Global Cybercrime Supply Chain Targeted in FBI Undercover Sting

Last updated: January 20, 2026
  • A Jordanian man has been found guilty of acting as an initial access broker for internet attacks against American startups.

  • An undercover FBI agent bought network access and malware, including a tool that disables endpoint detection and response (EDR) systems, from the suspect for $20,000 in virtual currency.

  • The broker’s malware demonstration inadvertently exposed his IP address, tying him to a $50 million ransomware event.


A 40-year-old Jordanian named Feras Khalil Ahmad Albashiti admitted to facilitating digital attacks against up to 50 American firms. He operated from Georgia throughout 2023 and worked under the online alias r1z. His specialty was acting as an initial access broker, essentially a middleman who sells hackers the keys to corporate networks.

This criminal ecosystem exists in the hidden corners of the internet that are now being strategically leveraged by state actors for their own purposes, including recruitment, as demonstrated by MI6’s launch of a dark web portal to find secret agents.

The Undercover Purchase

On May 19, 2023, Albashiti made a sale that would unravel his entire operation. An undercover FBI agent noticed him advertising access to companies using specific firewall products. The agent made an initial purchase worth $5,000 in cryptocurrency.

What Albashiti delivered was a complete attack package: IP addresses and usernames, along with a detailed guide to circumventing the firewalls and infiltrating the victims’ networks.

The undercover agent came back for more, spending an additional $15,000 on specialized malware. This included a tool designed to disable endpoint detection and response systems. These EDR systems are critical security defenses that companies rely on to detect threats. The agent also purchased separate malware for escalating user privileges within compromised systems.

A Demonstration that Backfired

Here’s where Albashiti made his critical mistake. The undercover agent requested proof that the EDR-killing malware actually worked. Albashiti agreed to demonstrate it by connecting to what he believed was a test server. The FBI actually controlled that server.

The moment he connected, the system exposed his IP address. Court documents reveal this IP address linked him directly to a ransomware attack on an American manufacturing company. That single attack caused approximately $50 million in losses.

Law enforcement didn’t stop with the IP address. They dug deeper into Albashiti’s digital footprint. State Department records became crucial to confirming his identity. Prosecutors found that in 2016, Albashiti had applied for a visa using a specific email address. He used that same email address to sign up for the r1z account on the internet crime forum, where he marketed his services.

Investigators followed the digital breadcrumbs. A Google Pay account was linked to the email address, and multiple credit cards were connected to that account. Every single identifier pointed back to the same person: Feras Khalil Ahmad Albashiti.

Albashiti to Face Serious Consequences

In July 2024, Georgia deported Albashiti, and the court will sentence him on May 11, 2026. He could face up to 10 years in prison and fines totaling nearly $250,000.

This case exemplifies the important role that initial access brokers play in the wider “ransomware ecosystem”. Initial access brokers do not always instigate the attacks themselves, but rather sell access to other criminals, who use that access to launch devastating ransomware campaigns, data theft, and extortion.

This case also illustrates the FBI’s undercover operation against these criminal marketplaces and how law enforcement is going directly after these cybercriminals.

Cybercriminals (commonly known as “hackers”) working in the dark web do not realise they could potentially have the FBI working undercover within their operation. Cybercriminals may believe that the dark web provides complete anonymity, but a simple mistake may reveal countless incidents of their criminal behavior.

This tactic of undercover infiltration is a cornerstone of modern dark web investigations, targeting everything from hacking marketplaces to other grave crimes, as demonstrated in a recent sting where US Homeland Security aided in the arrest of two alleged child predators.


About the Author

Joahn G


Cyber Threat Journalist

Joahn is a cyber threat journalist dedicated to tracking the evolving landscape of digital risks. His reporting focuses on ransomware gangs, data breach incidents, and state-sponsored cyber operations. By analyzing threat actor motives and tactics, he provides timely intelligence that helps readers understand and anticipate the security challenges of tomorrow.
