A federal jury has convicted Sohaib Akhter, 34, of Alexandria, Virginia, on charges of conspiracy to commit computer fraud, password trafficking, and illegal firearm possession after he and his twin brother Muneeb Akhter unlawfully deleted approximately 96 distinct federal government databases following their termination from a Washington, D.C.-based technology contractor. The contractor served more than 45 federal agencies and hosted sensitive client data on enterprise servers in Ashburn, Virginia. Sohaib faces a maximum statutory penalty of 21 years in prison at his September 9 sentencing hearing.

What Happened

The Akhter brothers were employed by a federal contracting firm that supported more than 45 U.S. government agencies. On February 18, 2025, the firm terminated both brothers. In the period that followed, the pair leveraged retained or improperly obtained access to the contractor's systems and deleted roughly 96 distinct databases containing critical federal government information. They were arrested in December 2025, and Sohaib was convicted at trial. The brothers also have prior federal convictions: in June 2015, they pleaded guilty to conspiracy to commit wire fraud and conspiracy to access protected and government computers without authorization in connection with an attempt to access State Department systems, with Muneeb subsequently sentenced to more than three years in prison.

What Was Taken

Court records confirm the destruction of approximately 96 federal government databases, including case management systems and Freedom of Information Act (FOIA) response processing software supporting numerous federal agencies. Beyond destruction, the pair also engaged in credential theft. On February 1, 2025, Muneeb requested the plaintext password of a complainant using the Equal Employment Opportunity Commission (EEOC) Public Portal; Sohaib then executed an unauthorized query against the primary EEOC database, extracted the credential, and handed it to his co-defendant. The compromised data ecosystem touched sensitive federal client information across dozens of agencies hosted on the contractor's enterprise infrastructure.

Why It Matters

This case is a textbook example of catastrophic insider threat realized at the third-party contractor layer, the same trust boundary that has produced some of the most damaging federal compromises in recent memory. Ninety-six destroyed databases is not a data theft incident; it is a continuity-of-operations event for the affected agencies, with downstream impact on case adjudication, FOIA processing, and inter-agency workflows. The credential extraction from EEOC further demonstrates that contractor staff with privileged database access can pivot from routine queries to targeted exploitation of citizens' personally identifiable information. For defenders, the incident underscores that termination is a high-risk window and that contractor environments serving multiple agencies create concentrated, asymmetric blast radius.

The Attack Technique

According to court records, the brothers accessed internal computer systems without authorization, write-protected administrative environments to lock out legitimate operators, deleted vital databases, and systematically destroyed forensic evidence of their intrusion. The credential trafficking component was straightforward abuse of privileged database access: a direct query against the EEOC primary database to extract a plaintext user password, which was then passed between conspirators. The destructive phase appears to have leveraged retained administrative reach into the contractor's enterprise servers in Ashburn, Virginia, after employment had been terminated. Indicators of an insider sabotage pattern include the write-protection of admin environments, mass database deletion across distinct tenants, and deliberate anti-forensics activity.

What Organizations Should Do

  1. Treat termination as a privileged access incident: revoke all credentials, API keys, VPN profiles, jump host access, cloud IAM roles, and database accounts within minutes, not days, and verify revocation through automated attestation.
  2. Eliminate plaintext password storage and direct DBA access to credential fields. Enforce hashed/salted credential storage, and route any legitimate credential reset workflow through audited service accounts that cannot return cleartext.
  3. Implement immutable, offline, and cross-tenant-segregated backups for any database supporting federal or regulated workloads, with restoration time objectives validated through regular tabletop and live recovery exercises.
  4. Deploy database activity monitoring (DAM) and privileged access management (PAM) with behavioral analytics tuned to detect mass-delete operations, write-protection toggles, and out-of-pattern administrative queries against sensitive tables.
  5. Enforce dual-control (two-person integrity) for destructive administrative actions on production databases and for any change to backup retention or admin write-protection settings.
  6. Audit contractor environments serving multiple agencies for tenant isolation, separation-of-duties enforcement, and the existence of independent forensic logging that cannot be altered by privileged operators.
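
As an added illustration of recommendations 1 and 4 (not code from the case record or from any vendor product), the sketch below checks a database audit trail against an HR offboarding feed and flags both activity after the termination timestamp and a burst of destructive operations across distinct databases. The log format, account names, database names, timestamps, window and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (hypothetical format; not taken from the case).
TERMINATIONS = {"ctr_admin1": datetime(2030, 1, 10, 16, 0)}  # HR offboarding feed
AUDIT_LOG = """\
2030-01-10T15:40:00 ctr_admin1 SELECT agency_a_cases
2030-01-10T16:55:00 ctr_admin1 DROP_DATABASE agency_a_cases
2030-01-10T16:56:10 ctr_admin1 DROP_DATABASE agency_b_foia
2030-01-10T16:57:30 ctr_admin1 DROP_DATABASE agency_c_cases
2030-01-10T17:05:00 dba_ops2 DROP_DATABASE staging_tmp
"""

DESTRUCTIVE = {"DROP_DATABASE", "DROP_TABLE", "TRUNCATE"}

def parse(log):
    """Yield (timestamp, account, action, target) from whitespace-separated lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, action, target = line.split()
        yield datetime.fromisoformat(ts), account, action, target

def detect(log, terminations, window=timedelta(minutes=10), threshold=3):
    """Return alerts for post-termination activity and mass-delete bursts."""
    alerts = []
    recent = defaultdict(list)  # account -> [(ts, target)] of destructive ops in window
    for ts, account, action, target in sorted(parse(log)):
        cutoff = terminations.get(account)
        # Any session activity after offboarding means revocation did not take effect.
        if cutoff is not None and ts > cutoff:
            alerts.append(("post_termination_access", account, ts.isoformat(), target))
        if action in DESTRUCTIVE:
            ops = [(t, d) for t, d in recent[account] if ts - t <= window]
            ops.append((ts, target))
            recent[account] = ops
            # Fire once, at the moment the distinct-target count reaches the threshold.
            if len({d for _, d in ops}) == threshold:
                alerts.append(("mass_delete", account, ts.isoformat(), target))
    return alerts

if __name__ == "__main__":
    for alert in detect(AUDIT_LOG, TERMINATIONS):
        print(alert)
```

The check is only as trustworthy as its inputs: the audit trail should come from the independent, operator-immutable logging described in recommendation 6, not from logs the monitored accounts can edit.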

Sources: Sohaib Akhter Convicted in Government Database Deletion - TechNadu