
Two new extortion crews are speedrunning the Scattered Spider playbook

30 April 2026 at 11:00

A pair of persistent and problematic threat groups affiliated with The Com are actively targeting organizations across multiple critical infrastructure sectors for rapid data theft and extortion attacks, according to CrowdStrike.

The financially-motivated attackers, which CrowdStrike tracks as Cordial Spider and Snarky Spider, have used voice-phishing and social engineering attacks to break into victims’ identity platforms and traverse SaaS environments since at least October 2025, the company said in a report Thursday, which it shared exclusively with CyberScoop prior to release. 

Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said the subgroups composed of native English speakers primarily target U.S.-based organizations in the academic, aviation, retail, hospitality, automotive, financial services, legal and technology sectors.

This “new wave of ecrime threat actors” is closely aligned with Scattered Spider and linked to other subsets of The Com, including SLSH and ShinyHunters, Meyers said.

Because these attacks target identity systems and can expose data in other connected services beyond the initial breach point, it’s difficult to determine how many victims have been caught up in these campaigns. 

CrowdStrike’s warning closely follows research Palo Alto Networks’ Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center shared last week about Cordial Spider’s string of attacks targeting organizations in the retail and hospitality industry, among others. 

Cordial and Snarky Spider have set lures via voice calls, text messages and emails directing targeted employees to phishing pages posing as their employer’s legitimate single sign-on page or primary identity provider, researchers said.

These phishing pages, which capture credentials, session keys or tokens, depending on the workflow, provide attackers an entry point into systems, which they exploit for widespread access across victims’ entire SaaS ecosystems.

Attackers use these initial hooks to remove and establish multi-factor authentication devices, then delete emails and other alerts that would otherwise warn organizations of potential malicious activity, researchers said. 

The data-theft-for-extortion campaigns share striking similarities, but CrowdStrike said the tactics, techniques and procedures for each subgroup are distinct. These variances include hours of operation, phishing domain providers, preferred operating systems, data leak sites, and the tools or devices used to register for multi-factor authentication.

The domain for BlackFile, Cordial Spider’s data-leak site, was offline as of Wednesday, according to Meyers.

CrowdStrike declined to put a range on the groups’ extortion demands, but Unit 42 previously said demands from Cordial Spider, which is also tracked as CL-CRI-1116 and UNC6671, are typically in the seven-figure range.

Some victims that didn’t pay extortion demands have been subjected to DDoS attacks, and Snarky Spider has used more aggressive follow-on harassment tactics, including the swatting of victim organizations’ employees, Meyers said. 

CrowdStrike said Cordial and Snarky Spider also use residential proxy networks — including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica and NSOCKS — to evade IP-based detection and blend in with typical traffic. 

Residential proxy networks, which rely on IP addresses assigned to real home users, can serve a legitimate purpose, but researchers have been warning that unethical or outright criminal operators are abusing these networks to build and support botnets, cybercrime campaigns, espionage and other malicious activity.

Cordial and Snarky Spider haven’t achieved the impact or technical capability of Scattered Spider, but the groups share many commonalities and objectives, Meyers said. 

“They’ve kind of taken their playbook and they’re using a lot of their techniques, but we haven’t really seen the technical sophistication demonstrated by them that we saw from Scattered Spider,” he said. “It’s kind of the new generation of Scattered Spider.”

The post Two new extortion crews are speedrunning the Scattered Spider playbook appeared first on CyberScoop.

BlackFile actively extorting data-theft victims in retail and hospitality sector

27 April 2026 at 10:18

Researchers warn that BlackFile, an extortion group likely associated with The Com, continues to impersonate IT support in voice-phishing and social engineering attacks that have impacted organizations in multiple industries, including healthcare, technology, transportation, logistics, wholesale and retail.

Attackers have been actively targeting organizations in the retail and hospitality industry since February, according to Unit 42’s latest intelligence on the campaign, which the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) released alongside indicators of compromise Thursday.

