DriftSeasAI Agent Reviews
Home
National Security Archive
Scanned document

United States District Court for the District of Vermont, "United States of America v. Mohammed Saeed Ajily and Mohammed Reza Rezakhah, Defendants, Superseding Indictment," Filed April 21, 2016. Unclassified.

Na

National Security Archive

May 23, 202619 min read

A 2016 indictment exposes an Iranian‑run cyber‑theft ring that stole a U.S. defense‑software package and sold it to sanctioned customers, merging export‑control law with computer‑fraud statutes.

Source: United States District Court for the District of Vermont, "United States of America v. Mohammed Saeed Ajily and Mohammed Reza Rezakhah, Defendants, Superseding Indictment," Filed April 21, 2016. Unclassified. Date: Apr 21, 2016 Archive: United States Department of Justice.

Editorial Analysis

Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.

A Sanction‑Busting Cyber‑Crime Ring in the Age of Digital Warfare

The superseding indictment filed in the U.S. District Court for the District of Vermont on April 21, 2016 unravels a transnational conspiracy that blended classic export‑control violations with modern computer‑intrusion tactics. At its core were two Iranian nationals—Mohammed Saeed Ajily, a businessman, and Mohammed Reza Rezakhah, a self‑styled “software cracker.” The grand‑jury charge paints them as the operational hub of a network that used compromised servers in Canada and the Netherlands to steal Arrow Tech’s PRODAS software, a high‑value ballistic‑design package listed on the United States Munitions List, and then funnel it to Iranian military customers in direct breach of U.S. sanctions.

The indictment emerged against the backdrop of the Obama administration’s “strategic patience” toward Iran, a period marked by heightened enforcement of the 2010 Comprehensive Iran Sanctions, Accountability, and Divestment Act (CISADA). While diplomatic negotiations over a nuclear deal dominated headlines, the Justice Department was quietly expanding its reach into the cyber‑realm, treating illicit software export as a national‑security threat comparable to smuggling missile components. The case therefore sits at the intersection of two broader historical currents: the post‑9/11 expansion of computer‑fraud statutes (notably 18 U.S.C. § 1030) and the tightening of export‑control regimes in response to the diffusion of dual‑use technologies.

Key actors surface through the indictment’s narrative. Ajily, described as an “Iranian businessman,” leveraged a front company, Andisheh Vesal Middle East Company, to market stolen software and even boasted of selling PRODAS without a State Department license. Rezakhah, identified as a “computer hacker and software ‘cracker,’” operated under the alias Dongle Labs, offering services that stripped encryption from protected applications. Their collaborator, Nima Golestaneh, supplied offshore servers—one Canadian, one Dutch—explicitly to mask the origin of the intrusions. The indictment’s language (“knowingly and willfully conspired”) underscores a calculated, not opportunistic, breach of both the Computer Fraud and Abuse Act and the International Traffic in Arms Regulations (ITAR).

Reading between the lines, the document reveals how the conspirators adapted traditional smuggling techniques to a digital environment. Rather than physically shipping prohibited hardware, they exfiltrated code, used dongle‑bypass tools, and transmitted the data across international networks, exploiting jurisdictional blind spots. The mention of “value of the information…exceeded $5,000” is a statutory threshold that transforms a mere privacy violation into a federal felony, indicating the government’s intent to attach severe penalties. Moreover, the indictment’s focus on “certificates of appreciation” from Iranian military entities hints at a tacit endorsement from the regime, suggesting that the United States viewed the theft not merely as commercial piracy but as a conduit for bolstering Iran’s ballistic capabilities.

The significance of this case extends beyond the courtroom. It marked one of the first times the Justice Department pursued a criminal prosecution that combined export‑control violations with computer‑intrusion offenses, setting a precedent for how cyber‑theft of defense‑related software would be treated under U.S. law. The indictment also foreshadowed the later “Operation Tide Hopper” and “Operation Windsor” investigations, which similarly targeted illicit software transfer networks linked to sanctioned states. By framing the theft of PRODAS as a national‑security breach, the government signaled that digital espionage could trigger the same export‑control enforcement mechanisms traditionally reserved for physical arms shipments.

