Fired Hacker Twins Forget to End Teams Recording, Capture Own Crimes

On May 12, 2026, a federal jury convicted Sohaib Ahmad of unauthorized computer access and extortion. His twin brother Muneeb Ahmad pleaded guilty in April 2026 but has since filed multiple handwritten letters attempting to withdraw the plea. The critical evidence? A Microsoft Teams recording they forgot to stop.

The Recording That Sealed Their Fate

After being terminated from their employer (referred to as Company-1 in court documents), the brothers continued a Teams call that had been used for the termination meeting. They never ended the recording. What followed was a 30-minute conversation in which they laid out their criminal plans in explicit detail.

Key excerpts from the transcript:

> SOHAIB: "Delete all their databases?"
> MUNEEB: "Eh, they can recover them…backups, I'm pretty sure."
> SOHAIB: "Daily backups?"
> MUNEEB: "Yup."

They discussed deleting database backups, changing DNS records, and accessing customer data. Muneeb admitted connecting to the company VPN "10 minutes before their stupid meeting" and still having access after termination.

> MUNEEB: "I'm going to wipe my computer clean."
> SOHAIB: "I can't access the system but I still have the email address for their customers for eCase and FOIAXpress."

FOIAXpress is a case management system used by government agencies. The brothers discussed contacting customers of Company-1 to demand payment, including the Department of Veterans Affairs Office of Inspector General, Education Department OIG, and Department of Homeland Security OIG.

Technical Details of the Attack

The brothers' plan involved:

  • RDP access: Sohaib said "Going to RDP into their systems and delete all their data." Remote Desktop Protocol (RDP) allows remote access to Windows machines. If not properly secured, it's a common vector for breaches.
  • Backup deletion: Muneeb confirmed he was "cleaning out their database backups." Sohaib responded, "Just go into each of them and start the delete process. It will take its time… It will eventually delete all their files."
  • DNS changes: The transcript mentions altering DNS information, which could redirect traffic or disrupt services.

The Extortion Scheme

Sohaib suggested blackmail: "Should we retort to whatever they send us by saying we need $25,000 each? Hm?" Muneeb initially resisted, saying "I'm not gonna threaten them shit, that's like could be shown as some sort of…" But Sohaib persisted: "Just say, 'according to our previous agreement, this is the tally of the amount that I've been [paid], if you pay it up front, then I have no reason to communicate with customers.'"

Muneeb eventually agreed to let Sohaib contact customers, saying "Communicate with their customers is a different thing!" They discussed covering their tracks by wiping computers and cleaning evidence from another house.

Legal Consequences

Sohaib was found guilty at trial last week. Muneeb pleaded guilty in April 2026 but has been attempting to withdraw his plea through handwritten letters to the judge. Both are currently in federal prison, not in Texas as they had planned.

Lessons for Developers

This case is a masterclass in how not to commit cybercrime. The obvious blunder: forgetting to end a Teams recording. But deeper lessons include:

  • Access revocation must be immediate and complete: Company-1 failed to terminate VPN and RDP access before the termination meeting. Muneeb connected 10 minutes prior and retained access for hours.
  • Monitor post-termination activity: The recording itself suggests IT didn't immediately disable accounts. A proper offboarding process should revoke all credentials at the moment of termination.
  • Assume all communications are recorded: Corporate devices often have monitoring software, DLP agents, and automatic recording enabled. Even personal devices on corporate networks can be logged.
  • Backup immutability: The brothers believed backups could be deleted. Immutable backups (write-once-read-many) would have thwarted their plan.

How to Protect Your Organization

  1. Implement a termination checklist: Revoke all access — VPN, email, RDP, SaaS apps — before the termination meeting.
  2. Use conditional access policies: Require MFA and device compliance for all remote access. Block personal devices.
  3. Enable backup immutability: Use object lock or similar features to prevent deletion of backups.
  4. Monitor for anomalous activity: Set alerts for after-hours access or bulk data deletion attempts.
  5. Conduct exit interviews with IT present: Have a security team member witness the return of devices and confirm account deactivation.
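An added example, not from the original article or the court record, of the checks behind items 1 and 4: list VPN sessions still open at the moment of termination, then alert on any post-termination activity and on bulk backup deletion. The log format, account names, timestamps and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the case): HR termination times and a
# merged VPN/RDP/backup audit log as (timestamp, account, action, detail).
TERMINATIONS = {"user_a": datetime(2026, 1, 5, 16, 0)}
EVENTS = [
    ("2026-01-05T15:50:00", "user_a", "vpn_connect", "session=s1"),
    ("2026-01-05T16:20:00", "user_a", "rdp_logon", "host=db01"),
    ("2026-01-05T16:25:00", "user_a", "backup_delete", "db01-mon"),
    ("2026-01-05T16:26:00", "user_a", "backup_delete", "db01-tue"),
    ("2026-01-05T16:27:00", "user_a", "backup_delete", "db01-wed"),
    ("2026-01-05T16:30:00", "user_b", "backup_delete", "db02-old"),
    ("2026-01-05T17:30:00", "user_a", "vpn_disconnect", "session=s1"),
]

def live_sessions_at(events, account, when):
    """VPN sessions the account opened before `when` and had not closed by then.
    Live sessions may outlive an account disable, so list them for teardown."""
    open_ids = set()
    for ts_raw, acct, action, detail in sorted(events):
        if acct != account or datetime.fromisoformat(ts_raw) >= when:
            continue
        if action == "vpn_connect":
            open_ids.add(detail)
        elif action == "vpn_disconnect":
            open_ids.discard(detail)
    return sorted(open_ids)

def detect(events, terminations, bulk_threshold=3, window=timedelta(minutes=10)):
    """Alert on any activity after termination and on bulk backup deletion."""
    alerts, deletes = [], {}
    for ts_raw, account, action, detail in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        term = terminations.get(account)
        if term and ts >= term:
            alerts.append(("POST_TERMINATION_ACTIVITY", account, action, ts_raw))
        if action == "backup_delete":
            # Keep only deletions inside the sliding window, then add this one.
            recent = [t for t in deletes.get(account, []) if ts - t <= window] + [ts]
            deletes[account] = recent
            if len(recent) == bulk_threshold:  # fire when the count reaches the threshold
                alerts.append(("BULK_BACKUP_DELETE", account, action, ts_raw))
    return alerts

if __name__ == "__main__":
    print("kill at termination:", live_sessions_at(EVENTS, "user_a", TERMINATIONS["user_a"]))
    for alert in detect(EVENTS, TERMINATIONS):
        print(alert)
```

The session opened at 15:50 in the sample mirrors the "10 minutes before" connection described above: it produces no alert by itself until the account acts after termination, which is why the live-session check runs as part of the termination checklist.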

The Bottom Line

Two experienced IT professionals — the brothers were skilled enough to access systems and plan data destruction — were undone by a basic human error: forgetting to hit "stop recording." Their conversation provided prosecutors with a confession that no technical evidence could match. For developers and security teams, the takeaway is clear: technical controls matter, but process failures (like delayed access revocation) create opportunities for insider threats. Review your offboarding procedures today.