The threat group, which is also tracked as CL-CRI-1116, UNC6671 and Cordial Spider, appears to be targeting victims opportunistically in a campaign that remains active and ongoing, Matt Brady, senior principal researcher at Palo Alto Networks’ Unit 42, told CyberScoop. 

“The core objective of these threat actors is to pressure targeted organizations into paying large ransom demands, typically in the seven-figure range,” Brady said.

Unit 42 declined to say how many organizations have been impacted thus far, and RH-ISAC did not respond to a request for comment.

BlackFile’s attacks against companies in the retail and hospitality sector are part of a broader wave of voice-phishing attacks initiated by multiple cybercrime groups, which Google Threat Intelligence Group and Okta warned about in January. 

Unit 42 also noted that BlackFile’s activities overlap with an ongoing data theft and extortion campaign CrowdStrike has been tracking as Cordial Spider since at least October 2025.

Yet, the threat group’s tactics have been far from cordial. RH-ISAC said some attackers have swatted company personnel, including executives, to increase leverage and pressure victims to pay their ransom demands. 

The threat group lures victims via voice-phishing attacks and phishing pages mimicking corporate single sign-on services to steal credentials before moving into privileged accounts.

“They scrape internal employee directories to obtain contact lists for executives,” RH-ISAC wrote in a blog post. “By compromising these senior accounts via further social engineering, they gain persistent, broad-spectrum access to the environment that mirrors legitimate executive session activity.”

The group’s unauthorized access and data theft for extortion activity spans SaaS environments, Microsoft Graph API permissions, Salesforce API access, internal repositories, SharePoint sites and datasets containing employees’ phone numbers and business records.

BlackFile also created a data-leak site to extort victims that it claims ignored or failed to agree to its demands, according to researchers. 

Brady said Unit 42 has observed relatively consistent activity from the threat group since February. 

RH-ISAC advises organizations to manage multi-factor identity verification for callers and limit the IT support actions that can be completed in a single call without escalation to management.


North Carolina tech worker found guilty of insider attack netting $2.5M ransom

19 March 2026 at 21:46

A 27-year-old North Carolina man was found guilty of six counts of extortion for a series of crimes he committed while working as a data analyst contractor for a D.C.-based international technology company, the Justice Department said Thursday.

Cameron Nicholas Curry, also known as “Loot,” stole a trove of corporate data, including sensitive employee and compensation information, which he used to extort his employer, according to court records. Curry ultimately made off with approximately $2.5 million from the victim organization in January 2024.

The insider attack underscores immeasurable risks companies accept when employees, or contractors placed in roles by a third-party recruitment company, as was the case with Curry, are allowed to access sensitive data on a company-owned laptop. Officials did not name the company.

Curry used his access to the company’s network to remove corporate data for extortion while he worked for the company between August and December 2023. Immediately following his last day of employment with the company, Curry started sending threatening emails to its employees and demanded a ransom in exchange for not leaking the data and for destroying it.

Officials said he sent more than 60 emails to various employees and executives over a six-week period, threatening to disclose the company’s payroll data, claiming it showed significant pay inequity across the workforce. In those emails, Curry framed the data theft extortion attack as an effort to implement salary transparency.

“Loot and our partners aim to ensure that everyone is being paid accordingly, providing employees with the leverage they deserve while also adhering to federal government regulations on protected acts,” Curry wrote in one of the emails, according to the indictment.

Curry included attachments with the emails containing screenshot images of spreadsheets listing the personally identifiable information of company employees. Officials said he also warned the company he would provide employees instructions on how to address pay discrimination through mediation, the Equal Employment Opportunity Commission or a class-action lawsuit.

Some of the extortion emails got personal, including a claim that one person on the legal team wasn’t getting a bonus while most employees in high-level positions did receive bonuses. Curry also threatened to report the breach to the Securities and Exchange Commission, citing rules that require public companies to disclose cyberattacks quickly. 

The publicly traded company notified the FBI of the breach on Dec. 14, 2023, and paid Curry’s ransom demand almost a month later.