Legacy-wise, the case informs contemporary policy debates over “cyber‑sanctions” and the extraterritorial reach of U.S. export regulations. As modern weapons systems become increasingly software‑centric, the line between a stolen engineering tool and a prohibited weapon blurs. The Ajily‑Rezakhah indictment thus serves as an early legal template for addressing that blur, illustrating how prosecutors can marshal both ITAR and the Computer Fraud and Abuse Act to pursue actors who operate in the shadowy overlap of cybercrime and geopolitics.

Page 1

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 1 of 14

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF VERMONT

[U.S. DISTRICT COURT DISTRICT OF VERMONT FILED 2016 APR 21 AM 11:43 CLERK BY DEPUTY CLERK]

UNITED STATES OF AMERICA ) ) No. 2:15-CR-15-1, 2 (WKS) v. ) ) (18 U.S.C. §§ 371, 1030(a)(2), 1030 MOHAMMED SAEED AJILY and ) (c)(2)(B)(iii), 1343, & 2; 22 U.S.C. §§ MOHAMMED REZA REZAKHAH, ) 2778(b)(2) & (c); 22 C.F.R. §§ 121.2, Defendants ) 123.1, 127.1; 50 U.S.C. § 1705; 31 ) C.F.R. §§ 560.203 and 560.204)

SUPERSEDING INDICTMENT

The Grand Jury Charges:

Count One

INTRODUCTION

At all times relevant to this indictment:

  1. Arrow Tech was a Vermont-based engineering consulting and software company that did business in interstate and foreign commerce. Arrow Tech’s primary product was PRODAS (Projectile Rocket Ordnance Design and Analysis System), a proprietary software that assists users in, among other things, aerodynamics analysis and design for projectiles from bullets to GPS guided artillery shells. PRODAS was designated as a “defense article” on the United States Munitions List under the International Traffic in Arms Regulations.

  2. Arrow Tech marketed its products, including PRODAS, through its website. Depending on customization and customer support packages, PRODAS typically sold for between $40,000 and $800,000.

Page 2

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 2 of 14

  1. In order to obtain a copy of the software, customers downloaded a locked version of the software from Arrow Tech's website and received a special hardware key, or "dongle," with a code to allow access to the software. Arrow Tech's website informed foreign customers that "Arrow Tech software shipped outside of the United States requires an Export License approved by the United States State Department."

  2. MOHAMMED REZA REZAKHAH was a citizen of Iran and worked as a computer hacker and software "cracker," (i.e. someone who breaks protective encryption to allow the use of restricted software). REZAKHAH and co-conspirator Nima Golestaneh operated under the company name "Dongle Labs" to sell customers the capability to circumvent these types of protections on a variety of software packages. REZAKHAH also conducted other hacking and cracking activities at the direction of MOHAMMED SAEED AJILY. REZAKHAH frequently relied upon servers obtained by co-conspirator Nima Golestaneh in order to conduct his illicit online activities.

  3. MOHAMMED SAEED AJILY was an Iranian businessman who used a group of hackers and crackers, including REZAKHAH, to obtain software in contravention of Western sanctions against Iran for the Iranian market, including for Iranian military and government entities. AJILY did so through multiple companies, including Andisheh Vesal Middle East Company. In addition to payment, he received certificates of appreciation for his work from several of the Iranian government and military entities.

