Overview
Mansour Ahmadi is a U.S.-designated Iranian cyber hacker who, along with Ahmad Khatibi Aghda and Amir Hossein Nickaein Ravari, carried out a wide-ranging hacking campaign to compromise hundreds of computers across the United States and abroad. On September 14, 2022, Ahmadi was designated by the U.S. Department of the Treasury as a Specially Designated National (SDN) for carrying out cybercrimes in affiliation with the Islamic Revolutionary Guards Corps (IRGC), an Iranian government agency tasked with defending the regime against internal and external threats.“Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity,” U.S. Department of the Treasury, September 14, 2022, https://home.treasury.gov/news/press-releases/jy0948.
According to the U.S. Treasury Department, Ahmadi has been associated with Iran-based cyber company Najee Technology Hooshmand Fater LLC (Najee) since at least 2018 and serves as Najee’s managing director. Between October 2020 and August 2022, Ahmadi worked with Khatibi and Ravari to gain unauthorized access to target and hack into select computer networks. After gaining access, the men exfiltrated data, encrypted computer systems and extorted victims for ransom. Their activities—which compromised the operational capabilities of organizations across multiple sectors—targeted small businesses, government agencies, non-profit programs, and educational and religious institutions.“Three Iranian Nationals Charged With Engaging In Computer Intrusions And Ransomware-Style Extortion Against U.S. Critical Infrastructure Providers,” U.S. Department of Justice, September 14, 2022, https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style.
In February 2021, Ahmadi, Ravari, and Khatibi targeted a township in Union County, New Jersey. After gaining access to the township’s network and data, Ahmadi used a hacking tool to establish continued remote access. A year later, around February 2022, Ahmadi and his conspirators targeted an accounting firm based in Morris County, New Jersey, where they used a hacking tool to establish continued remote access and steal data from the firm. The defendants then heavily encrypted the firm’s computer systems in March 2022, demanding payment of $50,000 in cryptocurrency in exchange for the firm to regain access to some of its systems.“Three Iranian Nationals Charged With Engaging In Computer Intrusions And Ransomware-Style Extortion Against U.S. Critical Infrastructure Providers,” U.S. Department of Justice, September 14, 2022, https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style.
On August 10, 2022, a federal grand jury in New Jersey indicted Ahmadi, Khatibi, and Ravari on charges of conspiracy to commit fraud and related activity in connection with computers, intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer.“MANSOUR AHMADI,” Rewards for Justice, https://rewardsforjustice.net/rewards/mansour-ahmadi/#:~:text=Rewards%20for%20Justice%20is%20offering,infrastructure%20in%20violation%20of%20the. Ahmadi is charged with one additional count of intentionally damaging a protected computer.“Three Iranian Nationals Charged With Engaging In Computer Intrusions And Ransomware-Style Extortion Against U.S. Critical Infrastructure Providers,” U.S. Department of Justice, September 14, 2022, https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style.
Along with victims in New Jersey, the defendants also compromised data from an accounting firm in Illinois, regional electric utility companies based in Mississippi and Indiana, a public housing corporation in Washington, a domestic violence shelter in Pennsylvania, a county government in Wyoming, and a state bar association, among others. Ahmadi is charged with one additional count of intentionally damaging a protected computer.“Three Iranian Nationals Charged With Engaging In Computer Intrusions And Ransomware-Style Extortion Against U.S. Critical Infrastructure Providers,” U.S. Department of Justice, September 14, 2022, https://www.justice.gov/usao-nj/pr/three-iranian-nationals-charged-engaging-computer-intrusions-and-ransomware-style.
Given Ahmadi’s activities, on September 14, 2022, the U.S. Department of the Treasury designated Ahmadi as an SDN.“Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity,” U.S. Department of the Treasury, September 14, 2022, https://home.treasury.gov/news/press-releases/jy0948. Additionally, the U.S. Department of State’s Rewards for Justice program is offering $10 million for information leading to the capture of Ahmadi.MANSOUR AHMADI,” Rewards for Justice, https://rewardsforjustice.net/rewards/mansour-ahmadi/#:~:text=Rewards%20for%20Justice%20is%20offering,infrastructure%20in%20violation%20of%20the.
Associated Groups
- Extremist entity
- Islamic Revolutionary Guard Corps (IRGC)
- Read Threat Report
- Type(s) of Organization:
- Military, terrorist, transnational, violent
- Ideologies and Affiliations:
- Islamist, Khomeinist, Shiite, state actor
- Position(s):
- Cyber hacker and extortioner
The IRGC is an Iranian government agency tasked with defending the regime against internal and external threats. The IRGC uses secret police methods against its opponents within Iran, and terrorist tactics against its enemies abroad.
History
United States
The United States Department of the Treasury designated Mansour Ahmadi as a Specially Designated National on September 14, 2022.“Treasury Sanctions IRGC-Affiliated Cyber Actors for Roles in Ransomware Activity,” U.S. Department of the Treasury, September 14, 2022, https://home.treasury.gov/news/press-releases/jy0948.
Daily Dose
Extremists: Their Words. Their Actions.
Fact:
On August 23, 2017, Boko Haram insurgents attacked several villages in northern Nigeria’s Borno State. The extremists shot at villagers and slit their throats, killing 27 people and wounding at least 6 others.