A 40-year-old Jordanian man has admitted to selling unauthorized access to computer networks of at least 50 companies, the US Attorney’s Office of the District of New Jersey has announced.
Feras Khalil Ahmad Albashiti pleaded guilty last Thursday to fraud and related activity in connection with access devices.
“In May 2023, law enforcement officers were investigating an online forum where malware and malicious code was being offered for sale. Albashiti controlled an online moniker named ‘r1z’ and used it in the online forum,” the press release says.
“On May 19, 2023, Albashiti sold to an undercover law enforcement officer unauthorized access to the networks of at least 50 victim companies in exchange for cryptocurrency.”
The court documents don’t mention the name of the underground forum, but older reports by a number of cybersecurity companies show that r1z was a “credible” threat actor that advertised on the notorious Russian-language XSS Forum, which was taken down in July 2025 when its suspected administrator was arrested in Ukraine.
The threat actor was spotted offering 30 SonicVPN and 50 Microsoft Exchange accesses with a ‘working exploit’ on XSS Forum in June 2022, according to Kela threat researchers.
“Interestingly, three months before, r1z claimed that they can sell ‘the implementation of CVE-2021-42321’, which is known as Microsoft Exchange security vulnerability. Therefore, it is possible that r1z had a working custom exploit for this CVE that was later used by [r1z] for gaining access,” the researchers noted.
“The same month, r1z was observed selling access to 50 American companies through ‘Confluence’. The actor also offered to sell a list of 10,000 vulnerable machines. As seen on a screenshot shared by the actor, the hacker was able to gain access to servers using a critical RCE vulnerability tracked as CVE-2022-26134 that affects Confluence Server and Data Center. The list offered for sale probably included machines that could be exploited through the same flaw.”
CloudSEK reported that in February 2023, they spotted r1z promoting EDR/AVs malware that could also act as a persistent backdoor, credential harvester, malware dropper, and event log remover.
OpSec failures revealed r1z’s identity
According to a signed FBI affidavit, in 2023 r1z also offered for sale access to the computer networks of approximately 50 victim companies through the exploitation of two commercial firewall products, and an unauthorized software modification of a commercial penetration testing tool.
Contacted by an undercover FBI employee, r1z first sold them access to the above-mentioned 50 victim companies, and later an exploit that would bypass a specific EDR solution. Unfortunately for him, he (unknowingly) demonstrated its effectiveness on a server operated and monitored by the FBI.
This allowed the FBI to discover r1z’s (uncloaked) IP address, which was later connected to a ransomware attack against a US manufacturing company that resulted in $50+ million in damages.
Finally, the records obtained following the seizure of the defunct XSS Forum revealed that the Gmail address associated with r1z’s account was also used in 2016 by Albashiti to apply for a US visa with the US State Department, and that this email account is linked to a Google Pay Account and credit cards in the names of “Firas K. Bashiti” and “Firas Bashiti.”
At the time of his arrest, Albashiti was residing in the Republic of Georgia. He was extradited to the US in July 2024.
His sentencing is scheduled for May 11, 2026, when he could receive a maximum sentence of 10 years in prison and a maximum fine of $250,000, “or twice the gross amount of gains or losses resulting from the offense.”
