Twin Brothers Delete 96 Government Databases – A Privileged‑Account Failure Case Study

In 2025, twin brothers with prior cyber‑crime convictions exploited a privileged‑account gap at a federal‑service contractor, erased 96 government databases within six minutes, used AI to seek log‑clearing methods, and triggered a multi‑layered forensic and legal response that highlights critical gaps in identity‑access management, backup integrity, and insider‑threat detection.

Black & White Path

This article examines a real‑world insider‑threat incident in which twin brothers, Sohayb and Munib Ahet, leveraged a privileged‑account vacuum at a contractor serving over 45 U.S. federal agencies to delete 96 government databases and exfiltrate sensitive data.

Case Overview: From Video Call to Database Wipe

Background

Sohayb and Munib Ahet, both 34, had prior convictions for telecom fraud and illegal computer intrusion (2015). After serving their sentences, they re‑entered the tech sector; Munib joined a Washington‑DC firm serving federal agencies in 2023, and Sohayb followed in 2024. The firm, identified as Opexus, provides software and managed services to agencies such as the EEOC and DHS.

Trigger Event

On 1 Feb 2025, Munib asked Sohayb to retrieve a plaintext password from the EEOC public portal database. Sohayb complied, handing the password to Munib, who then accessed the complainant’s email without authorization. The company discovered the brothers’ criminal histories and terminated them during a video meeting at 16:50 on 18 Feb 2025.

Timeline of the Attack (Six‑Minute Window)

16:50 – Video call ends; both brothers are dismissed.

16:51 – Sohayb attempts to access the corporate network; VPN and account are already disabled.

16:56 – Munib’s account, mistakenly left active, initiates a high‑privilege database delete command.

16:58 – Munib executes a command that wipes a Department of Homeland Security database.

16:59 – Munib queries an AI tool: “How to delete a database and clear system logs?”

~1 hour later – Approximately 96 databases containing U.S. government information are deleted; 1,805 EEOC files are copied to a USB drive; tax data for at least 450 individuals is stolen.

Chat Log Excerpts

Munib: “They can restore from yesterday’s backup.”
Sohayb: “Yeah, maybe.”
Sohayb: “Delete their file system too?”
Munib: “Good idea.”
Sohayb: “You should write a delete script… maybe ransom them.”
Munib: “No, that leaves evidence.”
Sohayb: “They’ll search the house.”
Munib: “I’ll clean it up.”

After the purge, the brothers reinstalled the operating system on a company laptop. A federal search of Sohayb’s residence on 12 Mar 2025 uncovered seven firearms and 370 rounds of ammunition, violating his status as a convicted felon.

Technical Analysis: AI as an Evidence‑Destruction Enabler

The case is notable for the immediate use of generative AI to obtain instructions for covering tracks. The prosecution presented the following AI queries:

“How to delete a database and clear SQL Server system logs?”

“How to erase all events and application logs on a Windows server?”

This raised a broader security‑community question: are AI tools lowering the technical barrier for destroying electronic evidence?

Using the MITRE ATT&CK framework, the attack was mapped as follows:

Initial Access (T1078 – Valid Accounts): Abuse of former employee credentials.

Credential Access (T1552 – Unsecured Credential Storage): Retrieval of plaintext passwords from the database.

Lateral Movement (T1041 – Exfiltration Over C2 Channel): Downloading files and transporting them on a USB device.

Impact – Data Destruction (T1485): Deletion of 96 government databases.

Impact – Log Clearing (T1070): Attempts to erase system logs via AI‑generated commands.

Blue‑Team Detection Rule Recommendations

# Alert Rule: Privileged Account Abnormal Deletion Activity
Condition:
- Account Type: service/admin
- Action: Execute high‑risk database delete command
- Time Window: within 4 hours after termination/role change
- Threshold: >3 high‑risk delete actions in succession

# Alert Rule: AI Tool Anomalous Queries (Log Clearing)
Condition:
- Source IP: internal network range
- Keywords: clear log, delete log, event log
- Target: system management tool (AI interface)
- Time Window: outside normal working hours

# Alert Rule: Bulk Data Exfiltration
Condition:
- Behavior: large‑scale database queries + USB device insertion
- Data Threshold: >1000 records in a single session
- User Attribute: currently in termination process
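As an added example, not part of the original article, the first alert rule above implemented in Python over constructed HR off‑boarding and database‑audit log lines: it correlates each privileged account's termination or role‑change time with subsequent high‑risk delete statements and flags accounts that exceed the threshold inside the four‑hour window. The log format, field names and the set of statements treated as high‑risk are assumptions.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)   # alert window after termination/role change
THRESHOLD = 3                 # alert when high-risk deletes in the window exceed this
HIGH_RISK = re.compile(r"^(DROP DATABASE|DROP TABLE|TRUNCATE TABLE|DELETE FROM)\b", re.I)

# Constructed sample logs (not real data): HR off-boarding feed and DB audit log.
HR_EVENTS = [
    "2025-02-18T16:50:00 user=munib event=terminated",
    "2025-02-18T16:50:00 user=sohayb event=terminated",
]
DB_AUDIT = [
    "2025-02-18T16:51:10 user=sohayb role=admin stmt=SELECT name FROM sys.databases",
    "2025-02-18T16:56:02 user=munib role=admin stmt=DROP DATABASE eeoc_portal",
    "2025-02-18T16:58:30 user=munib role=admin stmt=DROP DATABASE dhs_cases",
    "2025-02-18T17:02:11 user=munib role=admin stmt=DROP DATABASE tax_intake",
    "2025-02-18T17:05:45 user=munib role=admin stmt=DROP DATABASE eeoc_archive",
    "2025-02-18T17:20:00 user=alice role=admin stmt=DROP TABLE tmp_import",
]

HR_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+)$")          # assumed HR log format
DB_RE = re.compile(r"^(\S+) user=(\S+) role=(\S+) stmt=(.*)$")  # assumed audit format

def termination_times(hr_lines):
    """Map user -> timestamp of the termination or role-change event."""
    out = {}
    for line in hr_lines:
        m = HR_RE.match(line)
        if m and m.group(3) in ("terminated", "role_changed"):
            out[m.group(2)] = datetime.fromisoformat(m.group(1))
    return out

def privileged_deletes_after_termination(hr_lines, db_lines):
    """Return {user: count} for service/admin accounts whose high-risk deletes
    inside WINDOW after their HR event exceed THRESHOLD (these should alert)."""
    terminated = termination_times(hr_lines)
    counts = {}
    for line in db_lines:
        m = DB_RE.match(line)
        if not m:
            continue
        ts, user, role, stmt = m.groups()
        t0 = terminated.get(user)
        if role not in ("admin", "service") or t0 is None:
            continue
        t = datetime.fromisoformat(ts)
        if t0 <= t <= t0 + WINDOW and HIGH_RISK.match(stmt):
            counts[user] = counts.get(user, 0) + 1
    return {u: n for u, n in counts.items() if n > THRESHOLD}
```

In the sample data the account that was mistakenly left active issues four deletes within fifteen minutes of the termination event and is returned as `{'munib': 4}`; the admin who was not off‑boarded is ignored even though she also ran a `DROP`.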

The "Golden Six Minutes" Dilemma

From the moment of dismissal at 16:50 to the start of the deletion at 16:56, Munib had a six‑minute window of unrestricted privileged access. This illustrates three systemic problems:

Serial Dependency in Account Termination: HR off‑boarding processes span multiple systems and teams; any delay creates an attack window.

Shared vs. Privileged Account Confusion: Organizations often have shared admin accounts whose ownership changes are hard to track.

Business Continuity vs. Security Termination: Fear of disrupting operations leads to lax or bypassed account‑closure procedures.

Remediation: Real‑Time Identity & Access Management

Guided by the NIST Cybersecurity Framework, the article proposes:

Implement a "termination‑triggers‑revocation" mechanism that automatically suspends privileged accounts within five minutes of HR approval.

Adopt immutable backup strategies: write‑once, read‑many storage, multi‑party approval for backup deletion, and cross‑validation between offline and cloud backups.

Enforce dual‑person authentication for high‑risk operations such as bulk database deletions.

Industry Warning: From Meme to 21‑Year Sentence

The incident sparked discussion about the legal consequences of insider‑initiated data destruction, which in the United States can total up to 21 years of imprisonment (5 years for conspiracy to commit computer fraud, 1 year for password trafficking, and 10 years for illegal firearm possession). Chinese law similarly imposes up to five years, or more for especially severe outcomes.

For database administrators and DevOps engineers, "deleting a database" is not a harmless prank but a criminal act with lifelong repercussions.

Multi‑Layer Defense Recommendations

Identity & Access: Real‑time privileged‑account revocation linked to HR systems (high priority).

Monitoring & Detection: Alerts for abnormal database operations, especially consecutive deletes or actions outside business hours (high priority).

Data Protection: Immutable, offline backups with cross‑region verification (medium priority).

Log Integrity: Centralized log collection on a dedicated server that privileged accounts cannot delete (medium priority).

Off‑boarding Process: Security team supervision for high‑risk role terminations (general priority).

Background Checks: Periodic re‑verification for privileged positions (general priority).

Sources include U.S. Department of Justice announcements, Ars Technica, The Record, and CyberInsider.
