By Cam Sivesind
Fri | Nov 22, 2024 | 6:39 AM PST

The United States Department of Justice (DOJ) has unsealed charges against five individuals accused of orchestrating sophisticated phishing campaigns tied to the notorious Scattered Spider cybercrime group. The attacks have resulted in millions of dollars in theft, including cryptocurrency and sensitive corporate data, showcasing the ongoing threat of organized cybercrime.

Scattered Spider has gained infamy for its high-profile cyberattacks, including the ransomware assault on MGM Casino in 2023, which caused widespread disruption. Known for targeting employee credentials through phishing schemes, the group uses stolen access to infiltrate systems, extract sensitive data, and deploy ransomware.

According to a DOJ press release, the five individuals arrested have been charged with:

  • Phishing campaigns: Conducting phishing attacks to harvest employee credentials and bypass security controls;
  • Data theft: Illegally accessing corporate systems to steal sensitive information;
  • Cryptocurrency theft: Stealing $11 million worth of cryptocurrency from 29 victims;
  • Ransomware and extortion: Using stolen credentials to deploy ransomware and demand payments.

The following defendants are charged by a federal grand jury indictment with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft:

  • Ahmed Hossam Eldin Elbadawy, 23, a.k.a. "AD," of College Station, Texas;
  • Noah Michael Urban, 20, a.k.a. "Sosa" and "Elijah," of Palm Coast, Florida;
  • Evans Onyeaka Osiebo, 20, of Dallas, Texas; and
  • Joel Martin Evans, 25, a.k.a. "joeleoli," of Jacksonville, North Carolina. 

Evans was arrested Tuesday by the FBI in North Carolina and is expected to make his initial court appearance November 21. Urban also faces several fraud charges, to which he has pleaded not guilty, in a separate criminal case in federal court in Jacksonville, Florida.

Also unsealed was a criminal complaint charging Tyler Robert Buchanan, 22, of the United Kingdom, with conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.

This case highlights the critical role of employee awareness and robust cybersecurity measures. Scattered Spider's phishing tactics demonstrate how a single compromised credential can escalate into massive financial and reputational losses for organizations.

From the DOJ press release:

"We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals," said United States Attorney Martin Estrada. "As this case shows, phishing and hacking has become increasingly sophisticated and can result in enormous losses. If something about the text or email you received or website you're viewing seems off, it probably is."

"The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts," said Akil Davis, the Assistant Director in Charge of the FBI's Los Angeles Field Office. "These types of fraudulent solicitations are ubiquitous and rob American victims of their hard-earned money with the click of a mouse. I'm proud of our stellar cyber agents whose work led to the identification of the alleged schemers who are facing significant prison time if convicted."

More from the release:

According to court documents, from at least September 2021 to April 2023, the defendants conducted phishing attacks by sending mass short message service (SMS) text messages to mobile phones of numerous victim companies’ employees—messages that purported to be from the victim company or a contracted information technology or business services supplier of the victim company.

The phishing text messages often stated that the employees' accounts were about to be deactivated and provided links to phishing websites which were designed to look like legitimate websites of the victim companies or their contracted suppliers and lure the recipient into providing confidential information, including account login credentials. Some employees went to the phishing websites, entered their credentials, and sometimes authenticated their identities using a two-factor authentication request sent to their mobile phones.

The defendants then used the stolen credentials to gain unauthorized access to the accounts of victim companies' employees and the companies' computer systems to steal confidential information, including confidential work product, intellectual property, and personal identifying information, such as account access credentials, names, email addresses, and telephone numbers.

The group also used stolen information obtained from victim company intrusions, leaked data sets, and other sources to gain unauthorized access to numerous individuals' cryptocurrency accounts and wallets and steal millions of dollars' worth of virtual currency.

If convicted, each defendant would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years in federal prison for the conspiracy count, and a mandatory two-year consecutive prison sentence for aggravated identity theft. Buchanan would face up to 20 years in prison for the wire fraud count, as well.

As the Justice Department continues its crackdown on cybercriminal networks, this case underscores the importance of vigilance and proactive measures in the fight against sophisticated threats like Scattered Spider.
