Hacking Tools

Two Iranian men were recently indicted in the United States for deploying ransomware to extort hospitals, municipalities and public institutions. We take a look at how a 34-month long international computer hacking and extortion scheme was dismantled, the increased internationalisation of criminal law for cybercrime offences and the increasing use of successful multilateral co-operation as encouraged by the Budapest Convention – the international cybercrime treaty.


Case Facts

The two men, acting from inside Iran, created malware capable of forcibly encrypting data on the computers of victims. The more than 200 victims included hospitals, public institutions, hospitals and healthcare-related entities, multiple municipalities within the U.S. such as Newark, New Jersey, as well as the University of Calgary in Alberta, Canada.

The two men then proceeded to extort the victims, demanding a ransom paid in Bitcoin in exchange for decryption keys for the encrypted data. Bitcoin proceeds were converted into Iranian rial using Iran-based Bitcoin exchangers, collecting over $6 million USD in ransom payments and causing over $30 million USD in losses to victims.


Case Investigation and Global Partners

The case was investigated by the FBI’s Newark Field Office, with the support of domestic and international partners including other FBI divisions, the U.S. Justice Department and Office of International Affairs, the National Crime Agency (UK), West Yorkshire Police (UK), Calgary Police Service (Canada), and the Royal Canadian Mounted Police.

This multi-agency, multi-jurisdictional approach is likely to have provided for the effective sharing of information across borders without the need necessarily for formal mutual legal assistance requests.


Case Result

The two accused were charged with one count of conspiracy to commit wire fraud, one count of conspiracy to commit fraud and related activity in connection with computers, two substantive counts of intentional damage to a protected computer and two substantive counts of transmitting a demand in relation to damaging a protected computer.