
Jordanian Cybercriminal Admits Selling Access to 50 Enterprise Networks

2 unique sources, 2 articles

Summary

Feras Khalil Ahmad Albashiti, a 40-year-old Jordanian national residing in Georgia, pleaded guilty in a US court to selling unauthorized access to at least 50 compromised enterprise networks. The access was sold to an undercover agent on an underground cybercriminal forum. Albashiti, known online as 'r1z,' received payment in cryptocurrency. He faces up to 10 years in prison and a $250,000 fine, with sentencing scheduled for May 11, 2026. The Justice Department's Office of International Affairs secured Albashiti's extradition from Georgia in July 2024. Initial access brokers like Albashiti are critical middlemen in the cybercrime ecosystem, providing other threat actors with the credentials needed to breach victims' networks and drop malicious tools to steal data, deploy ransomware, or conduct espionage.

Timeline

  1. 19.01.2026 15:48 · 2 articles

    Jordanian National Pleads Guilty to Selling Access to 50 Enterprise Networks

    Feras Khalil Ahmad Albashiti, known online as 'r1z,' admitted in a US court to selling unauthorized access to 50 enterprise networks. The access was sold to an undercover agent on an underground forum, with payment received in cryptocurrency. Albashiti was arrested in Georgia, extradited to the US in July 2024, and pleaded guilty to fraud-related charges. He faces up to 10 years in prison and a $250,000 fine, with sentencing scheduled for May 11, 2026. The Justice Department's Office of International Affairs secured Albashiti's extradition from Georgia in July 2024. Initial access brokers like Albashiti are critical middlemen in the cybercrime ecosystem, providing other threat actors with the credentials needed to breach victims' networks and drop malicious tools to steal data, deploy ransomware, or conduct espionage.

Similar Happenings

Credential Stuffing Attack on Fantasy Sports Betting Platform

A Minnesota man, Nathan Austad (online alias “Snoopy”), pleaded guilty to participating in a large-scale credential stuffing attack targeting a fantasy sports and betting platform. The attack compromised over 60,000 user accounts, resulting in financial losses of approximately $600,000 from around 1,600 victims. Austad and his co-conspirators used stolen login credentials to gain unauthorized access, draining account balances and selling access to compromised accounts on online marketplaces. Austad is the third defendant to plead guilty in this case, with two others, Joseph Garrison and Kamerin Stokes, previously convicted. Austad faces up to five years in prison, with sentencing scheduled for April 2026.

Marquis Software Solutions Ransomware Attack Exposes Data from 74 US Financial Institutions

Marquis Software Solutions, a financial software provider, suffered a ransomware attack on August 14, 2025, through a compromised SonicWall firewall. The breach impacted over 74 US banks and credit unions, exposing personal information of approximately 400,000 customers. The stolen data includes names, addresses, phone numbers, Social Security numbers, financial account information, and dates of birth. Marquis has since taken steps to enhance its security measures, but there is no evidence of data misuse or publication. The attack is suspected to be linked to the Akira ransomware gang, which has been targeting SonicWall VPN devices.

Yanluowang Ransomware Initial Access Broker Pleads Guilty

Aleksey Olegovich Volkov, a Russian national, pleaded guilty to acting as an initial access broker (IAB) for the Yanluowang ransomware group, facilitating attacks on at least eight U.S. companies between July 2021 and November 2022. Volkov breached corporate networks and sold access to the ransomware group, which encrypted victims' data and demanded ransoms ranging from $300,000 to $15 million. Investigators recovered chat logs, stolen data, and evidence linking Volkov to the attacks, including a potential connection to the LockBit ransomware gang. Volkov faces up to 53 years in prison and must pay over $9.1 million in restitution.

RaccoonO365 Phishing Network Disrupted by Microsoft and Cloudflare

The RaccoonO365 phishing network, a financially motivated threat group, was disrupted by Microsoft's Digital Crimes Unit (DCU) and Cloudflare. The operation, executed through a court order in the Southern District of New York, seized 338 domains used by the group since July 2024. The network targeted over 2,300 organizations in 94 countries, including at least 20 U.S. healthcare entities, and stole over 5,000 Microsoft 365 credentials. Authorities in Nigeria have arrested three individuals linked to the RaccoonO365 phishing-as-a-service (PhaaS) scheme, including Okitipi Samuel, also known as Moses Felix, identified as the principal suspect and developer of the phishing infrastructure. The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) collaborated with Microsoft and the FBI in the investigation, seizing laptops, mobile devices, and other digital equipment linked to the operation. The stolen data was used to fuel more cybercrimes, including business email compromise, financial fraud, and ransomware attacks.

