The U.S. Department of Justice has charged five members of the cybercrime gang Scattered Spider, also known as UNC3944, 0ktapus, Starfraud, Scatter Swine, Octo Tempest, and Muddled Libra, for related cyber attacks affecting numerous individuals and organizations.
“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” stated the FBI’s Los Angeles Field Office’s Assistant Director in Charge, Akil Davis.
The suspected Scattered Spider members indicted were Ahmed Hossam Eldin Elbadawy, Noah Michael Urban, Evans Onyeaka Osiebo, Joel Martin Evans, and Tyler Robert Buchanan.
According to the DOJ, the suspects, who were then in their teens and early 20s, were members of a “loosely organized financially motivated” outfit that cooperated on and off on various projects.
Scattered Spider used mass SMS phishing to steal cryptocurrency
The suspected cybercrime gang members allegedly targeted individuals and employees of various organizations via SMS phishing (smishing) messages to harvest credentials, compromise systems, steal cryptocurrency, and exfiltrate sensitive information.
The mass SMS phishing messages purported to originate from the victim organizations, contractors, or suppliers of the targeted companies. They warned victims that their accounts would be locked and provided links that directed their targets to phishing websites mimicking legitimate organizations. The websites harvested their credentials and requested the two-factor authentication codes sent to victims’ phones.
The suspects used the login credentials to access the victims’ accounts or computer systems and steal confidential information, including intellectual property, confidential work product information, other account credentials, and personal data. They also abused the stolen credentials to access digital wallets and steal millions of dollars in cryptocurrency.
The cybercrime gang carried out these attacks between September 2021 and April 2023. In September 2023, Scattered Spider collaborated with the ALPHV/BlackCat ransomware gang to breach MGM Resorts. The cybercrime gang also breached cryptocurrency custodian firm Fortress Trust, costing the company $15 million in crypto losses.
Other targets included individual cryptocurrency users, investors, Federal Communications Commission (FCC) employees, Okta, Caesars Entertainment, Twilio, DoorDash, MailChimp, Reddit, and Riot Games.
At least 12 organizations and 29 individuals in the US were targeted, resulting in $11 million worth of damage. The victims include large organizations, contracted telecommunications and information technology (IT) firms, and business process outsourcing (BPO) companies.
In November 2023, the FBI and CISA issued a joint cybersecurity advisory detailing Scattered Spider’s tactics, techniques, and procedures (TTPs) and indicators of compromise. The TTPs listed included push bombing to leverage “MFA fatigue” and posing as IT/helpdesk staff.
Suspected cybercrime gang members face 20 years in federal prison
A federal grand jury indicted four of the suspects (Elbadawy, 23, alias “AD,” of College Station, Texas; Urban, 20, alias “Sosa” and “Elijah,” of Palm Coast, Florida; Osiebo, 20, of Dallas, Texas; and Evans, 25, alias “joeleoli,” of Jacksonville, North Carolina) on one count of conspiracy to commit wire fraud, conspiracy, and one count of aggravated identity theft.
Buchanan, 22, of the United Kingdom, also faces one count of conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.
If convicted, the conspiracy to commit wire fraud charge carries a statutory maximum sentence of 20 years in federal prison, while the conspiracy charge carries up to five years.
The aggravated identity theft conviction would also hand the suspected Scattered Spider cybercrime gang members a two-year sentence, served concurrently. If convicted, Buchanan could also serve an additional 20-year sentence in federal prison for the wire fraud charge.
Authorities slapped the cuffs on Buchanan, who owned a phishing toolkit widely sold on Telegram, in June 2024. The suspect was apprehended in Spain while trying to fly to Italy. Urban and Evans are also in police custody.
“It is always refreshing to see cybercriminals held accountable for their actions, as it happens so rarely,” noted Erich Kron, security awareness advocate at KnowBe4. “In many cases, law enforcement may even know the identities of the bad actors, but they are hidden away in countries from which we cannot extradite them, making prosecution almost impossible, even if we have charged them with a crime.”
The FBI has also disrupted the cybercrime marketplace PopeyeTools and charged its suspected admins, Javed Mirza, Abdul Sami, and Abdul Ghaffar.