CONSPIRACY

  1. From at least as early as August 2007 through at least May 2013, in the District of Vermont and elsewhere, the defendants MOHAMMED REZA REZAKHAH and MOHAMMED SAEED AJILY knowingly and willfully conspired with each other and others known and
Page 3

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 3 of 14

unknown to the grand jury, including Nima Golestaneh, to intentionally access protected computers without authorization and thereby obtain information from the protected computers where the value of the information obtained exceeded $5,000.00, in violation of 18 U.S.C. §§ 1030(a)(2) and 1030(c)(2)(B)(iii).

OBJECT OF THE CONSPIRACY

  1. It was the object of the conspiracy that the defendants MOHAMMED REZA REZAKHAH and MOHAMMED SAEED AJILY would access computers without authorization in order to obtain software, and would sell and redistribute the software in Iran, a country against which the United States has economic sanctions, and elsewhere outside of the United States. In many instances, including PRODAS, the sale and redistribution of such software was in violation of United States sanctions and export licensing requirements.

MANNER AND MEANS OF THE CONSPIRACY

  1. It was part of the conspiracy that MOHAMMED SAEED AJILY would task MOHAMMED REZA REZAKHAH and others with obtaining or cracking particular pieces of software for him to market and sell.

  2. It was further a part of the conspiracy that Nima Golestaneh, a known co-conspirator, would acquire access to servers, including a Canadian server ("Server 1") and a Dutch server ("Server 2"), knowing that they would be used, among other things, to obtain unauthorized access to other computers.

  3. It was further a part of the conspiracy that MOHAMMED REZA REZAKHAH would use the servers Golestaneh acquired to conduct unauthorized computer intrusions so that the intrusions would be more difficult to trace.

  4. It was further a part of the conspiracy that MOHAMMED REZA REZAKHAH, Nima

Page 4

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 4 of 14

Golestaneh and others would use a variety of names and email addresses to further conceal their identities and their association with the computer intrusions.

  1. It was further a part of the conspiracy that MOHAMMED REZA REZAKHAH would use servers Nima Golestaneh acquired to gain unauthorized access to Arrow Tech's computers despite Arrow Tech's security precautions.

  2. It was further a part of the conspiracy that MOHAMMED REZA REZAKHAH would use the unauthorized access to Arrow Tech's computers to steal PRODAS and other proprietary information and to transmit such software and information to Server 2.

  3. It was further a part of the conspiracy that MOHAMMED SAEED AJILY would market and sell software, including Arrow Tech's PRODAS, in Iran and elsewhere outside the United States once it was acquired by the conspiracy.

OVERT ACTS

  1. In furtherance of the conspiracy, on or about August 23, 2007, MOHAMMED SAEED AJILY tasked MOHAMMED REZA REZAKHAH with cracking software on behalf of an Iranian customer.

  2. In furtherance of the conspiracy, on or about January 4, 2012, MOHAMMED SAEED AJILY offered software for sale from Andisheh Vesal Middle East Company, including a version of Arrow Tech's PRODAS. In describing PRODAS, AJILY noted that he could provide the software to Iranian purchasers without obtaining the necessary licenses from the United States Government.

  3. In furtherance of the conspiracy, on or about January 4, 2012, MOHAMMED SAEED AJILY advertised what he referred to as his group of software hackers and crackers and their ability to circumvent Western sanctions against Iran by hacking the servers of software

Page 5

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 5 of 14

manufacturers and cracking software protections in order to obtain software for Iranian entities, including government entities and purported research centers and military production industries, all in contravention of Western sanctions against Iran. Such entities included, but were not limited to, Malek Ashtar Defense University, Tehran University, Sharif Technical University, Khvajeh Nasir University, and Shiraz Electro Optic Industry.

  1. In furtherance of the conspiracy, from at least as early as April 2012, Nima Golestaneh acquired access to servers, including Server 1 and Server 2, knowing that they would be used, among other things, to obtain unauthorized access to other computers.

  2. In furtherance of the conspiracy, on or about July 31, 2012, MOHAMMED SAEED AJILY tasked MOHAMMED REZA REZAKHAH with obtaining software from a Western company specializing in aerospace control and simulation technology.

