Feras Albashiti, a Jordanian national operating under the alias “r1z” on the XSS Russian-language cybercrime forum, was identified by the FBI and KELA Cyber Intelligence as one of the most prolific initial access brokers (IABs) operating in the ransomware ecosystem in 2024. With over 1,600 forum posts demonstrating deep technical fluency and active engagement in the criminal market, Albashiti sold remote code execution (RCE)-level access to more than 50 companies across the United States, Europe, and Mexico - access that was purchased by ransomware affiliates who subsequently deployed their payloads against the compromised targets.
Key Facts
- What: Jordanian hacker "r1z" sold network access to 50+ companies for ransomware groups.
- Who: Corporations across the USA, Europe, and Mexico were compromised.
- Data Exposed: Network credentials, internal systems, and corporate data for ransomware deployment.
- Outcome: FBI undercover sting identified Feras Albashiti; criminal charges filed.
What Was Exposed
- RCE-level access to more than 50 corporate networks across the USA, Europe, and Mexico - access that provided ransomware affiliates a ready-made foothold from which to deploy encryption payloads and exfiltrate data
- Internal network credentials, session tokens, and administrative access obtained through firewall exploitation and subsequent lateral movement within victim environments
- The implicit exposure of every victim organization’s proprietary data, customer records, financial systems, and intellectual property to whatever the purchasing ransomware affiliate subsequently chose to steal or encrypt
- Infrastructure detail - network architecture, security tool deployments, and Active Directory configurations - that r1z assembled during his reconnaissance dwell time within victim networks before listing access for sale
- The EDR configurations and deployed security tooling of each victim organization, enabling purchasers to plan their operations with knowledge of what defenses they would need to defeat
- Potential link to at least one major ransomware attack through infrastructure connections identified by investigators, suggesting that r1z’s access sales contributed directly to significant data loss events beyond the 50+ confirmed compromises
Initial access brokers occupy a specialized but critical niche in the modern ransomware ecosystem. Rather than conducting end-to-end attacks themselves - from initial exploitation through ransomware deployment and ransom negotiation - IABs focus exclusively on the intrusion phase, developing expertise in specific exploitation techniques and scaling their operations by selling access to multiple buyers.
This specialization mirrors legitimate marketplace economics: IABs develop and monetize a scarce skill set while ransomware affiliates, who may have stronger capabilities in lateral movement and encryption deployment, purchase the costly and risky initial access phase from specialists. The result is a supply chain for corporate intrusions that is more efficient and more resilient than a model where every attacker must conduct every phase of the attack independently.
The XSS forum on which r1z operated is a predominantly Russian-language cybercriminal marketplace that has been a central venue for ransomware affiliate recruitment, malware distribution, and access sales since the early 2010s. An account with 1,600+ posts represents a significant investment of time and effort and signals an established reputation within the criminal community - a vendor with that posting history has demonstrated consistent delivery of claimed capabilities to buyers, building the trust that criminal marketplaces require for high-value transactions.
For r1z to accumulate this forum presence, he must have been operating continuously for months or years, conducting repeated successful intrusions against corporate targets and building a clientele of ransomware affiliates who returned for repeat purchases.
The specific technical capabilities r1z offered illuminate the vulnerability landscape that corporate defenders must prioritize. Firewall exploitation as an initial access vector reflects a broader trend identified across the threat intelligence industry: perimeter security appliances - including VPN concentrators, next-generation firewalls, and unified threat management devices from major vendors - have become primary targets for exploitation because they are internet-facing, often run older firmware due to operational update inertia, and their compromise provides immediate access to internal network segments. High-profile vulnerabilities in Fortinet, Ivanti, Cisco, and Palo Alto devices in 2023 and 2024 were exploited within days or hours of public disclosure, and IABs like r1z build automation around these exploits to scale their intrusion operations.
The distribution of cracked Cobalt Strike is a further indicator of r1z’s position in the criminal ecosystem. Cobalt Strike is a commercial red-team platform legitimately licensed to security professionals, but cracked and modified versions have circulated in criminal communities for years, enabling attackers to use its sophisticated command-and-control, lateral movement, and payload staging capabilities without paying the legitimate license fee.
KELA’s investigation found that r1z was not merely using cracked Cobalt Strike for his own operations but was distributing it to other criminal actors - an indicator of his role as a capability supplier within the broader ecosystem, not merely an individual operator.
The EDR killer tool distributed by r1z represents one of the most sophisticated and dangerous elements of his toolkit. EDR platforms - including CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, and their competitors - are the primary detective and preventive control that modern organizations rely upon to identify and terminate ransomware deployment in progress. An EDR killer that successfully terminates these agents before the ransomware payload is deployed effectively blinds the victim organization at the moment of maximum danger.
The existence and distribution of such a tool demonstrates that criminal actors have specifically engineered countermeasures to the security investments that organizations have made in response to the ransomware threat - an adversarial adaptation that security teams must actively monitor and prepare to detect through secondary means.
The FBI undercover operation that ultimately identified r1z represents a sophisticated law enforcement engagement with the dark web criminal marketplace. By posing as a buyer and purchasing access from r1z - thereby receiving both the access itself and the forensic evidence of the transaction - the FBI was able to gather evidence of criminal intent that would be difficult to establish through passive observation alone.
The OPSEC failures that enabled the attribution of r1z to Feras Albashiti are not detailed in public reporting, but KELA’s analysis suggests the connection between the online alias and the individual was established through a combination of digital infrastructure analysis, forum metadata, and potentially information from other investigations or cooperative sources.
Regulatory Analysis
The r1z case intersects Jordan’s legal framework at several points. As a Jordanian national, Albashiti’s activities are governed by Jordanian criminal law in addition to whatever legal exposure he faces in the jurisdictions where his victims are located. The Cybercrime Law No. 17/2023 - which replaced the 2015 law with expanded offense categories and enhanced prosecutorial powers - squarely encompasses the conduct attributed to r1z.
The law criminalizes unauthorized access to information systems, the development and distribution of malicious software, and participation in organized criminal activity involving cyber offenses. Each access sale that r1z conducted would constitute a distinct criminal act under the 2023 law, and the distribution of cracked Cobalt Strike and EDR killer tools would likely constitute a malicious software distribution offense.
The 2023 law’s expanded prosecutorial powers are relevant here. Under the previous 2015 framework, the public prosecutor’s ability to initiate proceedings without a victim complaint was limited. The 2023 law expanded this authority, enabling the Jordanian public prosecutor to act on cybercrime matters affecting the national interest without waiting for individual victims - many of whom are foreign companies with no practical means of filing a complaint in Jordan - to initiate the process.
This change is particularly significant for IAB cases where the direct victims are distributed across multiple foreign jurisdictions and may be unaware that the initial access to their networks originated from a Jordanian operator.
The international dimension of the r1z case creates a complex jurisdictional picture.
The FBI’s investigation and the criminal complaint are U.S. proceedings targeting a Jordanian national whose victims are primarily located in the USA, Europe, and Mexico.
Jordan’s extradition relationship with the United States is governed by a bilateral treaty, and Jordan has cooperated with U.S. law enforcement on cybercrime matters in the past. However, extradition of a state’s own nationals is a legally and politically sensitive matter in many jurisdictions, and the practical resolution of the r1z case - whether through U.S. prosecution, Jordanian prosecution, or some combination - depends on diplomatic as well as legal factors.
The NCSC and Jordanian law enforcement agencies have developed cybercrime investigation capabilities, but the sophistication required to conduct independent investigation of an IAB operating on Russian-language dark web forums represents a significant technical challenge.
From the perspective of the 50+ corporate victims, none of whom appear to be Jordanian entities, the direct regulatory consequence of the r1z operation falls under the data protection and cybersecurity laws of the jurisdictions where they operate. EU-based victims face GDPR breach notification obligations; U.S. victims face sector-specific notification requirements under HIPAA, the FTC Act, and state breach notification laws.
But the r1z case carries an important lesson for Jordanian policymakers: the country is home to technically capable threat actors who are directly enabling some of the most damaging ransomware attacks globally, and the reputational and diplomatic consequences of Jordan being identified as an operational base for IABs create a strong policy incentive to develop robust domestic cybercrime investigation and prosecution capabilities.
What Should Have Been Done
The r1z case illuminates both the corporate defensive failures that enabled 50+ organizations to be compromised and the policy failures that allowed an IAB of this scale to operate without domestic detection or intervention. The recommendations flow in both directions - to the corporate victims whose inadequate controls made them viable targets, and to Jordanian policymakers whose legal and institutional framework did not detect or deter this activity.
For corporate defenders, the r1z toolkit highlights firewall exploitation as the primary risk requiring immediate attention. Organizations must treat their perimeter security appliances as high-value targets that warrant continuous vulnerability management, not merely periodic maintenance. Every internet-facing firewall, VPN concentrator, or unified threat management device should be subject to an aggressive patch management policy that applies vendor security updates within 24 to 48 hours of release for critical vulnerabilities.
Organizations should subscribe to vendor security advisories and threat intelligence feeds that provide advance warning of exploitation activity targeting specific products, enabling pre-emptive action before a CVE is weaponized at scale by operators like r1z.
Network monitoring should include detection rules for the specific indicators of compromise associated with perimeter device exploitation, including anomalous authentication attempts, unexpected outbound connections from firewall management interfaces, and configuration changes not initiated through authorized change management processes.
Detection of cracked Cobalt Strike and EDR killer activity requires security controls that operate independently of the endpoint security tools that the attacker will attempt to disable. Network-based detection - through an NDR (network detection and response) platform that monitors for Cobalt Strike beacon communication patterns even when the endpoint agent has been killed - provides a defensive layer that survives EDR termination.
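As an added illustration of the network-side layer described above (this is not code from the original article or from KELA), the following periodicity check runs over constructed flow records and flags a host whose outbound connections keep a near-constant interval, the pattern a beacon with a fixed sleep timer and modest jitter produces regardless of whether the endpoint agent is still alive. Hosts, addresses, and thresholds are assumptions.

```python
import statistics
from collections import defaultdict


def _flows_from_gaps(start, src, dst, dport, gaps):
    """Build (timestamp, src, dst, dport) records from a list of inter-connection gaps."""
    records, ts = [(start, src, dst, dport)], start
    for gap in gaps:
        ts += gap
        records.append((ts, src, dst, dport))
    return records


# Constructed sample flows (not real traffic). The first host checks in roughly every
# 60 s with jitter; the second shows the irregular timing of ordinary user browsing.
FLOWS = (
    _flows_from_gaps(1000, "10.0.5.23", "203.0.113.45", 443,
                     [55, 66, 58, 62, 70, 50, 61, 57, 64])
    + _flows_from_gaps(1000, "10.0.5.24", "198.51.100.7", 443,
                       [3, 120, 7, 900, 2, 45, 600, 15, 1])
)


def beacon_candidates(flows, min_conns=8, max_cv=0.3):
    """Score each (src, dst, dport) tuple by the coefficient of variation of its
    inter-connection gaps. A low CV over enough connections marks a beacon candidate."""
    groups = defaultdict(list)
    for ts, src, dst, dport in flows:
        groups[(src, dst, dport)].append(ts)
    results = {}
    for key, times in groups.items():
        if len(times) < min_conns:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        results[key] = {
            "conns": len(times),
            "mean_gap": round(mean, 1),
            "cv": round(cv, 3),
            "beacon": cv <= max_cv,
        }
    return results


if __name__ == "__main__":
    for key, score in beacon_candidates(FLOWS).items():
        print(key, score)
```

Thresholds need tuning per environment: long sleeps with high jitter raise the CV, so a production rule would also bucket by destination rarity and connection count over a longer window.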
Security operations centers should maintain alert rules for the specific Windows event log signatures associated with EDR driver killing activities, including service termination events for known security product processes, deletion of security agent files, and registry modifications to disable security tool autostart entries. These events should trigger immediate incident response, as they are unambiguous indicators of an active, sophisticated attacker who has already achieved significant access.
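As an added example of the alerting logic just described (not code from the original article or from any vendor), this rule set walks constructed Windows event records and raises on the three indicator classes named above: a security service entering the stopped state or having its start type set to disabled (System 7036/7040), a delete-access request on an agent file (Security 4663 with the DELETE bit in the access mask), and a Services registry key Start value rewritten to 4, which means disabled (Security 4657). The service names, paths, and flattened field names are assumptions; map them to your estate's real agents and your SIEM's schema.

```python
import re

# Assumed service names of deployed EDR/AV agents (lower-case); extend for your estate.
EDR_SERVICES = {"csfalconservice", "sentinelagent", "sense", "windefend"}
# Assumed install-path fragments of the same agents.
EDR_PATHS = re.compile(r"\\(crowdstrike|sentinelone|windows defender)\\", re.IGNORECASE)
# Pull the service name out of a Services registry key path.
SERVICE_KEY = re.compile(r"\\services\\([^\\]+)\\?$", re.IGNORECASE)

# Constructed, flattened event records (field names normalised by an assumed log pipeline).
EVENTS = [
    {"EventID": 7036, "ServiceName": "CSFalconService", "State": "stopped"},
    {"EventID": 7036, "ServiceName": "Spooler", "State": "stopped"},          # benign
    {"EventID": 7040, "ServiceName": "SentinelAgent", "NewStartType": "disabled"},
    {"EventID": 4663, "ObjectName": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe",
     "AccessMask": "0x10000"},
    {"EventID": 4663, "ObjectName": r"C:\Users\alice\report.docx", "AccessMask": "0x1"},   # benign read
    {"EventID": 4657, "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend",
     "ObjectValueName": "Start", "NewValue": "4"},
]

DELETE = 0x10000  # standard access right DELETE in a 4663 AccessMask


def edr_tamper_alerts(events):
    """Return (EventID, reason) tuples for events matching EDR-tampering indicators."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        svc = ev.get("ServiceName", "").lower()
        if eid == 7036 and svc in EDR_SERVICES and ev.get("State") == "stopped":
            alerts.append((eid, f"security service stopped: {ev['ServiceName']}"))
        elif eid == 7040 and svc in EDR_SERVICES and ev.get("NewStartType", "").lower() == "disabled":
            alerts.append((eid, f"security service start type set to disabled: {ev['ServiceName']}"))
        elif eid == 4663 and EDR_PATHS.search(ev.get("ObjectName", "")) \
                and int(ev.get("AccessMask", "0"), 16) & DELETE:
            alerts.append((eid, f"delete access on agent file: {ev['ObjectName']}"))
        elif eid == 4657 and ev.get("ObjectValueName") == "Start" and ev.get("NewValue") == "4":
            m = SERVICE_KEY.search(ev.get("ObjectName", ""))
            if m and m.group(1).lower() in EDR_SERVICES:
                alerts.append((eid, f"autostart disabled via registry: {m.group(1)}"))
    return alerts


if __name__ == "__main__":
    for eid, reason in edr_tamper_alerts(EVENTS):
        print(eid, reason)
```

Each hit is worth an immediate page rather than a ticket; a single stopped Spooler is noise, but any one of these against a security agent is the signal the article describes.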
For Jordanian policymakers and law enforcement, the r1z case demonstrates the need for specialized cybercrime investigation units with dark web monitoring capabilities.
KELA’s threat intelligence - a commercial service - identified r1z as a significant criminal actor through systematic monitoring of criminal forums and analysis of tradecraft patterns. Jordan’s NCSC and law enforcement agencies should develop or procure equivalent monitoring capabilities, enabling domestic identification of Jordanian nationals operating in IAB, ransomware affiliate, or other cybercriminal roles before foreign law enforcement agencies conduct the investigation that embarrasses Jordan internationally.
The National Cybersecurity Strategy 2024-2028, launched in conjunction with the NCSC’s annual report, should explicitly address the development of proactive threat intelligence and cybercrime prosecution capabilities.
The r1z case reveals that Jordan is not merely a passive victim of the global ransomware ecosystem - it is also a source of the initial access that enables attacks against companies worldwide, and the inadequacy of domestic detection and prosecution capabilities means that operators of this type can build substantial criminal careers before foreign law enforcement intervention forces accountability.