Four US citizens and one Brit have been charged in connection with a series of sophisticated corporate data breaches and SIM swap-enabled crypto theft.
The quintuplet, who are all in their early 20s, are reportedly members of the notorious hacking collective known as Scattered Spider (aka Octo Tempest, 0ktapus, UNC3944), which has been linked to major data extortion campaigns against Caesars Entertainment and MGM, often in collaboration with the notorious Black Cat/ALPHV ransomware group.
According to Microsoft, the group is known for “extensive technical depth and multiple hands-on-keyboard operators” – with attacks usually starting with sophisticated social engineering including impersonation of IT helpdesk staff.
The Justice Department (DoJ) claimed that, from at least September 2021 to April 2023, the five carried out text-based phishing (smishing) targeting employees with messages purporting to come from their company or a supplier.
Read more on Scattered Spider: FBI Lifts the Lid on Notorious Scattered Spider Group
These messages sometimes warned that victims’ VPN accounts were about to be deactivated, in order to trick them into clicking on a link. In other cases, the group sent victims fake ‘password reset’ texts. These took the victims to phishing sites designed to look like the real thing, where they were encouraged to provide confidential personal and login information – sometimes authenticating via multi-factor authentication (MFA).
The group are alleged to have used these stolen credentials to access victims’ accounts en route to confidential corporate information including PII and IP.
The same access to victim accounts apparently enabled them to perform SIM swap attacks which ultimately gave them access to victim phone numbers and crypto wallets – helping them to steal millions in virtual currency.
“We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals,” said US attorney Martin Estrada.
“As this case shows, phishing and hacking has become increasingly sophisticated and can result in enormous losses. If something about the text or email you received or website you’re viewing seems off, it probably is.”
The four US men are each charged with one count of conspiracy to commit wire fraud, one count of conspiracy and one count of aggravated identity theft. The fifth, a UK citizen, is charged with conspiracy to commit wire fraud, conspiracy, wire fraud and aggravated identity theft.
They are:
- Ahmed Hossam Eldin Elbadawy, 23 (aka “AD”) of College Station, Texas
- Noah Michael Urban, 20 (aka “Sosa” and “Elijah”) of Palm Coast, Florida
- Evans Onyeaka Osiebo, 20, of Dallas, Texas
- Joel Martin Evans, 25, (aka “joeleoli”) of Jacksonville, North Carolina
- Tyler Robert Buchanan, 22, of the UK