A Jordanian national is awaiting sentencing in the United States after admitting to a central role in a string of cybercrime activities that targeted dozens of American companies. The case highlights how modern cyberattacks are often enabled not by a single hacker, but by an underground marketplace where access to corporate networks is bought and sold like a commodity.
Feras Khalil Ahmad Albashiti, 40, pleaded guilty to acting as an initial access broker, a figure who specializes in finding weak points in corporate systems and selling those entry points to other criminals. Prosecutors say Albashiti’s actions helped enable cyber intrusions against at least 50 U.S.-based organizations, many of which later faced serious operational and financial harm.
The crimes took place largely in 2023 and involved exploiting security vulnerabilities, bypassing protective systems, and advertising unauthorized access through cybercrime forums frequented by ransomware groups and other attackers.
Operating in Plain Sight While Living in the United States
Court documents show that Albashiti was living in the state of Georgia during the period when the offenses occurred. Despite residing openly in the U.S., he allegedly conducted his illegal activities online using the alias “r1z,” a name he used to promote his services on underground forums.
Investigators say Albashiti focused on selling what is known in cybercrime circles as “initial access.” This typically includes stolen login credentials, exposed network entry points, or detailed instructions on how to bypass security systems such as firewalls. Once inside a network, buyers of that access can deploy ransomware, steal sensitive data, or disrupt business operations.
This model has become increasingly common in recent years, allowing specialized criminals to focus on one part of an attack while others carry out the more destructive stages.
FBI Undercover Operation Uncovers the Scheme
Albashiti’s activities eventually drew the attention of U.S. law enforcement. On May 19, 2023, an undercover FBI agent posing as a cybercriminal contacted him through the same forum where he was advertising access to compromised networks.
Investigators noticed that Albashiti was offering entry into companies that relied on one of two widely used firewall products. Believing he was dealing with a fellow criminal, Albashiti agreed to sell access to multiple organizations in exchange for cryptocurrency.
The initial transaction was valued at roughly $5,000. After receiving payment, Albashiti provided sensitive technical details, including IP addresses, usernames, and step-by-step instructions for bypassing firewall protections. According to prosecutors, this information would have been sufficient for an attacker to enter the victims’ networks with minimal effort.
Additional Malware Sales Expand the Case
Rather than ending the operation with a single purchase, the undercover agent continued communicating with Albashiti to better understand the scope of his activities. Over time, additional deals were arranged that revealed a deeper level of involvement in cybercrime.
Prosecutors say the agent paid an additional $15,000 to acquire malware designed to disable endpoint detection and response (EDR) software, a key security layer used by organizations to detect and block cyberattacks. The agent also purchased separate malware intended to elevate user privileges, allowing attackers to gain broader control once inside a system.
To confirm that the EDR-disabling malware worked as advertised, Albashiti was asked to demonstrate it by connecting to a server controlled by the FBI. During that process, he unintentionally exposed his real IP address, a misstep that proved critical to the investigation.
Connection to High-Impact Ransomware Attack
The exposed IP address allowed investigators to link Albashiti to a previous ransomware incident involving an unnamed U.S. manufacturing company. According to court filings, that attack resulted in losses estimated at $50 million, underscoring the scale of damage that can stem from the sale of initial network access.
Although Albashiti was not separately charged with executing the ransomware attack itself, prosecutors pointed to the connection as evidence of the serious consequences of his actions and the type of criminal activity he helped enable.
The link further strengthened the government’s case by tying his online activities to real-world harm suffered by American businesses.
Digital Records Reveal the Man Behind the Alias
In addition to technical evidence, investigators followed a digital paper trail that helped confirm Albashiti’s identity. U.S. State Department records showed that he applied for a visa in 2016 using the same email address later associated with the r1z account on the cybercrime forum.
That email address was also linked to a Google Pay account, which had multiple credit cards connected to it. The names tied to those financial records matched Albashiti, providing investigators with corroborating evidence that he was the individual operating under the alias.
This combination of technical data, financial records, and government documentation allowed authorities to build a comprehensive case.
Albashiti was extradited from Georgia in July 2024 after legal proceedings related to his arrest were completed. He later entered a guilty plea in federal court, formally accepting responsibility for his role in facilitating unauthorized access to corporate networks across the United States.
He is scheduled to be sentenced on May 11, 2026. Under U.S. federal law, he faces a maximum prison sentence of 10 years, along with a potential fine of up to $250,000. The final sentence will be determined by the court.




