A 40-year-old Jordanian national, Feras Khalil Ahmad Albashiti, recently pleaded guilty to charges related to his role as an access broker. He admitted to selling unauthorized access to at least 50 corporate networks, which he compromised in 2023 by exploiting vulnerabilities in two commercial firewall products, as stated by the Justice Department.
Albashiti, residing in the Republic of Georgia at the time, sold unauthorized network access to an undercover FBI agent through a cybercrime forum in May 2023. He operated under the alias “r1z,” according to court documents.
Over the following five months, the undercover FBI agent maintained communication with Albashiti, gathering evidence of further illicit activities. Albashiti was also accused of selling malware designed to disable endpoint detection and response (EDR) products from three distinct companies.
The effectiveness of Albashiti’s malware was demonstrated when, unknowingly to him, the FBI observed him deploying the EDR-disabling tool on an FBI server. This access had been granted by the agency as part of its ongoing investigation.
Further purchases by the undercover agent included malware designed to escalate internal user privileges without authorization, along with a modified version of a commercial penetration testing tool. These details were outlined in an affidavit submitted to the U.S. District Court of New Jersey.
Investigators traced the IP address Albashiti used to access the FBI server. This same IP address had been previously linked to intrusions into government systems of a U.S. territory and a ransomware attack against a U.S. manufacturing company in June 2023, which caused losses exceeding $50 million.
Authorities connected Albashiti to the “r1z” account on the cybercrime forum by identifying the Gmail address used to create it in 2018. This email address matched the one Albashiti used when applying for a U.S. visa with the State Department in October 2016.
The FBI acquired records pertaining to the cybercrime forum during the course of a separate investigation.
Albashiti’s arrest occurred in July 2024, and he has remained in custody since. He chose to waive prosecution by indictment, instead pleading guilty to charges of trafficking unauthorized access devices and login credentials.
Sentencing for Albashiti is scheduled for May. He could face a maximum of 10 years in prison and a fine of $250,000, an amount prosecutors indicated is double the gains or losses attributed to his criminal activities.
The affidavit can be accessed below.