  3. In furtherance of the conspiracy, on or about October 22, 2012, MOHAMMED REZA REZAKHAH sent a wire communication from Server 1 located outside the United States to Arrow Tech's website hosted in Vermont, transmitting computer commands designed to provide unauthorized access to Arrow Tech's computers.

  4. In furtherance of the conspiracy, on or about October 22, 2012, MOHAMMED REZA REZAKHAH sent a wire communication from Server 2 located outside the United States to Arrow Tech's website hosted in Vermont transmitting computer commands designed to provide unauthorized access to Arrow Tech's computers.

  5. In furtherance of the conspiracy, on or about October 22, 2012, MOHAMMED REZA REZAKHAH sent a wire communication from a third computer located outside the United States to Arrow Tech's website hosted in Vermont transmitting computer commands designed to provide unauthorized access to Arrow Tech's computers.

Page 6

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 6 of 14

  1. In furtherance of the conspiracy, on or about October 22, 2012, MOHAMMED REZA REZAKHAH obtained unauthorized access to at least one Arrow Tech computer in Vermont.
  2. In furtherance of the conspiracy, on or about October 22, 2012, MOHAMMED REZA REZAKHAH sent a wire communication from an Arrow Tech computer in Vermont to Server 2 outside the United States transmitting version 3.6.5 of PRODAS, a version that had been in existence since only in or around June 2012, and other proprietary information.
  3. In furtherance of the conspiracy, on or about April 8, 2013, MOHAMMED SAEED AJILY offered software for sale, including Arrow Tech's PRODAS, using marketing materials similar to those used on or about January 4, 2012.

(18 U.S.C. § 371)

Page 7

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 7 of 14

Count Two

  1. The Grand Jury repeats and realleges paragraphs 1 through 5 and 7 through 25 of Count One of this Indictment.

  2. On or about October 22, 2012, in the District of Vermont and elsewhere, the defendants MOHAMMED REZA REZAKHAH and MOHAMMED SAEED AJILY intentionally accessed, and aided and abetted the accessing of, a computer without authorization, and thereby obtained information from a protected computer where the value of the information obtained exceeded $5,000.00.

(18 U.S.C. §§ 1030(a)(2) and(c)(2)(B)(iii) & 2)

Page 8

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 8 of 14

Counts Three – Six

  1. The Grand Jury repeats and realleges paragraphs 1 through 5 and 7 through 25 of Count 1 of this Indictment.

  2. From at least as early as April 2012 through at least May 2013, the defendant MOHAMMED REZA REZAKHAH, MOHAMMED SAEED AJILY, and others known and unknown to the grand jury, including Nima Golestaneh, intended to devise a scheme to defraud Arrow Tech and other software companies, and to obtain property from Arrow Tech and other software companies by means of materially false and fraudulent pretenses, representations, and promises.

  3. On or about the following date, in the District of Vermont and elsewhere, the defendant MOHAMMED REZA REZAKHAH, MOHAMMED SAEED AJILY, and others known and unknown to the grand jury, including Nima Golestaneh, knowingly caused to be transmitted by means of wire communication in interstate and foreign commerce, and aided and abetted the causing of such transmission, the following signals and sounds in furtherance of the scheme to defraud:

COUNT DATE WIRE COMMUNICATION
3 October 22, 2012 From Server 1 outside of the United States to Arrow Tech's website hosted in Vermont, transmission of computer commands designed to provide unauthorized access to Arrow Tech's computers
4 October 22, 2012 From Server 2 outside of the United States to Arrow Tech's website hosted in Vermont, transmission of computer commands designed to provide unauthorized access to Arrow Tech's computers
Page 9

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 9 of 14

5 October 22, 2012 From a computer outside the United States to Arrow Tech's website hosted in Vermont, transmission of computer commands designed to provide unauthorized access to Arrow Tech's computers
6 October 22, 2012 From an Arrow Tech computer in Vermont to Server 2 outside of the United States, transmission of proprietary software and other proprietary information

