
US Accuses Five in ‘Scattered Spider’ Hacking Spree


(Bloomberg) -- Five alleged members of the notorious Scattered Spider gang were accused by US prosecutors of a hacking spree that targeted dozens of companies and individuals, resulting in the theft of sensitive data and at least $11 million in cryptocurrency, according to a complaint and indictment unsealed Wednesday. 

The defendants relied on a variety of fraudulent techniques, including text phishing and SIM swapping, to obtain legitimate credentials from employees so they could gain unauthorized access to their accounts and company networks between late 2021 and the spring of 2023, according to federal prosecutors in California. They used that access to steal confidential data and to identify and gain access to individuals’ virtual currency accounts and wallets, the US said. 

Scattered Spider, a loosely organized group, has become notorious not only because of its use of social engineering techniques to trick IT workers to gain access to company networks, but also because some of its members are based in the US and UK. Cybercrime is often attributed to gangs based in Russia, North Korea, Nigeria or other distant locales.

Noah Urban, 20, of Florida; Joel Evans, 25, of North Carolina; two Texas residents, Ahmed Elbadawy, 23, and Evans Osiebo, 20; and Tyler Buchanan, 22, of Scotland, were charged for their roles in the cyberattacks, which include hacks of at least 29 individuals, according to Martin Estrada, US Attorney for the Central District of California. The defendants are members of the hacking group known as Scattered Spider, which is sometimes referred to as Oktapus or Octo Tempest, he said.

“This case highlights how a relatively small group of individuals in a relatively small amount of time — about a year and a half — can cause massive damage to companies, steal incredibly important information, intellectual property and cause those companies tremendous damage,” Estrada said in an interview with Bloomberg News. “The damage they caused was massive.”

Court filings don’t identify the names of the hacking victims, but one of them was Riot Games Inc., according to a person familiar with the matter. Riot Games declined to comment.

Other victims of the defendants’ alleged crimes include four US-based telecommunication companies, two US-based IT outsourcing companies and one US-based cryptocurrency company.

Roughly $4 million of the stolen cryptocurrency has been recovered, according to prosecutors. Investigators are still working out the total value of the data theft, Estrada added. 

Buchanan remained outside of the US as of Monday, according to Estrada. 

Investigators traced Buchanan through domain registration records for fake websites, which were used to trick victims, according to court records. When investigators searched Buchanan’s devices in April 2023 as part of a separate investigation, they found a customer database from a US telecommunications company and data from a cryptocurrency exchange, according to the complaint.

Law enforcement also found employee credentials for several US companies, including from an unidentified social media company, an email marketing company, a software company and a venture capital firm, as well as an Indian information technology company, according to the complaint.

Urban, known as “Sosa” within the SIM-swapping world, was arrested on charges relating to individual SIM swaps in Florida earlier this year and has since pleaded guilty. SIM swapping is when a hacker fraudulently activates a target’s phone number on a different device to intercept their calls and messages, enabling them to bypass security measures and break into their email, social media or cryptocurrency accounts.

Urban’s attorney declined to comment. Attorneys for Buchanan and the remaining three defendants couldn’t be reached for comment. 

Members of Scattered Spider have been tied to attacks on MGM Resorts International, Caesars Entertainment, Coinbase and others. UK police in July arrested a 17-year-old in the West Midlands for his alleged role in Scattered Spider. 

 

(Updates with additional information beginning in first paragraph.)

©2024 Bloomberg L.P.