Multiple operational security mistakes helped authorities identify and build a case against Curry rather quickly. He used personal and verifiable data to establish a new Coinbase account, and two of the debit cards linked to the account Curry established to receive a ransom belonged to his mother and sister.

Authorities searched Curry’s apartment, digital devices and vehicle in Charlotte, North Carolina, just weeks after the ransom was paid. He was arrested and released on bond in late January 2024. 

Officials said Curry initiated his extortion scheme after he learned his contract with the company wouldn’t be renewed. He faces up to 12 years in prison at sentencing.



The ransomware economy is shifting toward straight-up data extortion

16 March 2026 at 06:00

Ransomware remains a scourge that shows some signs of relenting, but incident responders and threat hunters are busier than ever as more financially-motivated attackers lean exclusively on data theft for extortion.

Attacks that only involve data theft for extortion may not be more prevalent than traditional ransomware, in which attackers encrypt systems, but momentum is moving in that direction, Genevieve Stark, head of cybercrime intelligence at Google Threat Intelligence Group, told CyberScoop.

“When you look at the actors in the English-speaking underground, those actors are almost all just focusing on data-theft extortion right now,” Stark added. This includes groups like Scattered Spider, ShinyHunters, Clop and other groups that have been responsible for some of the largest and farthest-reaching attacks over the past few years.

Google Threat Intelligence Group’s research report on ransomware, which it shared exclusively and discussed with CyberScoop prior to release, underscores how the evolution and spread of cybercrime can cloud a collective understanding of ransomware, or attacks that use malware to encrypt or lock systems. 

Ransomware attacks also often include data theft as an additional pressure point for extortion — occurring in 77% of ransomware intrusions Google observed last year, up from 57% in 2024 — but it’s not technically ransomware unless encryption is involved. 

“Over the past several years we’ve seen a gradual increase in the overall percentage of directly observed financially motivated incidents that involved only data theft extortion incidents, growing from around 2% of incidents in 2020 to more than 15% of incidents in 2025,” said Bavi Sadayappan, senior threat intelligence analyst at GTIG.

“In the same time span, the percentage of incidents involving ransomware deployment has fluctuated. We’ve seen a decrease in ransomware incidents in the past year, with 39% of incidents involving ransomware in 2024 compared to 31% in 2025,” she added.

The company declined to say how many ransomware attacks it responded to in 2025. “We hesitate sharing the number of cases that we work on, in terms of a quantitative number, because it’s so difficult for everybody to agree on what constitutes one incident versus two,” said Chris Linklater, practice leader at Mandiant. “Anecdotally, we’re staying very busy.”

Stark acknowledged that significant challenges prevent the industry from developing a clear, comprehensive picture of ransomware’s true scale and impact. Insight is largely confined to what individual incident response firms see in their own cases, and what information is shared is typically provided case by case rather than in a centralized way.

“We’re not doing a great job as an industry in looking at the volume. I think that we’re overly dependent on things like the volume of data-leak sites, which have a lot of problems,” she said.

The increase in data extortion is likely driving an increase in these posts. At the same time, some threat clusters are making non-credible claims or recycling previous breaches and claiming them as their own work. “Data-leak sites as a measure is actually pretty poor, and I think that as an industry we’ve over-relied on that,” Stark said.

Yet, the data is still useful for gauging certain trends, such as shifts in targeting or an increase in alleged attacks on specific sectors or regions, researchers said.

For what it’s worth, Google said the number of posts on data leak sites jumped 48% from the year prior to 7,784 posts in 2025. Meanwhile, the number of unique data leak sites climbed almost 35% over the same period to 128 sites with at least one post.

Google’s report also focuses on the tactics and shifts it observed during its response to ransomware attacks last year, including the most common ways attackers broke into systems, the most prominent ransomware families and increased targeting of virtualization infrastructure.

Exploited vulnerabilities were the top initial access vector in ransomware attacks last year, accounting for a third of all incidents, followed by various forms of web compromise and stolen credentials. Attackers most commonly exploited vulnerabilities in widely used virtual private networks and firewalls from Fortinet, SonicWall, Palo Alto Networks and Citrix, researchers said.

