferred or sold to or deposited with a third person c has been placed beyond the jurisdiction of the Court d has been substantially diminished in value or e has been commingled with other property which cannot be subdivided without difficulty it is the intent of the United States pursuant to Title 21 United States Code Section 853 p and Title 28 United States Code Section 2461 c to seek forfeiture of any other property 24 of the defendant up to the value of the above forfeitable property Title 18 United States Code Sections 981 a 1030 Title 21 United States Code Section 853 and Title 28 United States Code Section 2461 my sewn- FOREPERSON GEOFFREY UBERMAN United States Attorney 25 Form No Ed 9 25 58 UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK UNITED STATES OF AMERICA - V GHOLAMREZA RAFATNEJAD EHSAN MUHAMMADI ABDOLLAH KARIMA a k a Vahid Karima MDSTAFA SADEGHI SEYED ALI MIRKARIMI MOHAMMED REZA SABAHI ROOZBEH SABAHI EBUZAR GOHARI MUQADAM and SAJJAD Defendants SEALED INDICTMENT 18 Cr 13 U S C 1030 b 1030 a 2 1343 1349 1028A a 1 1028A b r and 2 GEOFFREY S BERMAN United States Attorney FOREPERSON This document is from the holdings of The National Security Archive Suite 701 Gelman Library The George Washington University 2130 H Street NW Washington D C 20037 Phone 202 994-7000 Fax 202 994-7005 nsarchiv@gwu edu