Iranian Hackers Used Victims’ Printers To Issue Ransom Demands

upporters of Irans Supreme Leader Ayatollah Ali Khamenei wave Iranian flags as one of them holds a portrait of former commander of IRGC Quds Force, General Qasem Soleimani, during a gathering to chant the Hymn Hello Commander at the one hundred thousand s

Image: Morteza Nikoubazl/NurPhoto via Getty Images

Screen Shot 2021-02-24 at 3

Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.

Prolific Iranian hackers put a new twist on an old format: The ransom note.

Last year, three alleged Iranian hackers used their victims’ printers to deliver ransom notes, according to an indictment published today by the Department of Justice. According to the DOJ, the hackers put ransomware on victims’ computers, then used their printers to issue demands.


On Wednesday, prosecutors accused Iranian citizens Mansour Ahmadi, Ahmad Khatibi Aghda, and Amir Hossein Nickaein Ravari of hacking several companies and governmental organizations in the United States, the UK, and Iran.

Screen Shot 2022-09-14 at 11.41.27 AM.png

“By publicly naming them we are stripping the anonymity away. They cannot operate anonymously from the shadows anymore,” U.S. Attorney Philip R. Sellinger said in a press conference. 

Do you track ransomware hackers and their activities? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email

The victims that received the printed out ransom demands were only identified as an accounting firm, a power company, a domestic violence shelter, and a construction company, according to the indictment. 

Screen Shot 2022-09-14 at 11.55.05 AM.png

Ahmadi and Khatibi are owners of two respective technology companies in Iran, while Nickaein was an employee of Khatibi’s company, according to the indictment. The three are accused of hacking 10 or more computers during a one-year period to try to extort victims with ransomware, and to steal victims’ data threatening them to publish it. 

According to the indictment, the three alleged hackers don’t appear to be particularly sophisticated, as they exploited known vulnerabilities, and created domains that were designed to look like the websites of “legitimate, well-known,” tech companies. In some cases, the hackers used Microsoft’s own encryption technology, BitLocker, to encrypt victims’ networks and computers. 

In at least one case, the one affecting the domestic violence shelter, the hackers were able to collect a ransom of $13,000 in Bitcoin, the feds said. 

Sign up for Motherboard’s daily newsletter for a regular dose of our original reporting, plus behind-the-scenes content about our biggest stories.