Zach Riddle, principal threat intelligence analyst at GTIG, said this doesn’t reflect a growing trend as much as a recurring cycle of different initial access vectors, which rise and fall year to year for various reasons.

Google specifically called out 13 vulnerabilities, many disclosed years ago, ranking those defects among the top exploited vulnerabilities for ransomware attacks last year. Three of those vulnerabilities affect Fortinet products, followed by two from Microsoft, two from Veritas, and one each from SonicWall, Citrix, SAP, Palo Alto Networks, CrushFTP and Zoho.

Stolen credentials were the initial access point in 21% of ransomware intrusions last year, and attackers often used those credentials to authenticate to a victim’s VPN or Remote Desktop Protocol login, Google said in the report.

Attackers are also confronting more challenges in deploying ransomware once they break into victim networks. “We’re actually seeing a decrease in successful ransomware deployment,” Sadayappan said. Google observed a year-over-year decline from 54% in 2024 to 36% last year.

Another landmark change reflected in ransomware activity in 2025 involves increased targeting of virtualization infrastructure, such as VMware ESXi hypervisors. Attackers targeted these environments in 43% of ransomware intrusions last year, up from 29% in 2024.

“It lets the attacker hit a huge number of systems with a very small amount of effort,” Linklater said, adding that “it makes the investigation significantly harder to accomplish, because a lot more of the forensic evidence is lost when those hypervisors are attacked.”

The most prominent ransomware families in 2025 included Agenda, Redbike, Clop, Playcrypt, Safepay, Inc, RansomHub and Fireflame, according to Google. The most active ransomware brands last year included Qilin, Akira, Clop, Play, Safepay, Inc, Lynx, RansomHub, DragonForce and Sinobi.


Nigerian man sentenced to 8 years in prison for running phony tax refund scheme

18 February 2026 at 18:47

A 37-year-old Nigerian man was sentenced to eight years in prison for participating in a five-year cybercrime spree to steal money from the U.S. government through fraudulent tax returns, the Justice Department said Wednesday.

Matthew Abiodun Akande was living in Mexico when he and at least three co-conspirators broke into the networks of tax preparation firms, stole sensitive data on their clients and filed fraudulent tax returns, claiming tax refunds with victims’ personal data, according to court records. 

Akande and his co-conspirators filed more than 1,000 fraudulent tax returns seeking more than $8.1 million in phony tax refunds during a five-year period ending in June 2021, prosecutors said. The crew collectively obtained more than $1.3 million in fraudulent tax refunds.

Officials said Akande also advanced the scheme by sending phishing emails to five Massachusetts-based tax preparation firms that were designed to trick employees into downloading remote access trojan malware, including Warzone RAT. Four of those firms were listed as victims in the indictment.

Akande has been in detention since he was arrested at Heathrow Airport in the United Kingdom in October 2024 and extradited to the United States in March 2025. A month later, Akande pleaded guilty to all 33 counts in the indictment prosecutors filed against him in July 2022.

His crimes include conspiracy to obtain unauthorized access to protected computers, wire fraud, unauthorized access to protected computers, theft of government money, and aggravated identity theft.

Akande and his alleged co-conspirators — Kehinde Hussein Oyetunji, a Nigerian national living in North Dakota, and two people that prosecutors declined to name — directed the fraudulent tax refunds to be deposited in U.S. bank accounts. Co-conspirators living in the United States withdrew some of the stolen money in cash then, at Akande’s direction, transferred a portion of the funds to third parties in Mexico, officials said.

In a sentencing memo submitted to the court, Akande’s lawyer insisted his client was not living an extravagant lifestyle in Mexico. Yet, he was ordered to pay almost $1.4 million in restitution as part of his sentencing.



A new wave of ‘vishing’ attacks is breaking into SSO accounts in real time

26 January 2026 at 18:48

Threat hunters and researchers are racing to contain a wave of voice-phishing attacks targeting single sign-on tools, already leading to data theft and extortion attempts. Multiple cybercrime groups are combining voice calls and advanced phishing kits to trick victims into handing over access — including a group identifying itself as ShinyHunters, which has publicly named alleged targets and posted samples of stolen data.

