Cybercrime Broker Admits Selling Access to 50 Corporate Networks

Summary
– Feras Khalil Ahmad Albashiti, a 40-year-old Jordanian man, has pleaded guilty to selling unauthorized access to the computer networks of at least 50 companies to an undercover officer.
– Operating under the alias “r1z” on forums like XSS, he sold network access, exploits for vulnerabilities (including in Microsoft Exchange and Confluence), and malware designed to bypass security software.
– His identity was uncovered after he demonstrated an exploit on an FBI-monitored server, revealing his IP address, which was linked to a ransomware attack causing over $50 million in damages.
– Investigators connected the “r1z” alias to Albashiti through email records from the seized XSS forum, which matched a visa application and financial accounts in his name.
– Albashiti was arrested in Georgia, extradited to the U.S., and faces a maximum sentence of 10 years in prison and a $250,000 fine at his sentencing scheduled for May 2026.
A Jordanian man has pleaded guilty to charges of fraud after admitting he sold illegal access to the computer networks of dozens of major corporations. Feras Khalil Ahmad Albashiti, operating under the online alias ‘r1z’, conducted his illicit business on underground cybercrime forums, ultimately selling access to an undercover law enforcement officer. This case highlights the persistent threat posed by cybercrime brokers who act as intermediaries, providing other criminals with the initial foothold needed for devastating attacks like ransomware.
Court documents reveal that in May 2023, Albashiti sold unauthorized access to networks belonging to at least 50 victim companies in exchange for cryptocurrency. The transaction was part of an FBI sting operation that began when agents were monitoring a forum known for the sale of malware and malicious code. While the specific forum wasn’t named in the plea, previous cybersecurity reports identified ‘r1z’ as a credible threat actor who frequently advertised on the notorious Russian-language XSS Forum.
His criminal offerings were extensive. In June 2022, researchers from the firm Kela observed r1z selling access to 30 SonicVPN and 50 Microsoft Exchange servers, claiming to have a “working exploit.” Evidence suggests he may have possessed a custom exploit for a critical Microsoft Exchange vulnerability known as CVE-2021-42321. That same month, he was also seen selling access to 50 American companies through a flaw in Atlassian Confluence software, leveraging another critical vulnerability tracked as CVE-2022-26134. He even offered a list of 10,000 potentially vulnerable machines for sale.
The scope of his activities expanded beyond just network access. By February 2023, he was promoting malware designed to evade endpoint detection and response (EDR) and antivirus (AV) solutions. This malicious software functioned as a persistent backdoor, harvested credentials, dropped additional malware, and removed event logs to cover its tracks.
Albashiti’s downfall was ultimately due to operational security failures. After an undercover FBI agent purchased access to the 50 corporate networks, r1z sold the agent an exploit to bypass a specific EDR product. To demonstrate its effectiveness, he unknowingly tested the exploit on an FBI-operated server. This mistake allowed investigators to uncover his real IP address, which was later connected to a separate ransomware attack against a U.S. manufacturing firm that resulted in over $50 million in damages.
Further investigation, including records seized after the XSS Forum was taken down, definitively linked the ‘r1z’ alias to Albashiti. The Gmail account used for the forum was the same one he used in 2016 to apply for a U.S. visa. This email was also connected to a Google Pay account and credit cards under variations of his real name. At the time of his arrest, Albashiti was living in Georgia and was extradited to the United States in July 2024.
He now awaits sentencing, scheduled for May 2026. Albashiti faces a maximum penalty of 10 years in prison and a fine of up to $250,000, or twice the gross gain or loss from his crimes. His guilty plea underscores the increasing focus of international law enforcement on dismantling the digital marketplaces that fuel the global cybercrime economy.
(Source: Help Net Security)
