Five alleged members of Scattered Spider cybercrime group charged for breaches, theft of $11 million

The Justice Department unsealed charges against five men accused of running prolific phishing campaigns that allowed them to steal employee credentials, gain access to sensitive data and pilfer millions of dollars.

A Justice Department spokesperson confirmed that the five are part of the notorious Scattered Spider group — responsible for several devastating cyber incidents including the ransomware attack on MGM Casino last year. 

Court documents say the five are accused of stealing $11 million worth of cryptocurrency from at least 29 victims in addition to taking troves of corporate documents out of company systems.

One U.K. national — 22-year-old Tyler Robert Buchanan — and four Americans were named in the indictments: 

Ahmed Hossam Eldin Elbadawy, 23, of College Station, Texas;Noah Michael Urban, 20, of Palm Coast, Florida;Evans Onyeaka Osiebo, 20, of Dallas, Texas; andJoel Martin Evans, 25, of Jacksonville, North Carolina 

The four Americans are charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft. Each is facing up to 25 years in federal prison.

“We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals,” said U.S. Attorney Martin Estrada. 

“As this case shows, phishing and hacking has become increasingly sophisticated and can result in enormous losses. If something about the text or email you received or website you’re viewing seems off, it probably is.”

Buchanan, who court documents say is based in Scotland, is facing the same charges as well as another wire fraud charge, which would add another 20-year sentence to the 25-year sentences he may receive. 

The Justice Department said Evans was arrested on Tuesday in North Carolina while Urban, who was arrested in Florida in January, is facing another case related to separate fraud charges. The whereabouts of the other two Americans are unknown and it is unclear if Buchanan will be extradited. 

The court filings say the five were “members of a loosely organized financially motivated cybercriminal group whose members primarily target large companies and their contracted telecommunications, information technology, and business process outsourcing suppliers.”

The FBI said in May that the group is an offshoot of a larger pool of online criminals who dubbed themselves “the Community,” or “the Com.” Several other alleged Scattered Spider members have been arrested in Spain and in the U.K.

Scattered Spider initially made a name for itself with several high-profile attacks, including networks of Coinbase, Twilio, Mailchimp, LastPass, Riot Games and Reddit.

A report from cybersecurity company Group-IB said a recent phishing campaign by the group resulted in nearly 10,000 accounts from more than 136 organizations being compromised.

Dozens of victims are named in the court filings, including several interactive entertainment companies, telecommunications firms, technology companies and suppliers, cloud communications providers, virtual currency companies and individuals. 

“In some instances, defendants ELBADAWY, URBAN, OSIEBO, and UICC 1, together with other co-conspirators, would gain access to the computer systems of certain interactive entertainment Victim Companies and use that access to give themselves or other co-conspirators privileges or gifts,” prosecutors alleged. 

“In other instances, defendants ELBADAWY, URBAN, OSIEBO, and UICC 1, together with other co-conspirators, would copy confidential databases from Victim Companies and attempt to sell the information to others.”

The crew operated from at least September 2021 to April 2023, using mass short message service (SMS) text messages to convince employees of a company to click on malicious links. Most of the texts were made to look like they came from the victim company or a related technology provider.  

The hackers convinced people to click on links by pretending the employee’s work account was going to be deactivated if they did not sign in immediately. 

One June 2, 2022 text message said: “WARNING!! Your [Victim Company 1] VPN is being deactivated, to keep your VPN active, please head over to [Victim Company 1]-vpn.net.”

Using phishing websites that looked like legitimate company portals, the hackers were able to steal workers’ login information. 

The hackers used their access to take confidential information, intellectual property and other personal information that allowed them to rob cryptocurrency from employee wallets. 

Prosecutors obtained internal messages of the hackers communicating with each other, often sharing stolen credentials to facilitate further intrusions into company systems. 

“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” said Akil Davis, the assistant director in charge of the FBI’s Los Angeles field office. 

“These types of fraudulent solicitations are ubiquitous and rob American victims of their hard-earned money with the click of a mouse.”

The group’s attack on MGM Casino paralyzed Las Vegas for weeks, causing millions of losses for the casino and other properties it owned. 

As native English speakers, the group’s ability to deploy adversary-in-the-middle (AiTM) techniques, social engineering and SIM-swapping tactics separates it from many other hacker gangs, according to several U.S. law enforcement agencies. 

Last October, Microsoft called Scattered Spider “one of the most dangerous financial criminal groups.” 

The group started out attacking mobile telecommunications and business process outsourcing organizations — selling access to other hackers or using their intrusions to facilitate cryptocurrency thefts. Scattered Spider began to extort the companies it attacked starting in late 2022 and early 2023, according to both Microsoft and Google. 

Microsoft investigators noted the group’s cruelty during their attacks, explaining that they often sent text messages to employees threatening to get them fired or send hitmen to their home. 

“These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access,” Microsoft said.