The attacks share common characteristics with previous campaigns attributed to ShinyHunters, which has abused third-party vendors to gain initial access to multiple company networks, including the attack spree that impacted more than 700 Salesforce customer environments last fall.

“Mandiant is tracking a new, ongoing ShinyHunters-branded campaign using evolved voice phishing techniques to successfully compromise SSO credentials from victim organizations, and enroll threat actor controlled devices into victim multifactor authentication solutions,” Charles Carmakal, chief technology officer at Mandiant Consulting, said in an email to CyberScoop.

“This is an active and ongoing campaign,” Carmakal added. “After gaining initial access, these actors pivot into SaaS environments to exfiltrate sensitive data. An actor that identifies as ShinyHunters has approached some of the victim organizations with an extortion demand.”

Cybercriminals are registering custom domains that mimic legitimate single sign-on portals used by targeted companies, then deploying tailored voice-phishing kits to call victims while remotely controlling which pages appear in the victim’s browser. This lets the attackers sync their spoken prompts with multifactor-authentication requests in real time, increasing the likelihood the victim approves or enters the needed codes on cue.

Okta, one of the single sign-on providers targeted by this campaign, on Thursday released threat intelligence on phishing kits observed in this campaign and others. Attackers appearing to be aligned with ShinyHunters have attempted to extort targeted organizations on behalf of a specific initial access broker that used one of these phishing kits.

Brett Winterford, vice president at Okta Threat Intelligence, said researchers have observed at least two phishing kits that demonstrate the real-time capability to mimic the authentication flows of identity providers. 

“This creates a more compelling pretext for asking the user to share credentials and accept multifactor authentication challenges,” he told CyberScoop.

“Okta Threat Intelligence has observed multiple phishing kits developed for the needs of voice phishing operators, each with dedicated panels for impersonation of Google, Microsoft and Okta sign-in flows, as well as cryptocurrency providers,” Winterford added.

A spokesperson for Microsoft said the company has nothing to share on the campaign. Meanwhile, a Google spokesperson said: “At this time, we have no indication that Google itself or its products are affected by this campaign.”

Security experts noted the attacks don’t involve a vulnerability in single sign-on vendors’ products or infrastructure, but rather a persistent weak point in identity and access management. Targeted victims are once again being duped into sharing their credentials with attackers.

These phishing kits allow cybercriminals without deep technical skills to buy the tooling and focus on targeting people and processes, said Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center. 

“While these campaigns occur often, the difference here is the amount of success in the recent campaign is slightly higher. That’s likely because of the believable content and the use of voice phishing versus just phishing,” she said.

“If you’re getting a call and it’s personalized and it’s changing in real time — that feels believable, that’s a different element that people don’t necessarily have their guard up for.”

Investigation ongoing into scope

It’s unclear how many organizations have been impacted by the campaign. A ShinyHunters-branded data leak site, which is currently down, previously listed at least three victims, including two companies that publicly confirmed they were impacted by recent attacks.

SoundCloud said some personally identifiable data on about 20% of its user base, roughly 36 million people, was compromised by an attack it first discovered in mid-December. The company insists sensitive data wasn’t exposed and did not name the attackers, but said users, employees and partners have been flooded with threatening emails. 

“We are aware that a threat actor group has published data online allegedly taken from our organization,” Sade Ayodele, senior director of communications at SoundCloud, said in an email. “Our security team — supported by leading third-party cybersecurity experts — is actively reviewing the claim and published data.”

Betterment, a financial services company, said an attacker gained access to some of its systems via social engineering on Jan. 9. The company said customer data was stolen, but no accounts were accessed and customer credentials weren’t compromised.

The attacker also quickly used access to Betterment’s systems to send a fraudulent cryptocurrency offer to some customers. Betterment did not respond to a request for comment.

