
Microsoft Teams becomes key witness in government database wipe crime

Microsoft Teams unexpectedly became crucial evidence after a pair of fired IT workers forgot to stop a recording.

We have talked before about how Microsoft Teams is an essential tool in many organizations and government environments for online communication and collaboration. However, its benefits may have extended beyond simple utility, as the software was recently used to capture two cybercriminals.

As reported by Ars Technica, 34-year-old twin brothers Muneeb and Sohaib Akhter were found guilty of deleting 96 government databases just a few minutes after being fired. Basically, the siblings were working for the federal IT contractor Opexus, but were fired during a Teams call with HR.

Although Sohaib's access to company infrastructure had already been terminated, Muneeb still had access. Within a few minutes, the twins, who were living together in Virginia, decided to restrict changes to production databases that they had access to, and then delete them. The Department of Homeland Security's (DHS) databases were also deleted using the DROP command in SQL. The Akhter twins then downloaded over a thousand files onto their USB, along with tax information related to hundreds of individuals. After that, the evidence shows that they asked an AI tool how to delete logs related to their crimes.

However, what's really interesting is that the evidence presented by the prosecutors also included records of a conversation between the twins. This was quite odd considering the two brothers worked from home together, so why would their conversation be recorded, unless some software was spying on them?

Turns out that the answer to this mystery isn't that sinister at all, and is actually related to the bumbling twins' own fumble with Teams. Some excellent investigative reporting from Ars Technica reveals that the Teams call in which the twins were fired was being recorded by HR. Although the HR person exited the call within 2 minutes after they fired the twins, the Akhter siblings forgot to exit the meeting and their conversation was subsequently recorded and presumably stored on the company's server.

The excerpt from this Teams recording can be seen below:

SOHAIB: “Still connected? Still on the VPN?”

SOHAIB: “Delete all their databases?”

MUNEEB: “Eh, they can recover them…backups, I’m pretty sure.”

SOHAIB: “Daily backups?”

MUNEEB: “Yup.”

SOHAIB: “What’s the plan [then]? We gonna take care of severance or are we gonna do something about…” “Should we retort to whatever they send us by saying we need $25,000 each? Hm?”

MUNEEB: “We are doing petty shit now.”

MUNEEB: “I’m going to wipe my computer clean.”

SOHAIB: “I can’t access the system but I still have the email address for their customers for eCase and FOIAXpress.”

MUNEEB and SOHAIB discuss being compensated by Company-1.

MUNEEB: “I’m not gonna threaten them shit, that’s like could be shown as some sort of . . .”

SOHAIB: “It depends on how you write it. Just say, ‘according to our previous agreement, this is the tally of the amount that I’ve been [paid], if you pay it up front, then I have no reason to communicate with customers.’”

MUNEEB: “I’m good.”

SOHAIB: “Whatcha working on man?”

MUNEEB: “Nothing important, man.”

SOHAIB: “Why won’t you tell me? I ain’t gonna snitch.”

MUNEEB: “Don’t need to. Don’t worry about it.”

MUNEEB: “People are logged out for the day, this is the perfect time.”

SOHAIB: “How do you still have access? When did you connect to their VPN?”

MUNEEB: “10 minutes before their stupid meeting.”

SOHAIB: “You might still have access to it until the end of the day. Until at least 6 hours.”

MUNEEB: “Don’t worry about it man. Don’t worry about it.”

SOHAIB: “I see you are cleaning out their database backups.”

MUNEEB: “Don’t worry about it. You don’t do nothing. Don’t try nothin’. They are looking at you, they are not looking at me.”

SOHAIB: “[G]oing to RDP into their systems and delete all their data.”

[inaudible]

SOHAIB: “The ramifications for that would be worse though.”

MUNEEB: “What are you talking about? I didn’t do nothing. They closed my access when they had that meeting.”

SOHAIB: “Alright, if you have good plausible deniability.”

SOHAIB and MUNEEB then have additional discussion about deleting backups and changing DNS information.

MUNEEB: “Eh, they can recover from yesterday. [The IT manager] will have some work to do.”

MUNEEB and SOHAIB discuss Company-1 customers, including Veteran’s Affairs OIG, Education Department OIG, DHS OIG, and customer data.

MUNEEB: “DHS was a big [customer].”

SOHAIB: “Just go into each of them and start the delete process. It will take its time. . . It will eventually delete all their files.”

MUNEEB: “Sabes, don’t say nothin’, OK, don’t worry about it.”

SOHAIB: “I ain’t sayin’ shit.”

SOHAIB: “You should have thought about it prior, man.”

MUNEEB: “What do you mean? Like had a kill script, what do you mean?”

SOHAIB: “Blackmailing them in for some money would’ve been…”

MUNEEB: “No, you do not do that. That’s proof of guilt, man.”

SOHAIB: “No but the thing was you always have your opinion, I could just communicate with their customers.”

MUNEEB: “Communicate with their customers is a different thing!”

SOHAIB: “So you’re saying these are two separate things?”

MUNEEB: “There ya go. Go say that man, go argue for that, then they’ll think you’re the one behind this shit.”

SOHAIB: “. . . They’re gonna probably raid this place.”

MUNEEB: “Eh, I’ll clean this shit up. I don’t got shit.”

SOHAIB: “We also gotta clean stuff up from the other house man.”

MUNEEB: “Get rid of that shit.”

SOHAIB: “Deleting their filesystems would be a harder fix.”

MUNEEB: “Mhhmm, especially if you clear it out.”

MUNEEB: “Everything that I did, I’m making sure it’s protected. That it’s clean.”

MUNEEB: “Don’t worry, we’ll go to Texas.”

It's all rather fascinating. It kind of goes to show how little mistakes from both sides can cause major problems. The lack of controlled access removal for one of the twins on the part of Opexus' IT admin led to production databases being deleted and data being stolen, while the twins' mistake of not stopping the Teams recording was instrumental in their capture. Let's hope that the former group manages to close gaps like these moving forward, while cybercriminals continue to make silly mistakes.
