Twin brothers Muneeb and Sohaib Akhter, both 34, were arrested for allegedly deleting 96 databases and stealing sensitive government data from Opexus, a Washington-based federal contractor serving more than 45 agencies, during a weeklong sabotage spree in February 2025 (mapped to ATT&CK T1485, Data Destruction, and T1530, Data from Cloud Storage). The brothers are repeat offenders: both were sentenced to prison in 2015 for hacking the State Department while employed as government contractors, Muneeb to 39 months and Sohaib to 24. DOJ prosecutors say they were "back at it a decade later," using insider access minutes after being fired to launch coordinated attacks against Department of Homeland Security, Internal Revenue Service, and Equal Employment Opportunity Commission systems.

Muneeb Akhter is alleged to have deleted approximately 96 databases of government information, including sensitive investigative files and FOIA records, deleted a DHS production database, copied more than 1,800 EEOC files, and stolen IRS records containing personally identifiable information on at least 450 individuals. What makes the case particularly notable is Muneeb's use of an artificial intelligence tool to assist the cover-up: he queried it for advice on clearing logs from SQL Server after deleting the databases and on wiping the event and application logs of Windows Server 2012. The brothers also cleaned their residence in anticipation of a law enforcement raid and wiped their employer-owned computers by reinstalling the operating system.

The business impact includes major disruption to federal agency operations serving the public, exposure of sensitive investigative files and citizen PII, potential FOIA compliance violations, and national security concerns, given the brothers' reach into systems across 45+ federal agencies through Opexus's infrastructure.
The case was investigated by more than 20 federal agencies and represents one of the most significant insider-threat incidents involving a government contractor in recent years. Muneeb Akhter faces charges of conspiracy to commit computer fraud and destroy records, two counts of computer fraud, theft of government records, and two counts of aggravated identity theft, carrying a mandatory minimum of four years and up to 45 years in prison. Sohaib Akhter is charged with password trafficking and conspiracy and faces up to six years. That both brothers had prior convictions for the same kind of conduct yet regained access to sensitive government systems raises serious questions about contractor vetting and insider-threat monitoring at organizations handling federal data. Mitigation rests on four controls: privileged-user monitoring with behavioral analytics that flags anomalous database access or deletion patterns (a burst of DROP DATABASE operations by one account is not normal administration); credential revocation and session termination at the moment of termination, since the alleged spree began minutes after the firing; audit logging that an insider cannot quietly clear, which in practice means real-time forwarding to an off-system SIEM rather than reliance on local SQL Server and Windows event logs; and rigorous background checks with continuous vetting for contractors who hold access to sensitive government systems, above all those with prior criminal histories in the same domain.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: The Akhter twins' insider attack exposed critical weaknesses in government-contractor oversight, demonstrating how trusted insiders with privileged access can cause massive damage within minutes of termination. The deletion of 96 databases serving multiple federal agencies, theft of IRS records holding PII on 450+ individuals, and use of an AI tool to plan the cover-up add up to a premeditated attack that disrupted government operations and compromised sensitive investigative data. Organizations working with federal data face heightened scrutiny of their insider-threat controls, especially for employees with prior criminal histories.

Technical Context: The attack used legitimate insider access to agency databases, mapped to T1485 (Data Destruction) and T1530 (Data from Cloud Storage), and was executed in the narrow window after termination but before credential revocation. Querying an AI tool for log-clearing techniques on SQL Server and Windows Server 2012 shows insider tradecraft evolving to use generative AI for operational security; the defensive corollary is that the clear operation itself leaves a trace (Windows writes a Security 1102 or System 104 event when a log is cleared), which only survives if it has already been forwarded off the host. The brothers' 2015 convictions for comparable conduct while employed as federal contractors highlight systemic failures in continuous vetting and insider-risk assessment for privileged users.
⚡Strategic Intelligence Guidance
- Revoke privileged access automatically at the moment of termination, ideally before the employee is notified or leaves the exit interview, so there is no post-termination abuse window; just-in-time privileged access, granted per task and expiring on its own, keeps standing access to a minimum.
- Deploy behavioral analytics monitoring for privileged users that flags anomalous patterns such as mass database deletions, unusual data exfiltration volumes, or access to systems outside normal job functions.
- Enable tamper-resistant audit logging with real-time forwarding to an external SIEM that insiders cannot reach or modify, so forensic visibility survives local log clearing; Windows records the clear itself (Security 1102, System 104) and SQL Server Audit can write to the Windows Security log, so a clear becomes an alert rather than a gap.
- Establish continuous background monitoring and insider risk scoring for contractors with access to sensitive data, especially those with prior security incidents or criminal histories in cyber domains.
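The monitoring and logging guidance above, and the mitigation paragraph earlier on the page, are easier to reason about as concrete detection logic. What follows is an added example written for this page, not code from Opexus, DOJ or any vendor named here. It runs three checks over a constructed batch of forwarded audit events: a sliding-window count of DROP DATABASE actions per principal (SQL Server Audit records expose these as action_id "DR" on class_type "DB"), the Windows events that a log clear itself emits (Security 1102 and System 104, which a forwarding agent will already have shipped off-box before the local copy is gone), and any activity by a principal at or after an HR termination timestamp. The normalized event schema, the principal names, the termination feed, the 3-drops-in-10-minutes threshold and the sp_cycle_errorlog indicator are all assumptions made for the example.

```python
"""Added example: detection checks over forwarded audit events.

Constructed sample data throughout; event schema, principals, thresholds and
the sp_cycle_errorlog indicator are assumptions for illustration, not data
from the Opexus case.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows records a log clear as an event in its own right: Security 1102
# ("the audit log was cleared") and System 104 (any other log cleared).
WINDOWS_LOG_CLEAR = {("Security", 1102), ("System", 104)}
# Assumed SQL Server indicator: recycling the error log pushes evidence out
# of the active log file.
SQL_LOG_CLEAR_PROCS = ("sp_cycle_errorlog",)

# Assumed termination feed from HR: principal -> termination time (ISO 8601).
SAMPLE_TERMINATIONS = {"CORP\\dba1": "2025-02-03T08:55:00"}


def _sql(ts, who, action, cls, obj, stmt):
    # SQL Server Audit fields use the sys.fn_get_audit_file column names:
    # action_id "DR" is DROP, class_type "DB" is DATABASE.
    return {"source": "sqlaudit", "ts": ts, "principal": who, "action_id": action,
            "class_type": cls, "object_name": obj, "statement": stmt}


def _win(ts, who, channel, event_id):
    return {"source": "winevent", "ts": ts, "principal": who,
            "channel": channel, "event_id": event_id}


# Constructed events in an assumed SIEM-normalized shape.
SAMPLE_EVENTS = [
    _sql("2025-02-03T08:50:00", "CORP\\dba1", "SL", "U ", "dbo.cases", "SELECT * FROM dbo.cases"),
    _sql("2025-02-03T09:00:00", "CORP\\dba2", "DR", "DB", "sandbox_db", "DROP DATABASE sandbox_db"),
    _sql("2025-02-03T09:01:00", "CORP\\dba1", "DR", "DB", "foia_01", "DROP DATABASE foia_01"),
    _sql("2025-02-03T09:02:00", "CORP\\dba1", "DR", "DB", "foia_02", "DROP DATABASE foia_02"),
    _sql("2025-02-03T09:03:00", "CORP\\dba1", "DR", "DB", "foia_03", "DROP DATABASE foia_03"),
    _sql("2025-02-03T09:04:00", "CORP\\dba1", "DR", "DB", "foia_04", "DROP DATABASE foia_04"),
    _sql("2025-02-03T09:05:00", "CORP\\dba1", "EX", "P ", "sp_cycle_errorlog", "EXEC sp_cycle_errorlog"),
    _win("2025-02-03T09:06:00", "CORP\\dba1", "Security", 1102),
    _win("2025-02-03T09:07:00", "CORP\\dba1", "System", 104),
]


def _ts(s):
    return datetime.fromisoformat(s)


def detect(events, terminations, drop_threshold=3, window=timedelta(minutes=10)):
    """Return a list of alert dicts for the given events, processed in time order."""
    alerts = []
    term_at = {p: _ts(t) for p, t in terminations.items()}
    flagged_terminated = set()
    recent_drops = defaultdict(deque)  # principal -> timestamps of recent DROP DATABASE

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, who = _ts(ev["ts"]), ev["principal"]

        # 1. Any activity at or after the termination time is an alert (once per principal).
        if who in term_at and ts >= term_at[who] and who not in flagged_terminated:
            flagged_terminated.add(who)
            alerts.append({"rule": "post_termination_activity", "principal": who, "ts": ev["ts"]})

        if ev["source"] == "sqlaudit":
            # 2. Mass deletion: drop_threshold DROP DATABASE by one principal inside the window.
            if ev.get("action_id") == "DR" and ev.get("class_type") == "DB":
                q = recent_drops[who]
                q.append(ts)
                while ts - q[0] > window:  # discard drops that fell out of the window
                    q.popleft()
                if len(q) == drop_threshold:  # fire once, when the threshold is first crossed
                    alerts.append({"rule": "mass_database_drop", "principal": who,
                                   "ts": ev["ts"], "count": len(q)})
            # 3a. SQL-side log clearing (assumed indicator).
            stmt = ev.get("statement", "").lower()
            if any(p in stmt for p in SQL_LOG_CLEAR_PROCS):
                alerts.append({"rule": "sql_log_clear", "principal": who, "ts": ev["ts"]})
        elif ev["source"] == "winevent":
            # 3b. Windows-side log clearing; the clear event is itself the evidence.
            if (ev.get("channel"), ev.get("event_id")) in WINDOWS_LOG_CLEAR:
                alerts.append({"rule": "windows_log_cleared", "principal": who,
                               "ts": ev["ts"], "channel": ev["channel"]})
    return alerts


def run_demo():
    """Run the checks over the constructed sample and return the alerts."""
    return detect(SAMPLE_EVENTS, SAMPLE_TERMINATIONS)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Run stand-alone, the sample yields five alerts: one post-termination flag for dba1 (its 08:50 query, before the termination time, is not flagged), one mass-drop alert raised at the third DROP, the error-log recycle, and the two Windows clear events; dba2's single sandbox drop stays silent. Check 3 is the reason real-time forwarding matters: by the time the local Security log is empty, the 1102 that records the clear has already left the host.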
Vendors
Opexus, Department of Homeland Security, Internal Revenue Service, Equal Employment Opportunity Commission, US Department of Justice
Threats
insider threat, database destruction, Muneeb Akhter, Sohaib Akhter
Targets
US federal agencies, government contractors, Opexus, DHS databases, IRS records, EEOC systems
Impact
Data Volume: 1,800+ EEOC files copied, IRS records holding PII on 450+ individuals
Systems Destroyed: ~96 databases, including a DHS production database
Financial: not quantified