(18 U.S.C. §§ 1343 & 2)

Page 10

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 10 of 14

Count Seven

  1. The Grand Jury repeats and realleges paragraphs 1 through 5 and 7 through 25 of Count One of this Indictment.

  2. The Arms Export Control Act (“AECA”), 22 U.S.C. § 2778, authorized the President of the United States, among other things, to control the export of “defense articles.” 22 U.S.C. § 2778(a)(1). AECA also gave the President the authority to designate items as “defense articles.” Id. As a practical matter, that task was performed by the Department of State (“DOS”), with the concurrence of the Department of Defense, through regulations that were promulgated by the DOS’s Directorate of Defense Trade Controls (“DDTC”). 22 C.F.R. Parts 120.1 and 120.2. The regulations promulgated by the DDTC were known as the International Traffic in Arms Regulations (“ITAR”), and specify items that are designated as defense articles. 22 C.F.R. Parts 120 – 130. All defense articles were identified by category in a portion of the ITAR that is known as the “United States Munitions List.” Any person seeking to export defense articles listed in the ITAR must request and obtain a license from the DOS before doing so.

  3. At no time relative to this Indictment did defendants MOHAMMED REZA REZAKHAH, MOHAMMED SAEED AJILY, or any co-conspirators, including Nima Golestaneh, request or obtain the required license from the Department of State for the export of PRODAS.

  4. From at least as early as January 2012 through at least May 2013, in the District of Vermont and elsewhere, the defendants MOHAMMED REZA REZAKHAH and MOHAMMED SAEED AJILY knowingly and willfully exported and caused to be exported, and attempted to export and caused to be exported, from the United States through the Netherlands to Iran, Arrow Tech’s PRODAS software, which was designated as an ITAR-controlled defense article on the

Page 11

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 11 of 14

United States Munitions List, without having first obtained from the Department of State the required license for such export or written authorization for such export. MOHAMMED REZA REZAKHAH and MOHAMMED SAEED AJILY did so by transmitting PRODAS from the United States via the Internet and by disclosing PRODAS to foreign persons, including themselves.

(22 U.S.C. §§ 2778(b)(2) & (c), 22 C.F.R. §§ 121.1, 123.1, 127.1, & 18 U.S.C. § 2)

Page 12

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 12 of 14

Count Eight

  1. The Grand Jury repeats and realleges paragraphs 1 through 5, and 7 through 25, of Count One of this Indictment.

  2. The International Emergency Economic Powers Act ("IEEPA"), 50 U.S.C. §§ 1701-1706, authorized the President of the United States ("the President") to impose economic sanctions on a foreign country in response to an unusual or extraordinary threat to the national security, foreign policy or economy of the United States when the President declares a national emergency with respect to that threat. Pursuant to the authority under the IEEPA, the President and the executive branch have issued orders and regulations governing and prohibiting certain transactions with Iran by U.S. persons or involving U.S.-origin goods.

  3. Beginning with Executive Order No. 12170, issued on November 14, 1979, the President found that "the situation in Iran constitutes an unusual and extraordinary threat to the national security, foreign policy and economy of the United States and declare[d] a national emergency to deal with that threat."

  4. On May 6, 1995, the President issued Executive Order No. 12959, adopting and continuing Executive Order No. 12170 (collectively, the "Executive Orders"), and prohibiting, among other things, the exportation, re-exportation, sale, or supply, directly or indirectly, to Iran of any goods, technology, or services from the U.S. or by a U.S. person. The Executive Orders authorized the U.S. Secretary of the Treasury to promulgate rules and regulations necessary to carry out the Executive Orders. Pursuant to this authority, the Secretary of the Treasury promulgated the Iranian Transactions and Sanctions Regulations ("ITSR"), implementing the sanctions imposed by the Executive Orders.

