Ahmad Khatibi Aghda

Ahmad Khatibi Aghda is a U.S.-designated Iranian cyber terrorist who is wanted for his alleged involvement in a campaign to compromise hundreds of computers across the United States and abroad. On September 14, 2022, Khatibi was designated by the U.S. Department of the Treasury as a Specially Designated National (SDN) for carrying out cybercrimes in connection with a company that is affiliated with the Islamic Revolutionary Guards Corps (IRGC), an Iranian government agency tasked with defending the regime against internal and external threats. “Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity,” U.S. Department of the Treasury, September 14, 2022, https://home.treasury.gov/news/press-releases/jy0948.

From at least 2007, Khatibi has worked at Afkar System Yazd Co. (Afkar System) where he eventually served as its managing director and a member of its board. Between October 2020 and August 2022, Khatibi worked with Mansour Ahmadi and Amir Hossein Nickaein Ravari to gain unauthorized access to protected networks in the U.S. and abroad. After gaining access, the men exfiltrated data, encrypted computer systems, and demanded ransom for decryption keys. Their activities—which compromised the operational capabilities of organizations across multiple sectors—targeted small businesses, government agencies, non-profit programs, and educational and religious institutions. “Three Iranian Nationals Charged With Engaging In Computer Intrusions And Ransomware-Style Extortion Against U.S. Critical Infrastructure Providers,” U.S. Department of Justice, September 14, 2022, https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style; “Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity,” U.S. Department of the Treasury, September 14, 2022, https://home.treasury.gov/news/press-releases/jy0948.

In February 2021, Khatibi and his conspirators targeted a township in Union County, New Jersey. After gaining access to the township’s network and data, Ahmadi used a hacking tool to establish continued remote access. A year later, around February 2022, Khatibi, Ravari, and Ahmadi targeted an accounting firm based in Morris County, New Jersey, where they used a hacking tool to establish continued remote access and steal data from the firm. The defendants then heavily encrypted the firm’s computer systems in March 2022, demanding payment of $50,000 in cryptocurrency in exchange for the firm to regain access to some of its systems. “Three Iranian Nationals Charged With Engaging In Computer Intrusions And Ransomware-Style Extortion Against U.S. Critical Infrastructure Providers,” U.S. Department of Justice, September 14, 2022, https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style.

On August 10, 2022, a federal grand jury in New Jersey indicted Khatibi, Ahmadi, and Ravari on charges of conspiracy to commit fraud and related activity in connection with computers, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer. “AHMAD KHATIBI AGHDA,” Federal Bureau of Investigation, https://www.fbi.gov/wanted/cyber/ahmad-khatibi-aghda. Along with victims in New Jersey, the defendants also compromised data from an accounting firm in Illinois, regional electric utility companies based in Mississippi and Indiana, a public housing corporation in Washington, a domestic violence shelter in Pennsylvania, a county government in Wyoming, and a state bar association, among others. If found guilty, the men face between five and 10 years imprisonment. “Three Iranian Nationals Charged With Engaging In Computer Intrusions And Ransomware-Style Extortion Against U.S. Critical Infrastructure Providers,” U.S. Department of Justice, September 14, 2022, https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style.

Given Khatibi’s activities, on September 14, 2022, the U.S. Department of the Treasury designated Khatibi as an SDN. “Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity,” U.S. Department of the Treasury, September 14, 2022, https://home.treasury.gov/news/press-releases/jy0948. Additionally, the U.S. Department of State’s Rewards for Justice program is offering $10 million for information leading to the whereabouts of Khatibi. “Ahmad Khatibi Aghda,” Rewards for Justice, https://rewardsforjustice.net/rewards/ahmad-khatibi-aghda/.

Also Known As

Extremist entity: Islamic Revolutionary Guard Corps (IRGC)
Type(s) of Organization: Military, terrorist, transnational, violent
Ideologies and Affiliations: Islamist, Khomeinist, Shiite, state actor
Position(s): Islamist, Khomeinist, Shiite, state actor

The IRGC is an Iranian government agency tasked with defending the regime against internal and external threats. The IRGC uses secret police methods against its opponents within Iran, and terrorist tactics against its enemies abroad.

  • Designations

United States

  • The United States Department of the Treasury designated Ahmad Khatibi Aghda as a Specially Designated National on September 14, 2022. “Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity,” U.S. Department of the Treasury, September 14, 2022, https://home.treasury.gov/news/press-releases/jy0948.
