Two brothers accused of destroying 96 databases containing US government information did so in the minutes immediately following their termination from the same Washington, DC, technology firm, according to federal authorities.
Muneeb and Sohaib Akhter, both 34, had worked for a company that sold software and services to 45 federal clients. Muneeb joined in 2023; Sohaib followed a year later. According to the government, both were fired, and both allegedly responded by wiping out the databases their employer maintained for those federal clients, as Ars Technica reported.
The case is notable in part because of the brothers' history. In 2015, both pled guilty in Virginia to a scheme involving wire fraud and computers. Muneeb was sentenced to three years in prison and Sohaib to two. After their sentences, they worked their way back into the technology industry before landing at the federal contractor.
Their alleged misconduct did not begin with the database wipe. According to the government, on February 1, 2025, Muneeb asked Sohaib for the plaintext password of an individual who had submitted a complaint to the Equal Employment Opportunity Commission's Public Portal, which was maintained by their employer. Sohaib conducted a database query and provided the password to Muneeb, who then used it to access that individual's email account without authorization.
That was not a one-off incident. Muneeb had been collecting usernames and passwords from his company's own network data, amassing a stockpile of 5,400 credentials. He then built custom Python scripts to test those logins against consumer websites. One of those scripts, named "marriott_checker.py," tested the stolen credentials against Marriott hotel chains. He successfully logged in hundreds of times across multiple platforms, including DocuSign and airline accounts. When victims had airline miles stored, Muneeb allegedly booked travel for himself using those accounts.
The case illustrates a long-standing tension in corporate IT security. In the US, many employers deactivate digital credentials before notifying workers of their termination, precisely because a fired employee with active system access represents a security risk. In this instance, that window between termination and access revocation appears to have been the critical interval.
The scale of the alleged attack, 96 databases serving US government clients, places the case among the more serious insider-threat incidents in recent memory. Federal charges are pending.