  5. The ITSR generally prohibited any person from exporting or causing to be exported from the U.S. any goods, services or technology without having first obtained an export license from

Page 13

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 13 of 14

the U.S. Department of the Treasury, Office of Foreign Assets Control (“OFAC”), which is located in the District of Columbia. The ITSR imposed, among others, the following prohibitions:

Section 560.203 - Prohibition of any Transaction to Evade or Avoid the Embargo and any Attempt to Violate the Embargo:

Any transaction by any United States person or within the United States that evades or avoids, or has the purpose of evading or avoiding, or attempts to violate, any of the prohibitions contained in this part is hereby prohibited.

Section 560.204 - Prohibition of any Sale or Supply of any Goods, Technology, Services to Iran or the Iranian Government:

Except as otherwise authorized [by a license issued by OFAC], the exportation, . . . sale, or supply, directly or indirectly, from the United States, or by a United States person, wherever located, of any goods, technology, or services to Iran or the Government of Iran is prohibited, including the exportation, . . . sale, or supply of any goods, technology, or services to a person in a third country undertaken with knowledge or reason to know that:

Such goods, technology, or services are intended specifically for supply . . . or re-exportation directly or indirectly, to Iran or the Government of Iran . . . .

  1. The Iran Trade Embargo and the ITSR were in effect at all times relevant to this Indictment.

  2. At no time relevant to this Indictment did defendants MOHAMMED REZA REZAKHAH, MOHAMMED SAEED AJILY, or any co-conspirators including Nima Golestaneh, apply for, receive, or possess a license from OFAC to export goods, technology, or services to Iran of any kind.

  3. From at least as early as January 2012 through at least May 2013, in the District of Vermont and elsewhere, the defendants MOHAMMED REZA REZAKHAH and MOHAMMED SAEED AJILY did knowingly and willfully violate and attempt to violate the embargo against

Page 14

Case 2:15-cr-00015-wks SEALED Document 6 Filed 04/21/16 Page 14 of 14

Iran by exporting and attempting to export software, including the PRODAS software, from the United States to Iran without first having obtained the required licenses and authorizations from the U.S. Department of the Treasury's OFAC. (50 U.S.C. § 1705, 31 C.F.R. §§ 560.203 and 560.204, & 18 U.S.C § 2)

A TRUE BILL

[illegible] FOREPERSON

ERIC S. MILLER United States Attorney Burlington, VT April 21, 2016

Page 15

NATIONAL SECURITY ARCHIVE

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu

Keywords

declassifiedNational Security Archive

Sources & References

  1. [1]United States District Court for the District of Vermont, "United States of America v. Mohammed Saeed Ajily and Mohammed Reza Rezakhah, Defendants, Superseding Indictment," Filed April 21, 2016. Unclassified.

Keep reading

More related articles from DriftSeas.

National Security Archive

Office of the National Counterintelligence Executive, Foreign Spies Stealing US Economic Secrets in Cyberspace: Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011 . October 2011. Unclassified. [2708]

This document reports on cyber-enabled economic and industrial espionage between 2009 and 2011 and makes projections for the impact of new technologies, shifting workforce culture, and changes in the focus of foreign collectors.

Jun 1
National Security Archive

Air University Press, Command and Control Warfare: Putting Another Tool in the War-Fighter's Data Base . September 1994. Unclassified. [3272]

This report examines the potential for command and control warfare, or battlefield information warfare, and makes recommendations for its implementation and integration into US doctrine.

Jun 1
National Security Archive

Memorandum to Boris Yeltsin from Russian Supreme Soviet delegation to NATO HQs

This document is important for describing the clear message in 1991 from the highest levels of NATO – Secretary General Manfred Woerner – that NATO expansion was not happening. The audience was a Russian Supreme Soviet delegation, which in this memo was reporting back to Boris Yeltsin (who in June h

Jun 1