U.S. authorities have successfully dismantled the operations of “r1z,” a prolific initial access broker who peddled gateways into corporate networks worldwide. Operating discreetly across numerous cybercrime forums, r1z offered a lucrative menu of stolen VPN credentials, remote access to enterprise environments, and custom tools designed to circumvent sophisticated security controls. His activities significantly fueled the ransomware supply chain by providing other cybercriminals with pre-established entry points into victim organizations, ultimately lowering the barrier to entry for large-scale intrusions.
The case of r1z highlights how a single actor can transform technical proficiencies into a scalable and impactful business model within the cybercrime ecosystem. Investigators revealed that r1z’s illicit offerings provided access to companies across the U.S., Europe, Mexico, and other regions. These access points frequently included rights for remote code execution, granting buyers near-complete control over targeted systems, making them particularly attractive to ransomware gangs seeking swift and reliable footholds.
r1z: A Digital Black Marketer’s Undoing
Analysts at cybersecurity firm Kela identified r1z as a highly active participant in underground communities and meticulously documented his presence. He was linked to approximately 1,600 posts across prominent cybercrime platforms such as XSS, Nulled, Altenen, RaidForums, and BlackHatWorld. In these digital marketplaces, r1z advertised not only network access but also a potent “EDR-killer” tool and cracked versions of Cobalt Strike. These tools facilitated lateral movement and persistent control within compromised networks for his clients.
Meanwhile, behind the scenes, law enforcement agencies had infiltrated r1z’s operations. An undercover FBI agent posed as a potential customer, successfully purchasing network access and advanced malware capable of disabling multiple endpoint detection and response (EDR) products. This undercover operation enabled investigators to observe r1z’s tradecraft in real time, map his digital infrastructure, and, crucially, link his offerings to at least one significant ransomware attack. This breakthrough paved the way for connecting the “r1z” moniker to Feras Albashiti, a Jordanian national who subsequently pleaded guilty to charges related to selling access to dozens of companies.
OPSEC Failures and the OSINT Trail
The unraveling of r1z’s operation was not the result of a single, catastrophic mistake, but rather a culmination of years of consistently weak operational security (OPSEC) practices. Kela analysts observed that Albashiti repeatedly reused the same usernames, email addresses, TOX ID, and even profile images across various platforms. This included cybercrime forums, Telegram channels, personal websites, and professional networking sites.
This consistent pattern of reuse created a rich open-source intelligence (OSINT) trail that analysts were able to meticulously correlate. For instance, a single Gmail account, “gits.systems@gmail[.]com,” appeared in leaked databases, domain registration records, and social media profiles, all of which ultimately led back to Albashiti. These persistent overlaps transformed his attempts at anonymity into significant liabilities for his clandestine operations.
Investigators were able to trace his domain, sec-r1z.com, and historical WHOIS records. Additionally, they identified “OrientalSecurity” branding, which revealed phone numbers, geographical locations in Jordan and Georgia, and a LinkedIn presence under variations of his real name. Each piece of reused information served to strengthen the attribution, demonstrating how even experienced threat actors can undermine their own security when OPSEC discipline weakens.
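The correlation step described above, as an added example that is not part of the original article and not Kela's or law enforcement's tooling: a small union-find linker that clusters profile records sharing any reused selector (handle, email, TOX ID, phone, avatar hash). Every platform name, handle and selector value below is constructed for the illustration.

```python
from collections import defaultdict

# Constructed profile records: (platform, handle, {selector_type: value}).
# The selector types mirror the identifiers the article says were reused.
PROFILES = [
    ("forum-a",  "r1z",         {"email": "broker@example[.]com", "tox": "TOX-AAA"}),
    ("forum-b",  "r1z",         {"tox": "TOX-AAA"}),
    ("telegram", "r1z_support", {"avatar_sha256": "img-111"}),
    ("whois",    None,          {"email": "broker@example[.]com", "phone": "+000-555-0100"}),
    ("linkedin", "j.doe",       {"phone": "+000-555-0100", "avatar_sha256": "img-111"}),
    ("forum-c",  "unrelated",   {"email": "someone@example[.]org"}),
]


def selectors_of(profile):
    """All (type, value) pairs for one record; the handle counts as a selector too."""
    _, handle, selectors = profile
    sels = dict(selectors)
    if handle:
        sels["handle"] = handle.lower()
    return set(sels.items())


def _find(parent, i):
    while parent[i] != i:          # path halving keeps the forest shallow
        parent[i] = parent[parent[i]]
        i = parent[i]
    return i


def link_profiles(profiles):
    """Group profile indices that are connected by at least one shared selector."""
    parent = list(range(len(profiles)))
    owners = defaultdict(list)     # (type, value) -> indices of records carrying it
    for idx, profile in enumerate(profiles):
        for key in selectors_of(profile):
            owners[key].append(idx)
    for members in owners.values():
        for other in members[1:]:  # union every record that shares this selector
            parent[_find(parent, other)] = _find(parent, members[0])
    clusters = defaultdict(list)
    for idx in range(len(profiles)):
        clusters[_find(parent, idx)].append(idx)
    return sorted(clusters.values())


def pivots(profiles, cluster):
    """Selectors seen on more than one record in a cluster: the links an analyst would cite."""
    counts = defaultdict(int)
    for idx in cluster:
        for key in selectors_of(profiles[idx]):
            counts[key] += 1
    return sorted((t, v, n) for (t, v), n in counts.items() if n > 1)
```

A shared generic handle alone is weak evidence, so in practice selectors are weighted and a cluster is corroborated before it is treated as one actor.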
For cybersecurity defenders, the r1z case is a potent reminder of the importance of continuous underground monitoring and the sustained correlation of identity signals. Such practices are essential for exposing and disrupting initial access brokers before their services enable the next wave of breaches. The ongoing efforts of law enforcement and cybersecurity firms to track these actors are crucial in mitigating future cyber threats.