Press Release

Manhattan U.S. Attorney Announces Charges Against Seven Iranians For Conducting Coordinated Campaign Of Cyber Attacks Against U.S. Financial Sector On Behalf Of Islamic Revolutionary Guard Corps-Sponsored Entities

For Immediate Release
U.S. Attorney's Office, Southern District of New York

Loretta E. Lynch, the Attorney General of the United States, Preet Bharara, the United States Attorney for the Southern District of New York, James B. Comey, Director of the Federal Bureau of Investigation (“FBI”), and John P. Carlin, Assistant Attorney General for National Security, announced today the unsealing of an indictment charging seven Iranians – AHMAD FATHI; HAMID FIROOZI; AMIN SHOKOHI; SADEGH AHMADZADEGAN, a/k/a Nitr0jen26; OMID GHAFFARINIA, a/k/a PLuS; SINA KEISSAR; and NADER SAEDI, a/k/a Turk Server – who were employed by two Iran-based computer companies,  ITSecTeam (“ITSEC”) and Mersad Company (“MERSAD”), which were sponsored by Iran’s Islamic Revolutionary Guard Corps – for conducting a coordinated campaign of distributed denial of service (“DDoS”) attacks against 46 major companies, primarily in the U.S. financial sector, from late 2011 through mid-2013.  These attacks, which occurred on more than 176 days, disabled victim bank websites, prevented customers from accessing their accounts online, and collectively cost the banks tens of millions of dollars in remediation costs as they worked to neutralize and mitigate the attacks on their servers.  In addition, FIROOZI is also charged with obtaining unauthorized access into the Supervisory Control and Data Acquisition (“SCADA”) systems of the Bowman Dam, located in Rye, New York, in August and September of 2013.

Attorney General Loretta E. Lynch said:  “In unsealing this indictment, the Department of Justice is sending a powerful message: that we will not allow any individual, group, or nation to sabotage American financial institutions or undermine the integrity of fair competition in the operation of the free market.  Through the work of our National Security Division, the FBI, and U.S. Attorney’s Offices around the country, we will continue to pursue national security cyber threats through the use of all available tools, including public criminal charges.  And as today’s unsealing makes clear, individuals who engage in computer hacking will be exposed for their criminal conduct and sought for apprehension and prosecution in an American court of law.”

Manhattan U.S. Attorney Preet Bharara said: “The charges announced today respond directly to a cyber-assault on New York, its institutions, and its infrastructure.  The alleged onslaught of cyber-attacks on 46 of our largest financial institutions, many headquartered in New York City, resulted in hundreds of thousands of customers being unable to access their accounts and tens of millions of dollars being spent by the companies trying to stay online through these attacks.  The infiltration of the Bowman Avenue dam represents a frightening new frontier in cybercrime.  These were no ordinary crimes, but calculated attacks by groups with ties to Iran’s Islamic Revolutionary Guard and designed specifically to harm America and its people.  We now live in a world where devastating attacks on our financial system, our infrastructure, and our way of life can be launched from anywhere in the world, with a click of a mouse.  Confronting these types of cyber-attacks cannot be the job of just law enforcement.  The charges announced today should serve as a wake-up call for everyone responsible for securing our financial markets and for guarding our infrastructure.  Our future security depends on heeding this call.” 

FBI Director James B. Comey said: “The FBI will find those behind cyber intrusions and hold them accountable — wherever they are, and whoever they are.  By calling out the individuals and nations who use cyber-attacks to threaten American enterprise, as we have done in this indictment, we will change behavior.”

Assistant Attorney General John P. Carlin said:  “Like past nation state-sponsored hackers, these defendants and their backers believed that they could attack our critical infrastructure without consequence, from behind a veil of cyber anonymity.  This indictment once again shows there is no such veil – we can and will expose malicious cyber hackers engaging in unlawful acts that threaten our public safety and national security.”

According to the allegations contained in the Indictment[1] unsealed today in Manhattan federal court:

DDoS Attacks

The DDoS attacks against the U.S. financial sector began in approximately December 2011, and occurred sporadically until September 2012, at which point they escalated in frequency to a near-weekly basis, occurring between Tuesdays and Thursdays during normal business hours in the United States through in or about May 2013.  On certain days during the campaign, victim computer servers were hit with as many as 140 Gigabits of data per second, and hundreds of thousands of customers were cut off from online access to their bank accounts.

