A federal jury has convicted Sohaib Akhter, 34, of Alexandria, Virginia, of conspiracy to commit computer fraud, password trafficking, and illegal firearm possession. He and his twin brother Muneeb Akhter deleted approximately 96 federal government databases after being fired from a Washington, D.C.-based technology contractor that served more than 45 federal agencies.

What Happened

Sohaib and Muneeb Akhter were employed by a D.C.-based technology contractor that hosted sensitive federal client data on enterprise servers in Ashburn, Virginia. After the firm terminated both brothers on February 18, 2025, the pair used access they still held, together with stolen credentials, to get back into the contractor's internal systems, write-protect administrative environments, and systematically delete approximately 96 distinct databases containing critical U.S. government information. They also destroyed forensic evidence of the intrusion in an attempt to obstruct the investigation. The brothers were arrested in December 2025, and the federal jury returned its guilty verdict against Sohaib on multiple felony counts. Sentencing is scheduled for September 9; the counts carry a combined statutory maximum of 21 years in prison.

What Was Taken

The compromised environment included case management systems and Freedom of Information Act response processing software supporting more than 45 federal client agencies. Approximately 96 distinct databases were destroyed outright. In a separate incident on February 1, 2025, before the terminations, Muneeb asked for the plaintext password of a complainant using the Equal Employment Opportunity Commission (EEOC) Public Portal, and Sohaib ran an unauthorized query against the primary EEOC database to extract the credential and hand it to his co-defendant. So, on top of the bulk database destruction, the credential of at least one EEOC complainant was exposed.

Why It Matters

This case is a textbook insider threat incident with national security implications. A single contractor with footprint across 45-plus federal agencies became a single point of catastrophic failure when offboarding controls failed to revoke privileged access. The destruction of FOIA processing systems and case management data has downstream impact on federal transparency obligations, ongoing civil rights complaints, and potentially active litigation. The fact that the brothers had a prior 2015 federal conviction for conspiracy to access State Department systems without authorization and were nonetheless employed in a privileged technical role at a federal contractor highlights a serious failure in personnel vetting for trusted insider positions.

The Attack Technique

The attack pattern follows a classic disgruntled-insider sabotage playbook. After the February 18, 2025 termination, the brothers retained or re-established access to internal contractor systems, used administrative credentials to write-protect environments (preventing rollback or recovery), deleted approximately 96 databases (the reporting does not say whether by DROP, bulk DELETE, or removal of the underlying storage), and tampered with logs and forensic artifacts to cover their tracks. The earlier February 1 EEOC incident shows legitimate database query privileges being abused to pull a plaintext password out of the application's data. A properly hashed password cannot be read back by a query, so this strongly suggests the application stored credentials in recoverable form rather than as salted, slow hashes.
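Each step of the pattern above leaves a trace in a database audit trail: statements from an account that HR has already terminated, SELECTs that read credential columns, a burst of destructive statements, and writes against the audit tables themselves. The detection logic below is an added example, not code from the case, the contractor, or the court record; the JSON-lines log schema, the usernames dba_a/dba_b/dba_c, the timestamps and the HR feed are all constructed, and the thresholds are assumptions to tune for a real environment.

```python
"""Detection logic for the insider pattern described above, run over a
constructed audit log. Added example, not code from the case or the
contractor; the log schema, usernames and timestamps are hypothetical."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed HR offboarding feed: account -> time the termination took effect (UTC).
TERMINATIONS = {
    "dba_a": datetime(2025, 2, 18, 17, 0, tzinfo=timezone.utc),
    "dba_b": datetime(2025, 2, 18, 17, 0, tzinfo=timezone.utc),
}

# Constructed database audit log, one JSON object per line (hypothetical schema).
AUDIT_LOG = """\
{"ts": "2025-02-01T14:02:11Z", "user": "dba_a", "db": "portal_primary", "stmt": "SELECT password FROM complainants WHERE email = 'x@example.org'"}
{"ts": "2025-02-10T09:15:00Z", "user": "dba_c", "db": "cases", "stmt": "SELECT id, status FROM cases WHERE id = 42"}
{"ts": "2025-02-19T02:01:00Z", "user": "dba_a", "db": "foia_01", "stmt": "DROP DATABASE foia_01"}
{"ts": "2025-02-19T02:01:30Z", "user": "dba_a", "db": "foia_02", "stmt": "DROP DATABASE foia_02"}
{"ts": "2025-02-19T02:02:00Z", "user": "dba_a", "db": "cases", "stmt": "DELETE FROM cases"}
{"ts": "2025-02-19T02:02:20Z", "user": "dba_a", "db": "cases_archive", "stmt": "TRUNCATE TABLE records"}
{"ts": "2025-02-19T02:03:00Z", "user": "dba_b", "db": "audit", "stmt": "DELETE FROM audit_events WHERE ts < '2025-02-20'"}
{"ts": "2025-02-19T10:00:00Z", "user": "dba_c", "db": "cases", "stmt": "DELETE FROM cases WHERE id = 7"}
"""

CRED_COLUMN = re.compile(r"\b(password|passwd|pwd|secret|api_key)\b", re.I)
# DROP/TRUNCATE, or a DELETE with no WHERE clause at all.
DESTRUCTIVE = re.compile(
    r"^\s*(DROP\s+(DATABASE|TABLE)\b|TRUNCATE\b|DELETE\s+FROM\s+\w+\s*;?\s*$)", re.I)
AUDIT_TABLE = re.compile(r"\baudit\w*\b|\b\w*_log\b|\blogs?\b", re.I)
WRITE_STMT = re.compile(r"^\s*(DELETE|UPDATE|DROP|TRUNCATE)\b", re.I)


def parse_log(text):
    """Parse JSON-lines audit records into dicts with an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def post_termination_activity(events, terminations):
    """Any statement issued by an account after HR says it was terminated:
    direct evidence that offboarding did not revoke access."""
    return [e for e in events
            if e["user"] in terminations and e["ts"] > terminations[e["user"]]]


def credential_column_access(events):
    """Ad hoc SELECTs that read credential-bearing columns."""
    return [e for e in events
            if e["stmt"].lstrip().upper().startswith("SELECT") and CRED_COLUMN.search(e["stmt"])]


def destructive_burst(events, window=timedelta(minutes=10), threshold=3):
    """Accounts issuing >= threshold destructive statements inside any sliding
    window; returns {user: peak count seen in one window}."""
    stamps = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if DESTRUCTIVE.match(e["stmt"]):
            stamps[e["user"]].append(e["ts"])
    flagged = {}
    for user, ts in stamps.items():
        start, peak = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def log_tampering(events):
    """Writes against audit or log tables: the anti-forensic step."""
    return [e for e in events
            if WRITE_STMT.match(e["stmt"]) and AUDIT_TABLE.search(e["stmt"])]


def run_detections(text=AUDIT_LOG, terminations=TERMINATIONS):
    events = parse_log(text)
    return {
        "post_termination": post_termination_activity(events, terminations),
        "credential_access": credential_column_access(events),
        "destructive_burst": destructive_burst(events),
        "log_tampering": log_tampering(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits if isinstance(hits, dict) else [(e["user"], e["stmt"]) for e in hits])
```

The post-termination check is the one that matters most here: it needs nothing but a join between the HR feed and the audit stream, and it fires on the first statement, before any data is lost. The other three only help if the audit records are shipped off-host, since the sample log's final dba_b event is exactly the kind of statement that would otherwise erase them.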

What Organizations Should Do

  1. Revoke all credentials, VPN tokens, MFA enrollments, SSH keys, API keys, and open privileged sessions before or at the moment an employee is notified of involuntary termination, not later the same day, with a second engineer verifying that nothing still authenticates.
  2. Conduct enhanced background screening for personnel with administrative access to federal data, including checks for prior federal computer fraud convictions and ongoing periodic re-screening.
  3. Eliminate plaintext or reversibly encrypted password storage in application databases. Use a salted, memory-hard or adaptive hash (Argon2id, scrypt, or bcrypt) and make sure no query path, support tool, or report returns raw credentials; the only recovery path should be a reset.
  4. Implement immutable, write-once audit logging shipped off-host in real time so that local log tampering cannot erase forensic evidence of insider activity.
  5. Require multi-party authorization (break-glass workflows with dual control) for destructive database operations such as mass DELETE, DROP, TRUNCATE, or write-protect changes against production environments.
  6. Maintain offline, air-gapped or object-locked backups that production administrator credentials cannot delete or overwrite, with regularly tested restore procedures, so that a malicious insider cannot destroy both the data and its recovery copies.
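Item 3 in working form, as an added example rather than code from the EEOC portal or the contractor (neither is public): the plaintext store is the shape of weakness the February 1 query implies, where any account with SELECT on the table can hand a user's password to a third party; the hashed store keeps only a per-user salt and a slow hash, verifies in constant time, and offers a support desk a one-shot reset token instead of a lookup. It uses scrypt from Python's standard library because Argon2id and bcrypt both need third-party packages; the cost parameters, class and method names are this example's own choices.

```python
"""Plaintext credential store beside a hashed store with no raw-credential
query path. Added example using only the standard library; the class and
method names and scrypt parameters are this example's own choices."""
import hashlib
import hmac
import os
import secrets


class PlaintextUserStore:
    """The anti-pattern: passwords kept recoverable, so a DBA or any ad hoc
    query can return them. Included only to contrast with the hashed store."""

    def __init__(self):
        self._rows = {}  # email -> password

    def create(self, email, password):
        self._rows[email] = password

    def verify(self, email, password):
        return self._rows.get(email) == password

    def lookup_password(self, email):
        # The query path that must not exist anywhere in a real application.
        return self._rows[email]


# scrypt cost parameters: 16 MiB of memory per hash (128 * r * N). Assumed values;
# tune to the slowest login latency the application can tolerate.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
DUMMY_SALT = bytes(16)  # used so a missing account costs the same time as a wrong password


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt, digest


class HashedUserStore:
    """Stores only salt + digest; the password itself is never recoverable."""

    def __init__(self):
        self._rows = {}          # email -> (salt, digest)
        self._reset_tokens = {}  # token -> email (a real store would expire these)

    def create(self, email, password):
        self._rows[email] = hash_password(password)

    def verify(self, email, password):
        row = self._rows.get(email)
        if row is None:
            hash_password(password, DUMMY_SALT)  # burn the same time, then reject
            return False
        salt, digest = row
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def issue_reset_token(self, email):
        """Support-desk path: a one-shot reset token, never the secret."""
        if email not in self._rows:
            return None
        token = secrets.token_urlsafe(32)
        self._reset_tokens[token] = email
        return token

    def reset_with_token(self, token, new_password):
        email = self._reset_tokens.pop(token, None)
        if email is None:
            return False
        self._rows[email] = hash_password(new_password)
        return True

    def stored_row(self, email):
        """What a DBA with SELECT sees: a salt and a digest, nothing reusable."""
        return self._rows[email]


if __name__ == "__main__":
    weak, strong = PlaintextUserStore(), HashedUserStore()
    for s in (weak, strong):
        s.create("complainant@example.org", "correct horse battery staple")
    print("plaintext store leaks:", weak.lookup_password("complainant@example.org"))
    print("hashed store row:", strong.stored_row("complainant@example.org"))
    print("verify ok:", strong.verify("complainant@example.org", "correct horse battery staple"))
```

The point of the dummy-salt branch in verify is that an attacker probing the login endpoint cannot distinguish "no such account" from "wrong password" by timing; the point of issue_reset_token is organisational as much as technical, since once it exists there is no legitimate reason for anyone to ask a DBA for a user's password.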

Sources: Sohaib Akhter Convicted in Government Database Deletion - TechNadu