When a trusted contractor turns against the systems they once maintained, the fallout can be catastrophic. A recent federal case out of Virginia illustrates just how quickly insider threats can escalate from termination to digital destruction. The case serves as a stark warning about the risks organizations take when they fail to revoke access immediately upon employee departure.

The Inside Story: How a Twin Brother Turned on His Employer
The events began weeks before the actual deletion. Sohaib and his twin brother, Muneeb Akhter, worked for a software supplier that provided services to at least 45 federal agencies. On February 1, 2025, the brothers allegedly collaborated to access the Equal Employment Opportunity Commission (EEOC) public portal. According to court documents, Muneeb asked Sohaib for an individual’s plaintext password, and Sohaib provided it. Muneeb then used that credential to gain unauthorized access to the account. The reason for this intrusion remains unclear in public filings.
Just over two weeks later, on February 18, 2025, both brothers were fired after the company discovered Sohaib’s prior felony conviction for hacking State Department systems. That termination triggered a chain reaction of malicious actions that would ultimately lead to the database wipe conviction and additional charges.
The 56-Minute Attack Window
Within five minutes of being dismissed via a remote meeting, the twins began plotting retaliation. Sohaib attempted to log into the company network, but his VPN had already been cut off and his Windows account deactivated. Muneeb, however, still retained access. At approximately 4:56 p.m., Muneeb issued commands that prevented other users from reading or writing to the database, then immediately issued a delete command. Over the next 56 minutes, he systematically erased roughly 96 databases containing Freedom of Information Act (FOIA) data and sensitive investigative files from multiple federal departments.
One of the deleted databases was a Department of Homeland Security (DHS) production database hosted in the Eastern District of Virginia. That single database held critical government information used for ongoing operations. The loss of such data can cripple agency workflows and compromise national security.
Covering Tracks: AI Queries and Evidence Destruction
After the deletion, Muneeb did not simply walk away. He immediately sought to hide his activity. According to the indictment, Muneeb queried an artificial intelligence tool with two specific questions: “How do I clear system logs from SQL servers after deleting databases” and “How do you clear all event and application logs from Microsoft Windows Server 2012.” These queries reveal a deliberate attempt to erase forensic evidence of the attack.
The twins then discussed next steps. Sohaib allegedly said, “They’re gonna probably raid this place,” to which Muneeb replied, “I’ll clean this up.” Sohaib added, “We also gotta clean stuff up from the other house, man.” This conversation, captured in court proceedings, shows they understood the gravity of their actions and planned to destroy additional evidence.
Stolen Data and a Cross-Country Flight
Muneeb then copied approximately 1,805 EEOC files to a USB drive using his company laptop. He also stole IRS documents stored on virtual machines, including tax information and personally identifiable information (PII) belonging to at least 450 individuals. That level of data theft exposes victims to identity theft and fraud for years.
Over the following week, Muneeb tried unsuccessfully to access a DHS-owned laptop. The brothers also enlisted an unnamed third party to help wipe their company-issued devices by reinstalling Windows. Finally, Muneeb drove to Texas, transporting his personal laptop, mobile device, and a Personal Identity Verification (PIV) card issued by a U.S. government agency. Both brothers were arrested on December 3, 2025. Muneeb has not yet been convicted, but Sohaib’s trial concluded with a guilty verdict on multiple counts.
The Firearms Twist: A Convicted Felon with an Arsenal
The database wipe conviction was not Sohaib’s only legal trouble. In March 2025, roughly a month after the database deletions, police executed a search warrant and discovered seven firearms in his possession. As a convicted felon, Sohaib was legally prohibited from owning any guns. Officers found 378 rounds of .30 caliber ammunition along with an M1 rifle, an M1A rifle, a Glenfield Model 60, a Ruger .22 automatic pistol, and a Colt Police .38 revolver.
Court documents indicate that after the search warrant was served, Sohaib attempted to sell the weapons. He allegedly threatened his domestic partner, pressuring her to sign documents because he was a convicted felon. This additional charge of being a felon in possession of firearms adds years to his potential sentence.
Prior Record: A Pattern of Betrayal
This was not Sohaib’s first offense against the federal government. In 2015, he was sentenced to two years in prison and three years of supervised release for accessing sensitive data on State Department systems as a contractor. That earlier conviction should have barred him from any future work involving government networks, yet he managed to secure a position at the software supplier—a clear failure in background checks. The pattern suggests a deep-seated willingness to exploit privileged access for personal gain or revenge.
Legal Implications of the Database Wipe Conviction
The database wipe conviction carries severe penalties. Sohaib was found guilty of computer fraud (18 U.S.C. § 1030) and password trafficking (18 U.S.C. § 1029). Each count can bring up to 10 years in prison, and the firearms charge adds another 10 years. With multiple counts, Sohaib faces a potential sentence of several decades. Sentencing is expected later this year.
This case also highlights the legal concept of “access exceeding authorization.” Under the Computer Fraud and Abuse Act (CFAA), an individual who uses authorized access for an unauthorized purpose can be prosecuted. Here, Muneeb had legitimate access to the databases, but his command to delete them clearly exceeded that authorization. The prosecution successfully argued that even though he was an employee at the time, the deletion was not part of his job duties.
What This Means for Organizations
For companies that handle sensitive government data, the Akhter case underscores the critical need for immediate offboarding procedures. The twins were fired via remote meeting, yet Muneeb retained database access for at least five minutes after termination. In many organizations, account deactivation can take hours or even days due to manual processes. Automating access revocation the moment an employee is terminated—especially for high-risk roles—can prevent similar disasters.
Additionally, the use of AI tools to ask about clearing logs is a new frontier in cybercrime. Organizations must monitor for unusual queries to AI assistants, especially when those queries involve log deletion or data destruction. Security teams should train AI monitoring systems to flag such language and alert administrators in real time.
Lessons for Cybersecurity Professionals
This database wipe conviction offers several takeaways for anyone responsible for protecting digital assets. First, implement a zero-trust model where no user is trusted by default, even after termination. Revoke all credentials, VPN access, and application permissions immediately upon separation. Second, maintain immutable backups stored offsite or in a separate cloud environment that cannot be deleted by a single user. In this case, the deletion of 96 databases might have been recoverable if backups were isolated from the primary database servers.
Third, enforce the principle of least privilege. Muneeb should not have had the ability to issue delete commands on production databases. Role-based access controls (RBAC) with strict separation of duties can limit the blast radius of a single compromised account. Fourth, log all administrative actions and monitor for anomalies, such as bulk delete commands outside normal business hours.
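The monitoring described above, together with the offboarding point made earlier, can be sketched as a correlation between an HR termination feed and database audit records. This is an added example, not code from the case or from any vendor; the log format, account names, timestamps, thresholds and business hours are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (account names, times and statements are illustrative).
TERMINATIONS = dict.fromkeys(("contractor_a", "contractor_b"), datetime(2025, 2, 18, 16, 50))
AUDIT_LOG = """\
2025-02-18T16:40:12 dba_ops BACKUP DATABASE foia_01
2025-02-18T16:55:03 contractor_a LOGIN FAILED
2025-02-18T16:56:10 contractor_b ALTER DATABASE foia_01 SET SINGLE_USER
2025-02-18T16:56:15 contractor_b DROP DATABASE foia_01
2025-02-18T16:57:40 contractor_b DROP DATABASE foia_02
2025-02-18T16:58:05 contractor_b DROP DATABASE foia_03
2025-02-19T02:10:00 dba_ops DROP DATABASE scratch_tmp
"""

def parse(log):
    """Yield (time, account, statement) from 'ISO-time account statement' lines."""
    for line in filter(str.strip, log.splitlines()):
        ts, account, stmt = line.split(" ", 2)
        yield datetime.fromisoformat(ts), account, stmt

def detect(log, terminated, window=timedelta(minutes=10), threshold=3, hours=(8, 18)):
    """Return (kind, account, time, detail) alerts in log order."""
    drops, alerts = defaultdict(list), []
    for ts, account, stmt in parse(log):
        # Anything from an account after its termination time is an alert.
        if account in terminated and ts >= terminated[account]:
            kind = "ATTEMPT" if stmt == "LOGIN FAILED" else "ACTIVITY"
            alerts.append((f"POST_TERMINATION_{kind}", account, ts.isoformat(), stmt))
        if stmt.upper().startswith("DROP DATABASE"):
            if not hours[0] <= ts.hour < hours[1]:
                alerts.append(("OFF_HOURS_DROP", account, ts.isoformat(), stmt))
            # Sliding window: keep only this account's drops inside the window.
            drops[account] = [t for t in drops[account] if ts - t <= window] + [ts]
            if len(drops[account]) == threshold:  # fire once, when the burst is reached
                alerts.append(("BULK_DROP", account, ts.isoformat(), f"{threshold} in {window}"))
    return alerts

def revocation_gap(log, terminated):
    """Seconds from termination to each account's last successful statement after it."""
    gaps = {}
    for ts, account, stmt in parse(log):
        if account in terminated and ts >= terminated[account] and stmt != "LOGIN FAILED":
            gaps[account] = int((ts - terminated[account]).total_seconds())
    return gaps

if __name__ == "__main__":
    print(*detect(AUDIT_LOG, TERMINATIONS), sep="\n")
    print("revocation gap (s):", revocation_gap(AUDIT_LOG, TERMINATIONS))
```

A non-empty result from revocation_gap is the measurable offboarding failure: it should be empty for every separation, and the post-termination alerts should page someone rather than wait for a daily report.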
How to Conduct a Post-Incident Review
If your organization suffers a similar data destruction event, follow these steps:
- Immediately isolate affected systems to prevent further damage.
- Preserve all logs, even if they appear incomplete. Forensic tools can recover deleted entries.
- Engage law enforcement and legal counsel early; data destruction involving federal data is a felony.
- Notify affected individuals if PII was compromised, as required by state and federal breach notification laws.
- Conduct a root cause analysis to determine how the attacker retained access and implement controls to prevent recurrence.
The Broader Impact on Government Contractors
The Akhter case sends a chilling message to the contractor community. Insider threats are responsible for a significant portion of data breaches, and the federal government is increasingly prosecuting these cases aggressively. According to the 2024 Verizon Data Breach Investigations Report, insider threats accounted for about 19% of all breaches. When the insider is a contractor with elevated privileges, the damage can be disproportionate.
For software vendors serving multiple agencies, a single malicious insider can compromise dozens of clients. The company in this case lost the trust of at least 45 government agencies, and its reputation may never fully recover. Organizations should conduct thorough background checks, including checking for past felony convictions, before granting access to sensitive systems. The fact that Sohaib was hired despite a 2015 hacking conviction indicates a gap in vetting processes.
What Individuals Can Do to Protect Themselves
If your PII was among the 450 individuals whose tax information was stolen, you are at risk of identity theft. Monitor your credit reports, set up fraud alerts, and consider a credit freeze. The IRS offers identity protection PINs for affected taxpayers. Additionally, be cautious of phishing attempts that may reference the data breach to trick you into revealing more information.
For employees who witness suspicious activity, most organizations have anonymous whistleblower hotlines. Reporting unusual behavior early can prevent catastrophic data loss. In this case, no one reported Muneeb’s actions until after the deletion, likely because the attack happened within minutes of termination.
A Cautionary Tale for the Digital Age
The database wipe conviction of Sohaib Akhter is more than a news story—it is a blueprint for what can go wrong when insider threats are not taken seriously. The combination of immediate termination without access revocation, a disgruntled employee with technical skills, and a twin brother willing to assist created a perfect storm. The result was the loss of 96 government databases, theft of PII of hundreds of individuals, and a felon illegally possessing an arsenal of weapons.
As organizations increasingly rely on contractors and third-party vendors, the need for rigorous access controls and rapid offboarding has never been greater. This case also demonstrates that cybercriminals are now leveraging AI to cover their tracks, making detection even harder. Security teams must adapt by using AI defensively to flag suspicious queries and behaviors.
The justice system has delivered a verdict, but the consequences for the victims—the agencies that lost data, the individuals whose tax records were stolen, and the taxpayer-funded systems that must be rebuilt—will last for years. The Akhter twins’ story should serve as a wake-up call for every organization that holds sensitive data. One vengeful employee with a few keystrokes can undo years of work in under an hour.





