Feras Albashiti, a Jordanian national operating under the alias “r1z”
on the XSS Russian-language cybercrime forum, was identified by the FBI and KELA
Cyber Intelligence as one of the most prolific initial access brokers (IABs) operating
in the ransomware ecosystem in 2024. With over 1,600 forum posts demonstrating deep
technical fluency and active engagement in the criminal market, Albashiti sold
remote code execution (RCE)-level access to more than 50 companies across the
United States, Europe, and Mexico - access that was purchased by ransomware
affiliates who subsequently deployed their payloads against the compromised targets.
The FBI’s undercover operation, in which an agent posed as a buyer and purchased
access from r1z, provided the evidentiary foundation for identifying and charging
Albashiti. His toolkit included exploitation of firewall vulnerabilities for initial
network penetration, distribution of cracked versions of Cobalt Strike (a commercial
red-team command-and-control platform that is also widely abused by criminal
operators), and an endpoint detection and response (EDR) killer tool designed to
disable the security software that would otherwise detect and terminate his
activities. Poor operational security (OPSEC) practices
ultimately enabled investigators to link his online alias to his real identity -
a cautionary illustration of the forensic fragility of even experienced cybercriminal
operations.
## Key Facts
- **What:** Jordanian hacker "r1z" sold network access to 50+ companies for ransomware groups.
- **Who:** Corporations across the USA, Europe, and Mexico were compromised.
- **Data Exposed:** Network credentials, internal systems, and corporate data for ransomware deployment.
- **Outcome:** FBI undercover sting identified Feras Albashiti; criminal charges filed.
## What Was Exposed
- RCE-level access to more than 50 corporate networks across the USA, Europe, and Mexico - access that provided ransomware affiliates a ready-made foothold from which to deploy encryption payloads and exfiltrate data
- Internal network credentials, session tokens, and administrative access obtained through firewall exploitation and subsequent lateral movement within victim environments
- The implicit exposure of every victim organization's proprietary data, customer records, financial systems, and intellectual property to whatever the purchasing ransomware affiliate subsequently chose to steal or encrypt
- Infrastructure detail - network architecture, security tool deployments, and Active Directory configurations - that r1z assembled during his reconnaissance dwell time within victim networks before listing access for sale
- The EDR configurations and deployed security tooling of each victim organization, enabling purchasers to plan their operations with knowledge of what defenses they would need to defeat
- Potential link to at least one major ransomware attack through infrastructure connections identified by investigators, suggesting that r1z's access sales contributed directly to significant data loss events beyond the 50+ confirmed compromises
Initial access brokers occupy a specialized but critical niche in the modern ransomware
ecosystem. Rather than conducting end-to-end attacks themselves - from initial
exploitation through ransomware deployment and ransom negotiation - IABs focus
exclusively on the intrusion phase, developing expertise in specific exploitation
techniques and scaling their operations by selling access to multiple buyers. This
specialization mirrors legitimate marketplace economics: IABs develop and monetize
a scarce skill set while ransomware affiliates, who may have stronger capabilities
in lateral movement and encryption deployment, purchase the costly and risky
initial access phase from specialists. The result is a supply chain for corporate
intrusions that is more efficient and more resilient than a model where every
attacker must conduct every phase of the attack independently.
The XSS forum on which r1z operated is a predominantly Russian-language cybercriminal
marketplace that has been a central venue for ransomware affiliate recruitment,
malware distribution, and access sales since its 2018 launch as the successor to the
DaMaGeLaB forum. An account with 1,600+
posts represents a significant investment of time and effort and signals an established
reputation within the criminal community - a vendor with that posting history
has demonstrated consistent delivery of claimed capabilities to buyers, building the
trust that criminal marketplaces require for high-value transactions. For r1z to
accumulate this forum presence, he must have been operating continuously for
months or years, conducting repeated successful intrusions against corporate targets
and building a clientele of ransomware affiliates who returned for repeat purchases.
The specific technical capabilities r1z offered illuminate the vulnerability landscape
that corporate defenders must prioritize. Firewall exploitation as an initial access
vector reflects a broader trend identified across the threat intelligence industry:
perimeter security appliances - including VPN concentrators, next-generation
firewalls, and unified threat management devices from major vendors - have
become primary targets for exploitation because they are internet-facing, often
run older firmware due to operational update inertia, and their compromise provides
immediate access to internal network segments. High-profile vulnerabilities in Fortinet,
Ivanti, Cisco, and Palo Alto devices in 2023 and 2024 were exploited within hours or
days of public disclosure - and several were already being exploited as zero-days
before any patch existed - and IABs like r1z build automation around these
exploits to scale their intrusion operations.
The distribution of cracked Cobalt Strike is a further indicator of r1z’s
position in the criminal ecosystem. Cobalt Strike is a commercial red-team platform
legitimately licensed to security professionals, but cracked and modified versions
have circulated in criminal communities for years, enabling attackers to use its
sophisticated command-and-control, lateral movement, and payload staging capabilities
without paying the legitimate license fee. KELA’s investigation found that
r1z was not merely using cracked Cobalt Strike for his own operations but was
distributing it to other criminal actors - an indicator of his role as a
capability supplier within the broader ecosystem, not merely an individual operator.
The EDR killer tool distributed by r1z represents one of the most sophisticated and
dangerous elements of his toolkit. EDR platforms - including CrowdStrike Falcon,
Microsoft Defender for Endpoint, SentinelOne, and their competitors - are
the primary detective and preventive control that modern organizations rely upon to
identify and terminate ransomware deployment in progress. An EDR killer that
successfully terminates these agents before the ransomware payload is deployed
effectively blinds the victim organization at the moment of maximum danger.
The existence and distribution of such a tool demonstrates that criminal actors
have specifically engineered countermeasures to the security investments that
organizations have made in response to the ransomware threat - an adversarial
adaptation that security teams must actively monitor and prepare to detect through
secondary means.
The FBI undercover operation that ultimately identified r1z represents a sophisticated
law enforcement engagement with the dark web criminal marketplace. By posing as a
buyer and purchasing access from r1z - thereby receiving both the access itself
and the forensic evidence of the transaction - the FBI was able to gather
evidence of criminal intent that would be difficult to establish through passive
observation alone. The OPSEC failures that enabled the attribution of r1z to Feras
Albashiti are not detailed in public reporting, but KELA’s analysis suggests
the connection between the online alias and the individual was established through
a combination of digital infrastructure analysis, forum metadata, and potentially
information from other investigations or cooperative sources.
## Regulatory Analysis
The r1z case intersects Jordan’s legal framework at several points. As a Jordanian
national, Albashiti’s activities are governed by Jordanian criminal law in
addition to whatever legal exposure he faces in the jurisdictions where his victims
are located. The Cybercrime Law No. 17/2023 - which replaced the 2015 law with
expanded offense categories and enhanced prosecutorial powers - squarely encompasses
the conduct attributed to r1z. The law criminalizes unauthorized access to information
systems, the development and distribution of malicious software, and participation in
organized criminal activity involving cyber offenses. Each access sale that r1z
conducted would constitute a distinct criminal act under the 2023 law, and the
distribution of cracked Cobalt Strike and EDR killer tools would likely constitute
a malicious software distribution offense.
The 2023 law’s expanded prosecutorial powers are relevant here. Under the previous
2015 framework, the public prosecutor’s ability to initiate proceedings without
a victim complaint was limited. The 2023 law expanded this authority, enabling the
Jordanian public prosecutor to act on cybercrime matters affecting the national interest
without waiting for individual victims - many of whom are foreign companies with
no practical means of filing a complaint in Jordan - to initiate the process.
This change is particularly significant for IAB cases where the direct victims are
distributed across multiple foreign jurisdictions and may be unaware that the initial
access to their networks originated from a Jordanian operator.
The international dimension of the r1z case creates a complex jurisdictional picture.
The FBI’s investigation and the criminal complaint are U.S. proceedings targeting
a Jordanian national whose victims are primarily located in the USA, Europe, and Mexico.
Jordan’s extradition relationship with the United States is governed by a bilateral
treaty, and Jordan has cooperated with U.S. law enforcement on cybercrime matters in
the past. However, extradition of own nationals is a legally and politically sensitive
matter in many jurisdictions, and the practical resolution of the r1z case -
whether through U.S. prosecution, Jordanian prosecution, or some combination -
depends on diplomatic as well as legal factors. The NCSC and Jordanian law enforcement
agencies have developed cybercrime investigation capabilities, but the sophistication
required to conduct independent investigation of an IAB operating on Russian-language
dark web forums represents a significant technical challenge.
From the perspective of the 50+ corporate victims, none of whom appear to be Jordanian
entities, the direct regulatory consequence of the r1z operation falls under the data
protection and cybersecurity laws of the jurisdictions where they operate. EU-based
victims face GDPR breach notification obligations; U.S. victims face sector-specific
notification requirements under HIPAA, SEC incident-disclosure rules for public
companies, and state breach notification laws.
But the r1z case carries an important lesson for Jordanian policymakers: the country
is home to technically capable threat actors who are directly enabling some of the
most damaging ransomware attacks globally, and the reputational and diplomatic consequences
of Jordan being identified as an operational base for IABs create a strong policy incentive
to develop robust domestic cybercrime investigation and prosecution capabilities.
## What Should Have Been Done
The r1z case illuminates both the corporate defensive failures that enabled 50+
organizations to be compromised and the policy failures that allowed an IAB of
this scale to operate without domestic detection or intervention. The recommendations
flow in both directions - to the corporate victims whose inadequate controls
made them viable targets, and to Jordanian policymakers whose legal and institutional
framework did not detect or deter this activity.
For corporate defenders, the r1z toolkit highlights firewall exploitation as the primary
risk requiring immediate attention. Organizations must treat their perimeter security
appliances as high-value targets that warrant continuous vulnerability management,
not merely periodic maintenance. Every internet-facing firewall, VPN concentrator,
or unified threat management device should be subject to an aggressive patch management
policy that applies vendor security updates within 24 to 48 hours of release for
critical vulnerabilities. Because several of the appliance flaws exploited in 2023 and
2024 were used before a fix existed, patching alone is not sufficient: management
interfaces must not be reachable from the internet, administrative logins should be
restricted to dedicated jump hosts, and appliance logs must be forwarded off-box in
real time, since an attacker who controls the device can disable or wipe its local
logs. Organizations should subscribe to vendor security advisories and threat
intelligence feeds that provide advance warning of exploitation activity targeting
specific products, enabling pre-emptive action before a CVE is weaponized at scale
by operators like r1z. Network monitoring should include detection rules for the
specific indicators of compromise associated with perimeter device exploitation,
including anomalous authentication attempts, unexpected outbound connections from
firewall management interfaces, and configuration changes not initiated through
authorized change management processes.
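The three perimeter-device indicators named above (anomalous management logins, unexpected egress from the management interface, and out-of-process configuration changes) as a small triage script. This is an added example, not code from the original page or from any vendor: the key=value log format, the record types (auth/conn/config), the allowlists and the maintenance window are all assumptions, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in a generic key=value syslog style. The record
# types (auth/conn/config) and field names are assumptions for this example,
# not any vendor's real log format; map your appliance's fields onto them.
SAMPLE_LOGS = """\
2024-05-02T01:12:03Z fw01 auth user=admin src=203.0.113.45 iface=mgmt result=failure
2024-05-02T01:12:09Z fw01 auth user=admin src=203.0.113.45 iface=mgmt result=failure
2024-05-02T01:12:15Z fw01 auth user=admin src=203.0.113.45 iface=mgmt result=failure
2024-05-02T01:12:21Z fw01 auth user=admin src=203.0.113.45 iface=mgmt result=failure
2024-05-02T01:12:40Z fw01 auth user=admin src=203.0.113.45 iface=mgmt result=success
2024-05-02T01:13:10Z fw01 conn iface=mgmt dir=out dst=198.51.100.7 dport=443 proto=tcp
2024-05-02T01:13:12Z fw01 conn iface=mgmt dir=out dst=192.0.2.10 dport=514 proto=udp
2024-05-02T01:14:00Z fw01 config user=admin change=add-admin-account ticket=-
2024-05-02T09:00:00Z fw01 config user=netops change=rule-edit ticket=CHG-1042
2024-05-02T09:05:00Z fw01 auth user=netops src=10.0.5.20 iface=mgmt result=success
"""

# Site policy (assumed values): admin logins only from the jump-host subnet,
# management-plane egress only to the syslog collector, config changes only
# with a change ticket and inside the 08:00-11:59 UTC maintenance window.
MGMT_SOURCE_PREFIXES = ("10.0.5.",)
MGMT_EGRESS_ALLOWLIST = {"192.0.2.10"}
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=5)
MAINT_HOURS_UTC = (8, 12)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Split 'timestamp host kind k=v k=v ...' into a dict; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, kind, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["host"], fields["kind"] = host, kind
    return fields


def triage(log_text):
    """Return (rule, *details) tuples for every suspicious record, in log order."""
    findings = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for e in filter(None, map(parse_line, log_text.splitlines())):
        if e["kind"] == "auth" and e.get("iface") == "mgmt":
            key = (e["user"], e["src"])
            if e["result"] == "failure":
                failures[key].append(e["ts"])
                continue
            # A successful management login: check its origin and any
            # burst of failures that preceded it (guessing, then success).
            if not e["src"].startswith(MGMT_SOURCE_PREFIXES):
                findings.append(("mgmt-login-from-unexpected-source", e["user"], e["src"]))
            recent = [t for t in failures[key] if e["ts"] - t <= FAILURE_WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                findings.append(("success-after-failure-burst", e["user"], e["src"], len(recent)))
            failures[key].clear()
        elif e["kind"] == "conn" and e.get("iface") == "mgmt" and e.get("dir") == "out":
            # The management plane should only ever reach known infrastructure;
            # anything else is a likely reverse shell or tooling download.
            if e["dst"] not in MGMT_EGRESS_ALLOWLIST:
                findings.append(("unexpected-mgmt-egress", e["dst"], e["dport"]))
        elif e["kind"] == "config":
            in_window = MAINT_HOURS_UTC[0] <= e["ts"].hour < MAINT_HOURS_UTC[1]
            if e.get("ticket", "-") == "-" or not in_window:
                findings.append(("config-change-outside-change-control", e["user"], e["change"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

On the constructed lines the script raises four findings: the admin login from a non-jump-host address, that same login arriving after four failures inside the window, the management-interface connection to 198.51.100.7:443, and the ticketless account addition at 01:14 UTC; the netops activity inside the maintenance window is silent. The important design point is that this runs on logs that have already left the appliance: a rule that depends on the device's own local log store will be blinded by the same attacker it is meant to catch.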
Detection of cracked Cobalt Strike and EDR killer activity requires security controls
that operate independently of the endpoint security tools that the attacker will attempt
to disable. Network-based detection - through an NDR (network detection and
response) platform that monitors for Cobalt Strike beacon communication patterns, such
as regularly spaced check-ins from one host to a single external address, even when the
endpoint agent has been killed - provides a defensive layer that survives EDR
termination. Security operations centers should also maintain alert rules for the
Windows event log signatures associated with EDR killers, which commonly load a
vulnerable signed driver (the "bring your own vulnerable driver" technique) to
terminate protected security processes from kernel mode: a new kernel-driver service
installed from an unusual path (System event 7045), security product services entering
the stopped state (event 7036) or terminating unexpectedly (event 7034), process
creation events (Security event 4688) showing sc, net stop or taskkill invoked against
security product services, deletion of security agent files, and registry modifications
to disable security tool autostart entries. These events should trigger immediate
incident response, as they are high-fidelity indicators of an active attacker who has
already achieved administrative access.
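Both detections from the paragraph above, as an added example that is not part of the original page or of any NDR or EDR product: a beacon-periodicity check over connection records (the low coefficient of variation that a sleeping Cobalt Strike beacon produces, which this example generalizes to any periodic C2 check-in), and a scan of Windows event records for the EDR-killer signatures listed above. The flow records, the event records, the driver path and the service name "drvhelper" are constructed; the EDR service names are the well-known Windows service names of those products and should be extended for your estate.

```python
import re
import statistics

# Well-known Windows service names of common EDR/AV agents: CrowdStrike
# CSAgent, Defender for Endpoint Sense, Defender Antivirus WinDefend,
# SentinelOne SentinelAgent. Extend this set for the products you run.
SECURITY_SERVICES = {"csagent", "sense", "windefend", "sentinelagent"}
TAMPER_CMD_RE = re.compile(
    r"\b(sc(?:\.exe)?\s+(?:stop|delete|config)|net(?:\.exe)?\s+stop|taskkill)\b", re.I)
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed flow records: (seconds since capture start, src, dst, bytes_out).
# Pair A is a beacon sleeping ~60 s with a little jitter; pair B is a user browsing.
FLOWS = (
    [(t, "10.0.8.15", "203.0.113.77", 312)
     for t in (0, 57, 112, 170, 226, 280, 339, 395, 450, 508)]
    + [(t, "10.0.8.16", "198.51.100.30", n) for t, n in
       ((0, 1440), (3, 900), (43, 5120), (45, 700), (165, 2200),
        (170, 810), (171, 64000), (471, 950), (479, 300), (494, 1200))]
)


def beacon_candidates(flows, min_count=8, max_cv=0.25):
    """Flag (src, dst) pairs whose inter-connection intervals are suspiciously regular.

    A sleeping beacon checks in at near-constant intervals (Cobalt Strike's
    default jitter only shortens the sleep by a bounded percentage), so the
    coefficient of variation (stdev / mean) of the gaps stays low; human-driven
    traffic to a site does not.  Requires min_count connections to avoid
    flagging short, coincidentally regular bursts.
    """
    by_pair = {}
    for ts, src, dst, _ in flows:
        by_pair.setdefault((src, dst), []).append(ts)
    out = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        if cv <= max_cv:
            out.append({"pair": pair, "connections": len(times), "cv": round(cv, 3)})
    return out


# Constructed Windows event records (already parsed from the System and
# Security channels); the driver path and "drvhelper" service are made up.
EVENTS = [
    {"channel": "System", "id": 7045, "ServiceName": "drvhelper",
     "ImagePath": "C:\\Users\\Public\\drvhelper.sys", "ServiceType": "kernel mode driver"},
    {"channel": "System", "id": 7036, "ServiceName": "CSAgent", "State": "stopped"},
    {"channel": "Security", "id": 4688, "CommandLine": "sc.exe stop SentinelAgent"},
    {"channel": "Security", "id": 4688, "CommandLine": "notepad.exe C:\\Users\\a\\notes.txt"},
    {"channel": "System", "id": 7036, "ServiceName": "Spooler", "State": "stopped"},
    {"channel": "System", "id": 7045, "ServiceName": "netvsc",
     "ImagePath": "C:\\Windows\\System32\\drivers\\netvsc.sys", "ServiceType": "kernel mode driver"},
]


def edr_tamper_findings(events):
    """Host-side signals that an EDR killer is at work: a kernel-driver service
    installed from outside the drivers directory (BYOVD staging), a security
    service entering the stopped state, or a process stopping/deleting one."""
    findings = []
    for ev in events:
        eid = ev.get("id")
        if eid == 7045 and "kernel" in ev.get("ServiceType", "").lower():
            if not ev["ImagePath"].lower().startswith(DRIVER_DIR):
                findings.append(("kernel-driver-from-unusual-path", ev["ServiceName"], ev["ImagePath"]))
        elif eid == 7036 and ev.get("State") == "stopped":
            if ev["ServiceName"].lower() in SECURITY_SERVICES:
                findings.append(("security-service-stopped", ev["ServiceName"]))
        elif eid == 4688:
            cmd = ev.get("CommandLine", "")
            if TAMPER_CMD_RE.search(cmd) and any(s in cmd.lower() for s in SECURITY_SERVICES):
                findings.append(("security-service-tamper-command", cmd))
    return findings


if __name__ == "__main__":
    print(beacon_candidates(FLOWS))
    for finding in edr_tamper_findings(EVENTS):
        print(finding)
```

The beacon check flags only the 10.0.8.15 to 203.0.113.77 pair (ten connections, CV near 0.03), while the browsing pair's erratic gaps put it far above the threshold; the host check returns the out-of-place driver install, the stopped CSAgent service and the sc stop against SentinelAgent, and ignores the Spooler stop and the in-place Hyper-V driver. Because the network check needs nothing from the endpoint, it keeps working after the agent is gone; the event-log check only works if the host's logs are forwarded before the attacker clears them.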
For Jordanian policymakers and law enforcement, the r1z case demonstrates the need
for specialized cybercrime investigation units with dark web monitoring capabilities.
KELA’s threat intelligence - a commercial service - identified r1z
as a significant criminal actor through systematic monitoring of criminal forums and
analysis of tradecraft patterns. Jordan’s NCSC and law enforcement agencies
should develop or procure equivalent monitoring capabilities, enabling domestic
identification of Jordanian nationals operating in IAB, ransomware affiliate, or
other cybercriminal roles before foreign law enforcement agencies conduct the
investigation that embarrasses Jordan internationally. The National Cybersecurity
Strategy 2024-2028, launched in conjunction with the NCSC’s annual
report, should explicitly address the development of proactive threat intelligence
and cybercrime prosecution capabilities.
The r1z case reveals that Jordan is not merely a passive victim of the global
ransomware ecosystem - it is also a source of the initial access that enables
attacks against companies worldwide, and the inadequacy of domestic detection and
prosecution capabilities means that operators of this type can build substantial
criminal careers before foreign law enforcement intervention forces accountability.