Twin brothers Sohaib and Munib Akhter have been convicted in what prosecutors describe as the largest cyberattack ever launched against US government databases. The pair, former contractors at federal services provider Opexus, abused their privileged access to destroy 96 government databases and exfiltrate sensitive data in retaliation for being fired. They were arrested in December 2025 and have now been found guilty following a federal investigation.

What Happened

The Akhter brothers worked as federal contractors through Opexus, holding legitimate credentials and trusted access to sensitive government systems across multiple agencies. According to prosecutors, the destruction sequence began just six minutes after the official termination announcement was delivered. Within hours, the twins systematically wiped 96 databases belonging to various US departments, stole credentials, and exfiltrated agency files. Investigators determined the brothers also gained access to the records of the very federal investigator assigned to their case, demonstrating the depth of their unauthorized lateral movement.

This was not the brothers' first offense. In 2015, both pleaded guilty to fraud after compromising a cosmetics company's systems and stealing thousands of credit card numbers to fund personal vacations. Munib received a three-year sentence and Sohaib a two-year sentence at the time. Despite those convictions, they later secured roles handling sensitive federal systems through Opexus.

What Was Taken

The scope of compromise spans multiple federal agencies and citizen records:

Why It Matters

This case is a textbook insider threat scenario with national security implications. The window between termination and catastrophic action was six minutes, far shorter than most offboarding workflows are designed to handle. The breach demonstrates that federal contractor vetting failed to flag two individuals with prior felony cybercrime convictions, raising serious questions about contractor background check procedures for sensitive systems. The destruction of 96 databases across multiple agencies represents a level of data loss that could disrupt government services and citizen-facing functions for an extended recovery period.

The Attack Technique

The attack relied entirely on legitimate, pre-existing privileged access rather than exploitation of any technical vulnerability. Key elements:

What Organizations Should Do

  1. Trigger credential revocation simultaneously with the termination notification, never after. Treat the moment of notice as the start of the attack window.
  2. Implement just-in-time privileged access so administrative rights to production data require fresh approval rather than persisting indefinitely.
  3. Enforce dual-control or break-glass procedures for destructive database operations (mass deletes, table drops, schema changes).
  4. Run continuous background re-screening for personnel holding access to sensitive systems, with automatic flags for prior cybercrime convictions.
  5. Monitor for anomalous credential collection behavior, including bulk reads from credential stores, password managers, and authentication logs.
  6. Maintain offline, immutable backups of critical databases and rehearse restoration of dozens of systems in parallel, not just one at a time.
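The three detections below are an added example and not part of the original article or of any named product: they show how items 1, 3 and 5 of the list above can be expressed as checks over a database audit log. The HR termination feed and the audit events are constructed for illustration, and the field names (`ts`, `user`, `op`, `object`, `rows`, `approval`) and the row-count thresholds are assumptions rather than any real schema. The first check deliberately uses a zero grace period, since the case above turns on activity that began minutes after the notice.

```python
"""
Insider-threat detections over database audit events (added example, not
from the article). Correlates an HR termination notice with privileged
database activity and flags: activity after the notice (item 1), destructive
operations without dual-control approval (item 3), and bulk reads from a
credential store (item 5). All data and field names are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR feed: user -> time the termination notice was delivered.
TERMINATIONS = {
    "contractor_a": datetime(2025, 6, 3, 14, 0, 0),
}

# Constructed audit log. 'approval' is an assumed change-ticket field that is
# populated only when a second approver signed off on a destructive change.
AUDIT_LOG = [
    {"ts": datetime(2025, 6, 3, 13, 50), "user": "dba_ops", "op": "DROP_TABLE",
     "object": "staging.tmp", "rows": 0, "approval": "CHG-1001"},
    {"ts": datetime(2025, 6, 3, 14, 6), "user": "contractor_a", "op": "DROP_DATABASE",
     "object": "agency_records", "rows": 0, "approval": None},
    {"ts": datetime(2025, 6, 3, 14, 7), "user": "contractor_a", "op": "SELECT",
     "object": "vault.credentials", "rows": 4000, "approval": None},
    {"ts": datetime(2025, 6, 3, 14, 8), "user": "contractor_a", "op": "SELECT",
     "object": "vault.credentials", "rows": 3500, "approval": None},
    {"ts": datetime(2025, 6, 3, 14, 9), "user": "analyst_b", "op": "SELECT",
     "object": "vault.credentials", "rows": 2, "approval": None},
    {"ts": datetime(2025, 6, 3, 15, 0), "user": "analyst_b", "op": "DELETE",
     "object": "public.cases", "rows": 120000, "approval": None},
]

DESTRUCTIVE_OPS = {"DROP_DATABASE", "DROP_TABLE", "TRUNCATE", "ALTER_SCHEMA"}
MASS_DELETE_ROWS = 10_000                   # assumed threshold for a "mass delete"
CREDENTIAL_OBJECTS = {"vault.credentials"}  # assumed credential-store table
BULK_READ_ROWS = 5_000                      # assumed rows-per-window threshold
BULK_READ_WINDOW = timedelta(minutes=10)


def is_destructive(event):
    """Destructive = object/schema removal, or a DELETE touching many rows."""
    if event["op"] in DESTRUCTIVE_OPS:
        return True
    return event["op"] == "DELETE" and event["rows"] >= MASS_DELETE_ROWS


def post_termination_activity(audit_log, terminations):
    """Item 1: any activity by a user at or after their termination notice.
    No grace period: the notice itself is the start of the attack window."""
    return [e for e in audit_log
            if e["user"] in terminations and e["ts"] >= terminations[e["user"]]]


def unapproved_destructive_ops(audit_log):
    """Item 3: destructive operations carried out without a dual-control ticket."""
    return [e for e in audit_log if is_destructive(e) and not e["approval"]]


def bulk_credential_reads(audit_log, threshold=BULK_READ_ROWS, window=BULK_READ_WINDOW):
    """Item 5: users whose credential-store reads reach `threshold` rows within
    any sliding `window`. Returns {user: peak rows seen in one window}."""
    reads = defaultdict(list)
    for e in sorted(audit_log, key=lambda e: e["ts"]):
        if e["op"] == "SELECT" and e["object"] in CREDENTIAL_OBJECTS:
            reads[e["user"]].append((e["ts"], e["rows"]))
    flagged = {}
    for user, events in reads.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span covers at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            total = sum(rows for _, rows in events[start:end + 1])
            if total >= threshold:
                flagged[user] = max(total, flagged.get(user, 0))
    return flagged


def run_detections(audit_log=AUDIT_LOG, terminations=TERMINATIONS):
    """Return alert category -> sorted list of users that triggered it."""
    return {
        "post_termination": sorted({e["user"] for e in post_termination_activity(audit_log, terminations)}),
        "unapproved_destructive": sorted({e["user"] for e in unapproved_destructive_ops(audit_log)}),
        "bulk_credential_read": sorted(bulk_credential_reads(audit_log)),
    }


if __name__ == "__main__":
    for category, users in run_detections().items():
        print(f"{category}: {', '.join(users) or 'none'}")
```

Running the block flags the constructed `contractor_a` account under all three categories and `analyst_b` only for the unapproved mass delete, which illustrates why item 3 is worth enforcing on its own: a destructive change by an account that is not on any termination list still has no approval ticket behind it. In a real deployment the HR feed would be consumed from the identity system at the moment of notice rather than read from a dictionary.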

Sources: Hackers' revenge: fired brothers carry out largest attack on US government databases