Twin contractors deleted 96 federal databases in 56 minutes. One asked an AI how to clear the logs.

A federal jury in Alexandria, Virginia, convicted Sohaib Akhter on May 7 of conspiracy to commit computer fraud, password trafficking, and unlawful firearm possession. His twin brother Muneeb spent 56 minutes wiping 96 government databases the afternoon they were both fired. When Muneeb didn’t know the SQL commands to cover his tracks, he asked an AI.

The case lands at an awkward intersection. Opexus, the contractor the brothers worked for, runs case-management software for more than 45 federal agencies. The deleted systems handled EEOC complaints, FDIC inspector general files, and Freedom of Information Act response pipelines across departments. Both brothers had a 2015 federal conviction for hacking State Department systems. They were hired anyway, given DB-admin credentials, then fired in back-to-back video calls once the prior record surfaced internally. The 56-minute window between Sohaib’s termination and Muneeb’s is the entire story.

What we know

The indictment, the May 7 jury verdict, and parallel reporting from The Register and Cybernews line up on the timeline. The deletion began at 16:55 on February 18, 2025 and ran until 17:51.

• The employer. The brothers worked at Opexus, a Washington, D.C.-area contractor that runs case-management software for more than 45 federal agencies, including the EEOC’s Public Portal, FDIC OIG systems, and FOIA response platforms for a long list of departments.
• The trigger. On February 1, 2025, Muneeb asked Sohaib for the plaintext password of a person who had filed an EEOC complaint. Sohaib ran a database query, pulled the password, and handed it over. Muneeb used it to read the complainant’s email. That access trail is what got both of them fired on February 18, 2025, in back-to-back termination videoconferences.
• The 56 minutes. Sohaib’s credentials were deactivated during his firing. Muneeb’s weren’t. Between 16:55 and 17:51 the same day, Muneeb ran roughly 96 destructive database operations and wiped logs behind him. The targets included EEOC case management, the FDIC Inspector General system, and the FOIA response pipeline shared across multiple agencies.
• The AI prompt. Per Cybernews and The Register, Muneeb queried an AI tool with two prompts during the attack: “how do I clear system logs from SQL servers after deleting databases,” then “how do you clear all event and application logs from Microsoft Windows Server 2012.” The DOJ filing notes those queries were recovered as evidence.
• What followed the wipe. In the week after the deletion, Muneeb returned to the network using a stolen credential set and exfiltrated about 1,805 EEOC-related files to a USB drive. He also accessed federal taxpayer records covering at least 450 people, and ran 5,400 stolen username and password pairs against hotels, airlines, and financial services.
• The firearms count. A March 2025 search warrant turned up seven firearms and 378 rounds of ammunition in Sohaib’s home. He had a 2015 federal computer-fraud conviction on his record, which made all of that unlawful. Prosecutors said he coerced his domestic partner into helping with the gun sales.

What we don’t know yet

The DOJ filing preserved the exact prompts Muneeb typed and the timestamps for the 56-minute window, but several details remain off the record.

• Which AI tool. Neither the DOJ release nor the trial coverage names the assistant Muneeb queried. The prompts were preserved in evidence, but the vendor wasn’t called out.
• Restoration cost. No agency has published a damage estimate. EEOC, FDIC OIG, and the FOIA response systems were the named victims, but the public record is silent on how much of the 96 databases got rebuilt from backups versus reconstructed from paper.
• Muneeb’s outcome. He pleaded guilty on April 15 to computer fraud and record destruction. He faces up to 45 years across the consolidated charges. Sentencing dates are still pending.

The reaction

FDIC Inspector General Jennifer L. Fain said the deletion “demonstrated a blatant disregard for the security and integrity of federal information systems,” in a statement carried by the Information Age writeup. Assistant Attorney General A. Tysen Duva used the conviction press conference to deliver the line prosecutors clearly wanted on the record: “His conviction shows that getting fired from a job is not an invitation to retaliate.”

That framing matters because the brothers had a 2015 conviction for accessing State Department systems, attempting to install a wireless sniffer in a federal building, and trading stolen card data on darknet markets. Sohaib served 24 months on that case. Muneeb served 39. Opexus hired them anyway, then fired them once Sohaib’s record surfaced internally. The DOJ doesn’t have to argue that the firing was unjust to win this conviction. It only has to argue that the response was.

What this means for you

Insider risk is the part of the security stack that doesn’t show up in product demos. Most threat models assume that revoking access ends access, and most companies revoke access on a schedule that doesn’t survive a same-day termination. Opexus pulled Sohaib’s credentials in the termination call. Muneeb’s stayed live for an hour because the meetings ran sequentially, not in parallel. That gap is the whole story.

If you run a vendor that touches federal data, the takeaway isn’t “fire people in pairs.” It’s that read access, write access, and log-deletion privilege need to come apart from each other before you ever have to use the off switch. A junior engineer should not have rights to destroy the audit trail that records what they’re doing. And if your termination playbook has a five-minute window where one fired employee still has DB-admin rights to the agency that contracts you, that’s the window an unhappy ex-coworker will use, with or without an AI prompt to help with the cleanup.