US charges five alleged members of Scattered Spider gang

Law enforcement unsealed criminal charges against five alleged members of Scattered Spider, who allegedly targeted employees of companies nationwide with phishing text messages and then used the harvested employee credentials to log in and steal non-public company data and information and to hack into virtual currency accounts to steal millions of dollars in cryptocurrency.

A federal grand jury indictment charges the following defendants with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft:

• Ahmed Hossam Eldin Elbadawy, 23, a.k.a. “AD,” of College Station, Texas
• Noah Michael Urban, 20, a.k.a. “Sosa” and “Elijah,” of Palm Coast, Florida
• Evans Onyeaka Osiebo, 20, of Dallas, Texas
• Joel Martin Evans, 25, a.k.a. “joeleoli,” of Jacksonville, North Carolina

Evans was arrested Tuesday by the FBI in North Carolina. