
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Jordanian National Pleads Guilty to Selling Access to Compromised Enterprise Networks

A Jordanian national has pleaded guilty in a United States federal court to selling unauthorized access to dozens of compromised corporate networks. The case highlights how access brokerage—selling footholds into victim environments—has become a foundational layer of modern cybercrime operations. By monetizing initial access rather than deploying malware directly, actors like this enable ransomware, espionage, and data theft at scale.
Context
The sale of compromised network access has evolved into a mature underground economy. Rather than executing full attacks themselves, access brokers specialize in breaching organizations and reselling entry points to other criminal groups. These services lower the barrier to entry for cybercrime and accelerate large-scale attacks against enterprises across sectors.
Law enforcement agencies increasingly target these intermediaries, as disrupting access brokers can prevent downstream ransomware and extortion campaigns.
What Happened
Feras Khalil Ahmad Albashiti, a 40-year-old Jordanian national residing in the Republic of Georgia, pleaded guilty to selling unauthorized access to at least 50 organizations’ networks.
Operating under the online alias “r1z,” Albashiti advertised and sold access through a cybercrime forum known for trafficking malware and stolen credentials. In May 2023, he sold access to dozens of victim networks to an undercover law enforcement officer who had infiltrated the forum during an ongoing investigation.
Court records indicate Albashiti accepted payment in cryptocurrency for the access he sold.
He was arrested in Georgia, extradited to the United States in July 2024, and charged by the US Department of Justice with fraud and related activity involving access credentials. Sentencing is scheduled for May 11, with a potential penalty of up to 10 years in prison and fines of up to $250,000 or twice the financial impact of the crime.
Technical Breakdown
The crime centered on “initial access” sales—providing buyers with valid credentials or remote access into enterprise environments.
Such access is commonly obtained through:
Credential theft via phishing or malware
Exploitation of exposed remote services
Abuse of weak authentication controls
Once sold, this access can be used by buyers to deploy ransomware, steal sensitive data, or conduct long-term espionage operations.
Impact Analysis
While individual victims were not named publicly, access to 50 corporate networks represents a significant downstream risk. Each compromised environment could have enabled further breaches, operational disruption, or data exfiltration by secondary threat actors.
This model amplifies harm by separating intrusion from exploitation, allowing multiple attacks to stem from a single initial compromise.
Why It Matters
Access brokers sit at the center of the modern cybercrime supply chain. Targeting them disrupts multiple attack paths simultaneously and raises costs for ransomware groups and other malicious actors.
The case also demonstrates law enforcement’s growing ability to infiltrate underground forums and conduct covert operations against credential traffickers.
Expert Commentary
Security researchers have repeatedly warned that access resale markets are a force multiplier for cybercrime. Even moderately skilled actors can purchase access and launch high-impact attacks without developing their own intrusion capabilities.
From a defensive standpoint, this underscores the importance of detecting early-stage compromises before access can be monetized.
Key Takeaways
Selling initial access is a core component of modern cybercrime
One broker can enable dozens of downstream attacks
Cryptocurrency remains a preferred payment method for access sales
Law enforcement is increasingly targeting access brokers
Early detection and credential hygiene are critical defenses

