A Federal Jury Just Convicted One of the Brothers Who Wiped 96 Government Databases After Being Fired by Video Call
A federal jury in Alexandria, Virginia convicted Sohaib Akhter on May 7, 2026 for his role in deleting roughly 96 U.S. government databases at federal contractor Opexus on the day he and his twin brother were fired in February 2025. The case is also notable for an unprecedented detail: one minute after deleting a DHS database, his brother Muneeb allegedly asked an AI tool how to clear system logs. Both brothers had been previously convicted in 2015 for hacking the State Department — and Opexus rehired them anyway.
On Thursday, May 7, 2026, the U.S. Department of Justice announced that a federal jury in the Eastern District of Virginia had convicted Sohaib Akhter, 34, of Alexandria, Virginia, on charges of conspiracy to commit computer fraud, password trafficking, and possession of a firearm by a prohibited person. Sentencing is scheduled for September 9, 2026. Akhter faces a maximum of 21 years in prison. The conviction is the first to land in a case that began with a Bloomberg News investigation in May 2025 and resulted in a federal indictment of Sohaib and his twin brother Muneeb Akhter in November 2025.
Muneeb Akhter — facing a separate maximum of 45 years on conspiracy, computer fraud, theft of U.S. government records, and aggravated identity theft charges — has not yet been convicted; his case remains pending. The court records and DOJ press release together describe a chain of events that is exceptional even by insider-threat standards: two brothers with prior federal hacking convictions rehired as engineers at a contractor handling data for more than 45 federal agencies, fired during a video call after their criminal histories were rediscovered, and allegedly retaliating during the very same call by deleting roughly 96 government databases including Freedom of Information Act records.
The single most operationally instructive detail is buried in the indictment. Per court records and Axios reporting, one minute after Muneeb Akhter allegedly deleted a Department of Homeland Security database, he asked an artificial intelligence tool how to clear system logs after deleting databases — including, per Cybernews's review of court documents, the verbatim queries "how do i clear system logs from SQL servers after deleting databases" and "how do you clear all event and application logs from Microsoft windows server 2012." The AI-as-anti-forensics-accomplice detail is the new wrinkle that distinguishes this case from any prior insider-threat prosecution.
Akhter Brothers Federal Database Wipe Profile

| Detail | Information |
|---|---|
| Defendant convicted May 7, 2026 | Sohaib Akhter, 34, of Alexandria, Virginia |
| Sohaib's charges of conviction | Conspiracy to commit computer fraud; password trafficking; possession of a firearm by a prohibited person |
| Sohaib's maximum sentence | 21 years; sentencing scheduled for September 9, 2026 |
| Co-defendant (not yet convicted) | Muneeb Akhter, 34 (twin brother) — faces conspiracy, two counts computer fraud, theft of government records, two counts aggravated identity theft; max 45 years |
| Employer at time of incident | Opexus — Washington, D.C.-headquartered software contractor owned by Thoma Bravo; provides services to 45+ federal agencies; data hosted on servers in Ashburn, VA |
| Termination date | February 18, 2025 — fired during online remote meeting after Opexus discovered Sohaib's prior felony conviction |
| Databases destroyed | Approximately 96, including FOIA records, IRS data, EEOC files, DHS data, and case-management software for federal agencies; deletion occurred within several hours of the termination call |
| IRS data theft | Federal tax data and identifying information for at least 450 individuals (per indictment against Muneeb) |
| EEOC password trafficking | Feb. 1, 2025 — Sohaib queried EEOC database, retrieved plaintext password of complainant, gave it to Muneeb; password used to access complainant's email without authorization |
| AI tool query (per indictment) | ~1 minute after deleting DHS database, Muneeb queried unspecified AI tool: "how do i clear system logs from SQL servers after deleting databases" and "how do you clear all event and application logs from Microsoft windows server 2012" |
| Prior conviction | 2015 — Eastern District of Virginia, conspiracy/wire fraud/unauthorized computer access; State Department breach plus cosmetic-company hack; Muneeb sentenced to 39 months, Sohaib to 24 months |
| Investigation | FDIC-OIG (lead), DHS-OIG, Homeland Security Investigations; assistance from 15+ federal IGs, ATF, U.S. Capitol Police, Fairfax County Police, Alexandria Sheriff's Office |
How a Termination Video Call Became a Federal Database Wipe
Per the DOJ press release announcing Sohaib's conviction, the brothers worked at Opexus — a Washington, D.C.-headquartered contractor providing software services to more than 45 federal agencies, with data hosted on servers in Ashburn, Virginia. Opexus is owned by private equity firm Thoma Bravo and specializes in electronic case management for FOIA processing and government audits. On February 18, 2025, when Opexus discovered Sohaib's 2015 felony conviction, the company terminated both brothers during an online remote meeting. The DOJ's reading of what happened next is direct: "Immediately after being fired during this meeting, the brothers sought to harm their employer and its U.S. government customers by accessing computers without authorization, write-protecting databases, deleting databases, and destroying evidence of their unlawful activities."
Per court documents reviewed by The Register and Axios, prosecutors estimate Muneeb deleted approximately 96 databases including records and documents tied to FOIA requests. The brothers also wiped company laptops before returning them and discussed cleaning out their house in anticipation of a potential law enforcement search. The destruction occurred within several hours of the termination call. The brothers ran commands to write-protect databases before deletion — preventing others from modifying them and effectively destroying any chance of trivial recovery.
Sohaib was separately convicted of conduct that predated the firing. On February 1, 2025 — just over two weeks before the termination — Muneeb asked Sohaib for the plaintext password of an individual who had filed a complaint with the EEOC's Public Portal, which Opexus operated. Sohaib ran a database query, retrieved the password, and gave it to Muneeb, who used it to access the complainant's email account without authorization. That password trafficking is the conduct at the core of Sohaib's conviction. The aggravated identity theft and IRS data theft charges remain against Muneeb separately; per the indictment, he stole federal tax data on at least 450 individuals from a virtual machine.
The AI-as-Anti-Forensics-Accomplice Detail That Distinguishes This Case
Per the indictment, about one minute after deleting a Department of Homeland Security database, Muneeb Akhter asked an artificial intelligence tool how to clear system logs after deleting databases. Cybernews's review of the court documents identified the verbatim queries: "how do i clear system logs from SQL servers after deleting databases" and "how do you clear all event and application logs from Microsoft windows server 2012." The DOJ has not publicly identified which specific AI tool Muneeb used; the indictment refers only to "an artificial intelligence tool." The Microsoft Windows Server 2012 reference is itself notable — Microsoft ended support for that operating system in October 2023, suggesting Opexus's environment included substantially out-of-date Windows infrastructure.
This is the first publicly documented federal prosecution to include AI-tool prompts as evidence of intent in a destruction-of-records case. The implication for defenders is that LLM queries are increasingly part of insider-threat tradecraft — and conversely, part of the forensic record that investigators can pull. The CyberSignal's prior coverage of AI tools being used by attackers in operational technology environments documented Dragos's case study of LLMs assisting hackers in pre-attack reconnaissance against a Mexican water utility. The Akhter case is the corresponding evidence of LLMs assisting attackers in post-attack evidence destruction. Both ends of the kill chain now have AI components.
How Two Convicted Hackers Got Federal Contractor Jobs
Both brothers pleaded guilty in 2015, in the same Eastern District of Virginia federal court that convicted Sohaib this week, to conspiracy charges involving wire fraud and unauthorized computer access. Muneeb was sentenced to three years and three months in prison; Sohaib received a two-year sentence. The 2015 case involved hacking the U.S. State Department's Bureau of Consular Affairs, where Sohaib was working as an IT support contractor at the time, and a separate compromise of a cosmetics company that resulted in stolen credit card numbers. The brothers also accessed passport and visa data including information on a federal investigator examining their case. After serving their sentences, both worked various engineering jobs and then both ended up at Opexus.
Per Bloomberg's original May 2025 reporting, an Opexus spokesperson declined to comment on whether the company conducted a background check before hiring the brothers. In a statement to Cybernews after the December 2025 indictment, Opexus said: "While these individuals passed background checks at the time, this incident made clear that our screening protocols needed to be even more robust." The brothers' criminal histories were ultimately discovered when Sohaib was offered a separate role at the FDIC Office of Inspector General that required a fresh background check; FDIC officials flagged the brothers' criminal records to Opexus's chief information security officer, who initiated the February 2025 terminations. The discovery sequence is itself a process failure: a background check that catches the problem at FDIC's hiring stage but did not at Opexus's hiring stage.
The DOJ Quotes That Tell the Government's Story
Assistant Attorney General A. Tysen Duva of the DOJ's Criminal Division said in the May 7 statement: "Sohaib Akhter harmed Americans who trusted their government with personal information and sensitive requests. His conviction shows that getting fired from a job is not an invitation to retaliate." FDIC-OIG Inspector General Jennifer L. Fain added: "As proven at trial, Akhter participated in the unauthorized access of protected computer systems, the theft of credentials, and the destruction of government data affecting numerous federal agencies. The deliberate deletion of databases containing sensitive government information and the subsequent attempts to conceal that criminal activity demonstrated a blatant disregard for the security and integrity of federal information systems."
The investigation involved an unusual breadth of federal participation: FDIC-OIG (Electronic Crimes Unit) led the case, with Department of Homeland Security OIG and Homeland Security Investigations as primary partners, and additional assistance from more than 15 federal inspectors general, the Bureau of Alcohol, Tobacco, Firearms and Explosives, the U.S. Capitol Police, the Fairfax County Police Department, and the Alexandria Sheriff's Office. The ATF involvement reflects the firearms-possession charge against Sohaib — investigators executed a search warrant on March 12, 2025 and recovered seven firearms (M1 and M1A rifles, a Glenfield Model 60, a Ruger .22 automatic pistol, and a Colt Police .38 Special revolver) plus approximately 378 .30 caliber rounds. Sohaib, a convicted felon, was prohibited from possessing them.
The Akhter conviction lands inside a broader pattern of federal cybercrime enforcement against contractors and insiders. The CyberSignal's coverage of the eight U.S.-based laptop-farm facilitators sentenced this year tracks the parallel DOJ initiative producing monthly sentencings of U.S. nationals enabling foreign-state and other insider-mediated infiltration of American companies and federal agencies — same prosecutorial cadence, same root cause of inadequate vetting at the hiring stage.
Defender Actions for Insider-Threat Programs
- Synchronously revoke privileged access during termination meetings — not after. The Akhter brothers had hours of post-termination access because revocation hadn't happened in real time. For employees with system administrator-level access, network and application access should be cut before or during the firing call, not after the call concludes. This is a process failure, not a technology failure, and it is fixable today.
- Have IR and security operations on standby during high-risk terminations. A virtual termination of an employee with database administrator access warrants real-time monitoring of their account for the next 24-72 hours, with a defined escalation path if anomalous activity is detected. Cross-functional termination protocols should bring Security, IT, HR, and Legal together; HR will not naturally think about logging, access revocation, and digital evidence preservation as part of an involuntary termination.
- Implement write-protection on critical databases as the default state. The brothers explicitly write-protected databases as part of their destruction sequence to prevent recovery. Default write-protection that requires change control to modify would have narrowed the destruction window. Combine with immutable backups stored off-platform with credentials separated from production environments — those are the difference between a 24-hour recovery and the kind of multi-month recovery many of the affected federal agencies are still working through.
- Audit your background-check timing for contracted employees. Sohaib Akhter's prior felony conviction was discovered after rehire, leading to termination — but only because a separate FDIC role required a new check. Background checks should be conducted before hire, periodically during employment, and especially when an employee is about to be granted access to new sensitive systems. For federal contractors, the FDIC discovery sequence is a useful reference: agencies cross-checking shared background-check pools could have prevented this years earlier.
- Add LLM-prompt activity to your insider-threat detection signal mix. While direct API-level monitoring of consumer LLMs is rarely feasible, network-level signals — DNS queries to LLM provider domains from privileged-user endpoints, combined with timing correlation to suspicious system activity — are. Detection rules should consider prompts to LLMs from corporate accounts mentioning specific log file paths, audit subsystems, or anti-forensic terminology. Brief HR and legal that LLM prompts are increasingly forensic evidence; the Akhter case is the empirical proof.
The CyberSignal Analysis
Signal 01 — The termination playbook is the single highest-impact insider-threat control
The Akhter case has a single root cause that organizations can fix today: privileged access was not revoked synchronously with the termination conversation. Every other control failure — the write-protection commands, the database deletions, the laptop wiping, the AI-assisted log clearing — happened in the window between "you're fired" and "your access is gone." Closing that window is a procedural change, not a technology purchase. Most enterprises today do not have a synchronous-revocation termination playbook for privileged users; the Akhter case is the specific empirical example that should make this a Q3 priority for every CISO and HRO. The cost of getting it wrong, when measured in 96 deleted databases, federal investigation, and credibility loss, dwarfs the cost of building the process.
Signal 02 — AI-assisted anti-forensics is now in the federal evidentiary record
Muneeb Akhter's LLM queries about clearing SQL Server logs and Windows event logs are now part of a federal indictment. That has two implications. First, it confirms what threat researchers have been documenting in case studies — generative AI is being used by attackers and insiders for tactical questions about evidence destruction and anti-forensics. Second, it confirms that LLM queries can become forensic evidence in their own right when investigators reconstruct a defendant's activity. The latter point is operationally meaningful for investigators (and for defense counsel): a defendant's chat history, even with a third-party LLM, is potentially discoverable. For SOC and IR teams, the lesson is that LLM-related telemetry — DNS queries to AI provider endpoints, timing correlation between LLM use and sensitive system actions — has new evidentiary value. Build the collection capability before the next case.
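The timing correlation described in the defender action on LLM-prompt activity and in Signal 02, as an added example (not taken from the court record or from The CyberSignal): it joins DNS lookups for AI-provider domains to privileged-account audit events on the same host within a ten-minute window, in either direction. The domains, hostnames, users, log formats and action names are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumptions: placeholder domain watchlist and a normalised audit schema (not from the article).
LLM_DOMAINS = {"llm-provider.example", "ai-vendor.example"}
SENSITIVE = {"db_drop", "db_set_read_only", "log_cleared"}  # log_cleared: e.g. Windows Event ID 1102
WINDOW = timedelta(minutes=10)

# Constructed sample data: "<UTC timestamp> <host> <queried name>"
DNS_LOG = """\
2025-06-03T15:02:11Z ws-dba-07 chat.ai-vendor.example
2025-06-03T15:40:00Z ws-dev-21 api.llm-provider.example
2025-06-03T15:03:30Z ws-dba-07 updates.os-vendor.example
2025-06-03T09:00:00Z ws-dba-07 chat.ai-vendor.example
"""
# Constructed sample data: "<UTC timestamp> <user> <host> <action> <target>"
AUDIT_LOG = """\
2025-06-03T15:01:05Z dba_alice ws-dba-07 db_drop cases_prod
2025-06-03T15:06:40Z dba_alice ws-dba-07 log_cleared Security
2025-06-03T15:41:00Z dev_bob ws-dev-21 db_select cases_test
2025-06-03T12:00:00Z dba_alice ws-dba-07 db_set_read_only archive
"""
PRIVILEGED_USERS = {"dba_alice"}

def is_llm(name):
    # Match the watchlisted domain itself or any subdomain, never a mere suffix string.
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in LLM_DOMAINS)

def parse(log, fields):
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than crash the pipeline
        row = dict(zip(fields, parts))
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows

def correlate(dns_log=DNS_LOG, audit_log=AUDIT_LOG):
    """Return (user, action, target, seconds from action to LLM lookup) findings."""
    lookups = [r for r in parse(dns_log, ("time", "host", "name")) if is_llm(r["name"])]
    findings = []
    for ev in parse(audit_log, ("time", "user", "host", "action", "target")):
        if ev["user"] not in PRIVILEGED_USERS or ev["action"] not in SENSITIVE:
            continue
        for q in lookups:
            delta = q["time"] - ev["time"]  # positive: lookup came after the action
            if q["host"] == ev["host"] and abs(delta) <= WINDOW:
                findings.append((ev["user"], ev["action"], ev["target"], int(delta.total_seconds())))
    return sorted(findings, key=lambda f: abs(f[3]))

if __name__ == "__main__":
    for f in correlate():
        print("ALERT user=%s action=%s target=%s llm_lookup_offset=%+ds" % f)
```

A DNS lookup shows only that a provider was contacted, not what was asked, so a hit is a triage lead to pair with the audit trail rather than a finding on its own.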
Signal 03 — Federal contracting background-check policy is overdue for an update
Two convicted federal hackers worked at a contractor handling data for 45 government agencies. The discovery sequence — FDIC catches it at hiring, Opexus apparently did not — is exactly the kind of case CISA and OMB guidance updates exist to address. Expect, in the next 12 months, federal contracting requirements to include: stricter prior-cyber-conviction disclosure obligations for contractor staff with privileged access, periodic re-vetting requirements for personnel granted access to new sensitive systems, and possibly shared background-check pools across agencies that would catch the kind of cross-agency oversight gap this case revealed. None of those policy levers prevent insider threats from people without prior convictions. But they would have prevented this specific case, and that is a reasonable bar for a sector-level policy response. For private federal contractors, the operational implication is to assume those updates are coming and build screening protocols ahead of them.