For the purpose of carrying out the attacks, the defendants built botnets that consisted of thousands of compromised computer systems that had been infected with the defendants’ malware, and were subject to their remote command and control.  The defendants and their co-conspirators ordered their botnets to direct significant amounts of malicious traffic at computer servers used to operate the websites for victim corporations, which overwhelmed victim servers and prevented customers from accessing the websites or their accounts online during the period of the attacks.  Although the DDoS campaign damaged and disrupted the businesses of the financial sector victims and interfered with their customers’ ability to do online banking during the course of the attacks, the attacks did not affect or result in the theft of customer account data.

FATHI, FIROOZI, and SHOKOHI were responsible for ITSEC’s portion of the DDoS attack campaign against the U.S. financial sector.  FATHI was the leader of ITSEC and was responsible for supervising and coordinating ITSEC’s portion of the DDoS campaign, as well as managing computer intrusion and cyberattack projects being conducted for the government of Iran.  FIROOZI procured and managed computer servers that were used to coordinate and direct DDoS attacks for ITSEC.  SHOKOHI is a computer hacker who helped build ITSEC’s botnet and created malware used to direct the botnet to engage in DDoS attacks.  During the time that he worked in support of the DDoS campaign, SHOKOHI received credit for his computer intrusion work from the Iranian government towards his completion of his mandatory military service requirement in Iran.

AHMADZADEGAN, GHAFFARINIA, KEISSAR, and SAEDI were responsible for MERSAD’s portion of the DDoS attack campaign against the U.S. financial sector. AHMADZADEGAN was a co-founder of MERSAD and was responsible for managing the MERSAD botnet.  He was also a member of Iranian hacking groups Sun Army and the Ashiyane Digital Security Team (“ADST”), and claimed responsibility for hacking servers belonging to the National Aeronautics and Space Administration (“NASA”) in February 2012.  AHMADZADEGAN has also provided training to Iranian intelligence personnel.  GHAFFARINIA was the other co-founder of MERSAD and created malicious computer code used to build MERSAD’s botnet for the DDoS campaign.  GHAFFARINIA was also a member of Sun Army and ADST, and has also claimed responsibility for hacking NASA servers in February 2012, as well as thousands of other servers in the United States, the United Kingdom, and Israel.  KEISSAR procured computer servers used to access, manipulate, and test MERSAD’s botnet.  SAEDI wrote computer scripts used to locate vulnerable servers to build MERSAD’s botnet.  SAEDI was also a former Sun Army computer hacker who expressly touted himself as an expert in DDoS attacks.

Bowman Dam Intrusion

Between August 28, 2013, and September 18, 2013, FIROOZI repeatedly obtained unauthorized access to the SCADA systems of the Bowman Dam, in Rye, New York, which allowed him to repeatedly obtain information regarding the status and operation of the dam, including information about the water levels and temperature, and the status of the sluice gate, which is responsible for controlling water levels and flow rates.  Although that access would normally have permitted FIROOZI to remotely operate and manipulate the Bowman Dam’s sluice gate, unbeknownst to FIROOZI, the sluice gate had been manually disconnected for maintenance at the time of his intrusion.

*                *                *

FATHI, 37; FIROOZI, 34; SHOKOHI, 25; AHMADZADEGAN, 23; GHAFFARINIA, 25; KEISSAR, 25; and SAEDI, 26, all citizens and residents of Iran, are each charged with one count of conspiracy to commit and aid and abet computer hacking, which carries a maximum sentence of 10 years in prison.  FIROOZI is also charged with an additional count of obtaining and aiding and abetting unauthorized access to a protected computer, which carries a maximum sentence of five years in prison.

Mr. Bharara praised the outstanding investigative work of the FBI and the multiple FBI Field Offices that participated in the investigation, which included agents from the Chicago, Cincinnati, New York, Newark, Phoenix, and San Francisco FBI Field Offices.  Mr. Bharara also thanked the Department of Homeland Security for its work to remediate the intrusion at the Bowman Dam.

The prosecution of this case is being handled by the Office’s Complex Frauds and Cybercrime Unit.  Assistant United States Attorney Timothy T. Howard is in charge of the prosecution, with assistance provided by Deputy Chief Sean M. Newell of the National Security Division’s Counterintelligence and Export Control Section.

The charges contained in the Indictment are merely accusations and the defendants are presumed innocent unless and until proven guilty.


[1] As the introductory phrase signifies, the entirety of the text of the Indictment, and the description of the Indictment set forth herein, constitute only allegations, and every fact described should be treated as an allegation.

Updated March 24, 2016

Press Release Number: 16-065