The Nigerian police arrested three individuals linked to targeted Microsoft 365 cyberattacks via the RaccoonO365 phishing platform. The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide. The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI. The authorities identified individuals who administered the phishing toolkit 'RaccoonO365,' which automated the creation of fake Microsoft login pages for credential theft. The service, which was responsible for at least 5,000 Microsoft 365 account compromises across 94 countries, was disrupted by Microsoft and Cloudflare last September. It is unclear if the disruption operation helped identify those behind RaccoonO365 in Nigeria.

One of the arrested suspects is an individual named Okitipi Samuel, also known online as 'RaccoonO365' and 'Moses Felix,' whom the police believe is the developer of the phishing platform. Samuel operated a Telegram channel where he sold phishing kits to other cybercriminals in exchange for cryptocurrency, while he also hosted the phishing pages on Cloudflare using accounts registered with compromised credentials. The Telegram channel counted over 800 members around the time of the disruption, and the reported access fees ranged from $355/month to $999/3 months. Cloudflare estimates that the service is used primarily by Russia-based cybercriminals. Regarding the other two arrested individuals, the police stated they have no evidence linking them to the RaccoonO365 operation or creation. The person whom Microsoft previously identified as the leader of the phishing service, Joshua Ogundipe, is not mentioned in the police’s announcement.

ShinyHunters and Scattered Spider Collaboration

The ShinyHunters and Scattered Spider collaboration has escalated with a new extortion campaign targeting PornHub Premium members, following the Mixpanel data breach on November 8, 2025. ShinyHunters, confirmed as the perpetrator, stole 94GB of data containing over 200 million records of PornHub users' historical search, watch, and download activity from 2021 or earlier. The stolen data includes email addresses, video URLs, keywords, locations, and timestamps, which the group is now using to extort victims, including PornHub, via ransom demands. PornHub confirmed the breach impacted its Premium users but clarified that no passwords, payment details, or financial information were exposed and that the compromise stemmed from a third-party vendor (Mixpanel), not its own systems. Mixpanel has disputed the origin of the data, stating it was last accessed by a legitimate PornHub employee account in 2023 and that there is no evidence it was stolen during their November 2025 incident. This latest attack follows a year-long pattern of high-impact breaches by ShinyHunters and Scattered Spider, including the $107 million loss at the Co-operative Group (U.K.), Jaguar Land Rover’s operational shutdown, and breaches at Allianz Life, Farmers Insurance, and Workday, all exploiting Salesforce platform vulnerabilities. The groups have also targeted Almaviva/FS Italiane Group, Zendesk users, and now Mixpanel customers, demonstrating their ability to leverage third-party IT providers, cloud-based CRM systems, and analytics platforms to maximize data exposure. Despite arrests (e.g., Scattered Spider members Owen Flowers and Thalha Jubair) and claims of shutdowns, the threat persists, with authorities like the FBI and U.K. NCA issuing ongoing alerts as the groups adapt tactics, including smishing, OAuth token abuse, and AI-enhanced tooling to evade detection.

The Gainsight cyber-attack further expanded in late November 2025, with Salesforce confirming a larger, unspecified number of victims beyond the initial three disclosed. The breach involved unauthorized access via an AT&T IP address on November 8, followed by reconnaissance and intrusions using VPN services (Mullvad, Surfshark) and the Salesforce-Multi-Org-Fetcher/1.0 technique. Forensic investigations revealed the attackers exploited compromised multifactor credentials, prompting Gainsight to advise customers to rotate S3 keys, reset passwords, and re-authorize integrations. Meanwhile, the SLSH alliance unveiled ShinySp1d3r, a ransomware-as-a-service (RaaS) platform with advanced anti-forensic capabilities and network propagation tools, administered by core member Saif Al-Din Khader (aka Rey), who claims cooperation with law enforcement since June 2025. The alliance has been linked to 51 cyberattacks in the past year, combining RaaS, extortion-as-a-service (EaaS), and insider recruitment to maximize impact across sectors.