Former engineer pleads guilty to Windows domain compromise and extortion plot at New Jersey industrial company

1 unique source, 1 article

Summary

A former core infrastructure engineer pleaded guilty to remotely compromising a Windows domain at his employer, an industrial firm in Somerset County, New Jersey, by deleting dozens of domain admin accounts, locking out thousands of users, and scheduling mass shutdowns to extort the company. Between November 9 and November 25, 2023, Daniel Rhyne used an unauthorized administrator account to schedule tasks via Windows Task Scheduler on the domain controller, altering 13 domain admin and 301 user passwords and preparing to affect 3,284 workstations and 254 servers. On November 25, he sent a ransom email demanding 20 bitcoin (~$750,000 at the time) or daily server shutdowns, falsely claiming backups were deleted to prevent recovery. The plot began to unravel when administrators received password reset notifications and discovered domain admin accounts had been deleted, cutting off domain-wide administrative access. Investigators found Rhyne had researched log-clearing, password changes, and account deletion techniques at least one week prior using both his laptop and a hidden virtual machine.

Timeline

  1. 03.04.2026 12:04 · 1 article

    Windows domain compromise with extortion demands attributed to insider engineer

    On November 25, 2023, a former infrastructure engineer remotely locked out domain administrators at a New Jersey industrial company by deleting domain admin accounts and resetting credentials via scheduled tasks on the Windows domain controller. The attacker then sent an extortion email demanding 20 bitcoin (worth ~$750,000) under threat of disabling 40 servers daily for ten days. Forensic analysis tied the pre-attack reconnaissance to the defendant’s use of both a laptop and a hidden virtual machine to research privilege escalation and log evasion techniques.

Information Snippets

  • Daniel Rhyne, 57, a former core infrastructure engineer, pleaded guilty to remotely accessing and compromising his employer’s Windows domain without authorization.

    First reported: 03.04.2026 12:04
    1 source, 1 article
  • Rhyne used his admin account to schedule tasks on the Windows domain controller between November 9 and 25, 2023, including deleting 13 domain admin accounts and changing passwords for 13 other domain admins and 301 domain users to "TheFr0zenCrew!".

  • He also scheduled password changes for four local admin accounts projected to impact 3,284 workstations and 254 servers, and added shutdown tasks affecting random devices in December 2023.

  • On November 25, 2023, Rhyne sent a ransom email titled "Your Network Has Been Penetrated", demanding 20 bitcoin (~$750,000 at the time) under threat of disabling 40 servers daily for ten days.

  • Forensic analysis revealed Rhyne researched techniques for clearing Windows logs, changing domain user passwords, and deleting domain accounts using both his laptop and a hidden virtual machine at least one week before the attack.

  • Court filings state that shortly after the attack began, administrators received password reset notifications and discovered all other domain admin accounts had been deleted, denying domain administrator access company-wide.

  • Rhyne was arrested in Missouri on August 27, 2024, and released after his initial federal court appearance; guilty pleas carry a maximum penalty of 15 years' imprisonment.
