Jordanian initial access broker pleads guilty to helping target 50 companies

Summary

Feras Albashiti, a 40-year-old Jordanian national who operated under the alias “r1z,” pleaded guilty to selling network access and malware to cybercriminals. According to the indictment, Albashiti sold access to at least 50 companies via exploits of firewall and other vulnerabilities, and later supplied powerful malware capable of disabling multiple endpoint detection and response (EDR) products. An undercover FBI agent purchased tools and access, paying $5,000 for initial exploits and $15,000 for one version of the EDR-killing malware. The FBI traced activity to Albashiti’s IP address and linked it to a June 2023 ransomware attack that caused around $50 million in damage to a US manufacturing firm. Albashiti was extradited from Tbilisi, Georgia, in July 2024 and faces up to 10 years in prison; sentencing is set for May.

Key Points

  • Albashiti pleaded guilty to selling access to the networks of at least 50 companies under the username “r1z.”
  • An undercover FBI agent bought a cracked penetration-testing tool, network access via firewall exploits ($5,000), and EDR-bypassing malware ($15,000).
  • The malware purchased was described by the FBI as novel and highly effective at compromising networks, and could disable three different EDR products.
  • Investigators linked Albashiti’s IP address to a June 2023 ransomware attack against a US manufacturer that caused roughly $50 million in damage.
  • The r1z account was previously flagged by cybersecurity firms and agencies (Fortinet, HHS, Health-ISAC, ZeroFox, Kela) as a credible threat actor selling working exploits and illicit tools, including unauthorised Cobalt Strike builds and compromised Confluence servers (CVE-2022-26134).
  • Albashiti was traced through an email address tied to a 2016 US visa application and other accounts; he was extradited to the US in July 2024 and will be sentenced in May.

Context and Relevance

Initial access brokers (IABs) like “r1z” are pivotal in the cybercrime supply chain: they gain entry to victim networks and sell that access to ransomware operators and other threat actors. This case highlights two worrying trends: the commercial availability of highly effective EDR-bypass malware, and the continued exploitation of critical product vulnerabilities (e.g. Confluence CVE-2022-26134). The FBI’s use of undercover purchases demonstrates how law enforcement can both attribute and disrupt these markets, but it also shows the scale of damage that access brokers enable when their tools are weaponised by other criminals.

Why should I read this?

Short version: crooks were selling working EDR-killers and access that led to a ~$50M ransomware hit. If you care about defending networks or buying security tech, this is exactly the kind of playbook you need to know — quick, grim and useful.

Source

Source: https://therecord.media/guilty-plea-initial-access-broker-r1z