Threat intelligence suggests additional victims have been targeted and potentially impacted. Sophos researchers are tracking a cluster of about 150 malicious domains established starting last month, including some used in voice phishing campaigns resulting in data theft and ransom notes demanding a payment, said Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit.

“We can’t confirm that they have all been used but the threat actors are creating target-specific domains, themed to reflect single sign-on services and impersonating authentication providers like Okta,” Pilling said. The fake domains impersonate organizations in the education, real estate, energy, financial services and retail sectors.

While one of the groups behind this campaign identifies itself as ShinyHunters, researchers have yet to confirm that claim or formally attribute the attacks to a specific group or person. 

“ShinyHunters typically has a mix of real victims and recycled information or exaggerated claims,” Kaiser said. 

Moreover, the names adopted or reused by some cybercriminals have lost relevance, said Ian Gray, vice president of intelligence at Flashpoint.

A cybercriminal or group can use any username they choose and apply that to a data-leak site, but that doesn’t prove a direct link. 

“While ShinyHunters have claimed credibility for the campaign,” Gray said, “it is equally important that we examine the tactics, techniques and procedures being employed and how they relate to previous campaigns.”


Opexus claims background checks missed red flags on twins accused of insider breach

15 December 2025 at 13:53

Opexus admits it missed key red flags when it hired twins Muneeb and Sohaib Akhter, as it failed to learn about crimes the brothers pleaded guilty to in 2015, including wire fraud and conspiring to hack into the State Department — offenses committed while they were contractors for federal agencies. The federal government contractor nonetheless maintains it conducted seven-year background checks before hiring the brothers in 2023 and 2024.

Opexus fired them in February, minutes before they allegedly stole and destroyed government data in retaliation. The background checks were “consistent with prevailing government and industry standards with additional requirements for more sensitive work. That said, we fully acknowledge that additional diligence should have been applied,” a spokesperson for Opexus told CyberScoop. 

Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Dec. 3 for allegedly committing a series of insider attack crimes during a weeklong window in February that ultimately compromised data from multiple federal agencies, including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission. 

Opexus said it decided to terminate the twins’ employment upon learning of their prior criminal history, but it did not explain how it became aware of their previous crimes nor what prompted a deeper look into their past. The brothers’ previous crimes were widely reported at the time, including details that are readily available via search engine queries on their respective names.

The Washington-based company, which provides services and hosts data for more than 45 federal agencies, admits it made multiple mistakes in the hiring and termination of Muneeb and Sohaib Akhter.

“As with the onboarding, the terminations were not handled in an appropriate manner,” the company spokesperson said. 

“While these individuals passed background checks at the time, this incident made clear that our screening protocols needed to be even more robust,” the spokesperson added. “We have since enhanced our vetting processes and implemented additional safeguards designed to strengthen the protection of the systems and information we manage.”

Muneeb Akhter allegedly accessed Opexus’ computer network five minutes after he was fired. Within an hour, he allegedly deleted approximately 96 databases storing U.S. government information hosted by Opexus, including sensitive investigative files and records related to Freedom of Information Act matters, prosecutors said in an indictment. 

That evening, Muneeb Akhter also allegedly deleted a Homeland Security production database, copied more than 1,800 files belonging to EEOC and stole copies of IRS records including personally identifiable information on at least 450 people.

Opexus said it later addressed the errors that had allowed the twins to keep accessing company computers and systems under its care after their termination, rather than cutting off that access immediately. The spokesperson said the company took “appropriate corrective actions and reinforced training across the human resources function to ensure strict adherence to our standard operating procedures going forward.”

The company said it took other measures in response to these insider attacks that are designed to prevent similar outcomes.

“The individuals responsible for hiring the twins are no longer employed by Opexus, and we have since strengthened our screening protocols across the organization,” the spokesperson said. “These enhancements include expanding our standard background check to 10 years, along with additional safeguards that are now embedded into our standard hiring process.”

Opexus also said it supported customers impacted by the internal breach by helping them restore data and providing resources and subject matter expertise for their internal reviews. “The security of our customers’ information is our No. 1 priority, and we remain committed to continuous improvement in our hiring, compliance and internal controls,” the spokesperson said. 

