Jordanian initial access broker pleads guilty to helping target 50 companies
A Jordanian national pleaded guilty on Thursday to charges of selling access to the networks of at least 50 companies through a cybercriminal forum.
Feras Albashiti, 40, is facing a maximum penalty of 10 years in prison after being charged with fraud and related activity in connection with access devices. His sentencing will take place in May.
Court documents said an undercover FBI agent first began communicating with Albashiti in May 2023 during an unrelated investigation of an unnamed cybercrime forum.
Operating under the username "r1z," Albashiti initially sold the undercover agent a cracked version of a penetration testing tool before selling access to 50 companies through two different exploits of firewalls for $5,000.
By September 2023, the undercover agent contacted Albashiti again about malware that could turn off endpoint detection and response tools, also known as an EDR killer. Albashiti offered powerful malware that could disable three different brands of EDR, and the FBI paid $15,000 for one version of it.
In the indictment, the FBI noted that the malware "is novel and appears to be highly effective at compromising victim computer networks."
While testing the malware for the undercover agent, the FBI was able to track Albashiti’s IP address. The indictment adds that the same IP address was involved in a June 2023 ransomware attack against a U.S. manufacturing company that caused about $50 million worth of damage. Prosecutors did not specify which company.
The FBI was eventually able to trace the "r1z" cybercrime forum account to Albashiti because it was registered with the same email address that was used to apply for a U.S. visa in 2016. That Gmail address was also linked to several other accounts and payment cards registered under Albashiti's name.
Albashiti resided in Tbilisi, Georgia, at the time of his indictment and was extradited to the U.S. in July 2024.
After months of lawyer changes, Albashiti eventually agreed to a plea deal, admitting that he sold access to the 50 companies.
A known threat
Initial access brokers are key cogs in the cybercrime ecosystem, doing the difficult work of breaking into victim networks and then either selling that access or exploiting it themselves.
The r1z account was spotlighted by multiple cybersecurity companies and government agencies for years, with many regarding it as a legitimate threat actor offering working exploits of security products.
Fortinet, a cybersecurity company and large manufacturer of firewalls, published a report in 2022 about r1z, warning that the threat actor had “advertised access to 50 vulnerable Confluence servers acquired by exploiting the critical Confluence unauthenticated RCE vulnerability, tracked as CVE-2022-26134, and claimed to be in possession of a list of over 10,000 vulnerable Confluence servers.”
The "r1z" account was listed by Fortinet as one of 24 credible threat actors in 2022. The cybersecurity agency within the U.S. Health and Human Services Department also cited "r1z" as credible in its own 2022 report.
The Health-ISAC cyber information sharing organization warned healthcare organizations in January 2023 that r1z is a “known and credible” seller of illicit versions of Cobalt Strike, a popular penetration testing tool. The organization said the account “has been active since around June 2022 and has previously offered unauthorized access via compromised Confluence, Microsoft Exchange, SonicVPN, and VMWare accounts.”
The r1z moniker appeared to have accounts on Russian cybercrime forum XSS. Cybersecurity firm ZeroFox shared screenshots of a post offering tools cybercriminals could use to bypass EDR and antivirus solutions.
Cybersecurity experts from Kela added that r1z had a good reputation on XSS and had offered working exploits of several security products.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.