Broker who sold malware to the FBI set for sentencing

Summary

Feras Khalil Ahmad Albashiti, 40, a Jordanian national, has pleaded guilty to acting as an initial access broker (IAB) who facilitated cyberattacks against at least 50 US companies in 2023. Using the alias “r1z”, Albashiti sold network access and malware to buyers — including an undercover FBI agent — who paid a total of about $20,000 for IP lists, firewall-bypass instructions and EDR-disabling malware. During a demonstration of the EDR-killing tool he connected to an FBI-controlled server and revealed his IP, linking him to a ransomware incident that cost an unnamed US manufacturer roughly $50 million. Identified via a reused email address tied to visa records and payment accounts, Albashiti was extradited from Georgia in July 2024 and is due to be sentenced on 11 May 2026. He faces up to ten years in prison and a possible fine of $250,000.

Key Points

  • Albashiti operated as an initial access broker under the alias “r1z”, advertising access to companies that used specific firewall products.
  • An undercover FBI agent purchased access for $5,000 and later paid $15,000 for EDR-disabling malware and privilege-elevation tools.
  • The defendant’s live demonstration connected to an FBI server and exposed his IP, tying him to a major ransomware attack causing ~$50m in losses.
  • Investigators traced Albashiti using a reused email linked to State Department visa records and financial accounts.
  • He was extradited from Georgia in July 2024 and faces sentencing on 11 May 2026 — maximum ten years’ imprisonment and up to $250,000 in fines.

Why should I read this?

Short version: this is how a single broker can make it embarrassingly easy for ransomware gangs to wreck businesses. It’s a neat, real-world example of commoditised access — tiny transactions, huge damage. If you look after security or run a business, it explains why basic controls matter and why attackers pay for access rather than build it themselves.

Context and Relevance

The case highlights a persistent trend: the commercialisation of network access through IABs lowers the barrier for large-scale ransomware and intrusion campaigns. Law enforcement used a classic undercover buy to both unmask the broker and gather evidence linking him to destructive attacks. For defenders, the story underscores the importance of fundamentals — multi-factor authentication, up-to-date firewalls and EDR, network segmentation and monitoring of external-facing services — because attackers are increasingly buying, not inventing, their way in.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/01/19/iab_sentencing/