The company said it’s grateful for law enforcement’s actions on this matter, adding that it appreciates that Muneeb and Sohaib Akhter are being held accountable for their alleged crimes. 

Sohaib Akhter faces up to six years in prison for password trafficking and conspiracy to commit computer fraud and destroy records. 

Muneeb Akhter is charged with conspiracy to commit computer fraud and destroy records, two counts of computer fraud, theft of U.S. government records and two counts of aggravated identity theft. He faces a mandatory minimum penalty of four years in prison for identity theft and up to 45 years in prison for the other charges.

The post Opexus claims background checks missed red flags on twins accused of insider breach appeared first on CyberScoop.

Twins with hacking history charged in insider data breach affecting multiple federal agencies

3 December 2025 at 18:52

Twin brothers Muneeb and Sohaib Akhter were arrested in Alexandria, Va., Wednesday for allegedly stealing and destroying government data held by a government contractor minutes after they were fired from the company earlier this year, the Justice Department said.

Prosecutors accuse the 34-year-old brothers of committing the crimes during a weeklong spree in February, compromising data from multiple federal agencies including the Department of Homeland Security, Internal Revenue Service and the Equal Employment Opportunity Commission.

Authorities did not name the federal government contractor, which provides services and hosts data for more than 45 federal agencies, but the company was previously identified as Washington-based Opexus in a Bloomberg report about the insider attack earlier this year. Opexus did not immediately respond to a request for comment.

The brothers are no strangers to law enforcement, the hacking community and government contract work. They previously pleaded guilty in 2015 to wire fraud and conspiring to hack into the State Department and other crimes while they were employed as contractors for federal agencies. Muneeb Akhter was sentenced to 39 months in prison and Sohaib Akhter was sentenced to 24 months in prison at that time.

An investigation aided by more than 20 federal agencies and specialized units alleges the brothers were back at it a decade later, committing cybercrime with privileged access and technical expertise gained from their employment at a government contractor.

“These defendants abused their positions as federal contractors to attack government databases and steal sensitive government information,” Matthew R. Galeotti, acting assistant attorney general with the Justice Department’s Criminal Division, said in a statement. “Their actions jeopardized the security of government systems and disrupted agencies’ ability to serve the American people.”

Muneeb Akhter is accused of deleting approximately 96 databases storing U.S. government information hosted by Opexus, including sensitive investigative files and records related to Freedom of Information Act matters, prosecutors said in an indictment. 

Muneeb Akhter also allegedly deleted a Homeland Security production database, copied more than 1,800 files belonging to EEOC and stole copies of IRS records including personally identifiable information on at least 450 people. 

Authorities also accused Muneeb Akhter of using an artificial intelligence tool for assistance throughout his alleged conspiracy, querying the tool for advice on how to clear system logs from SQL servers after deleting databases and how to clear all event and application logs from Microsoft Windows Server 2012. 

Prosecutors in the U.S. District Court for the Eastern District of Virginia charged Muneeb Akhter with conspiracy to commit computer fraud and destroy records, two counts of computer fraud, theft of U.S. government records and two counts of aggravated identity theft. He faces a mandatory minimum penalty of four years in prison for identity theft and up to 45 years in prison for the other charges. 

Sohaib Akhter is accused of trafficking in a password that could access an Opexus computer used by EEOC. He faces up to six years in prison for password trafficking and conspiracy to commit computer fraud and destroy records. 

The brothers allegedly cleaned their residence in anticipation of a law enforcement raid and wiped their employer-owned computers by reinstalling the operating system.

“Federal contractors who abuse their positions will be held accountable for their actions,” Joseph V. Cuffari, inspector general at the Department of Homeland Security, said in a statement. “The actions of individuals like Muneeb and Sohaib Akhter are threats to our national security.”

You can read the full indictment below.

The post Twins with hacking history charged in insider data breach affecting multiple federal agencies appeared first on CyberScoop.
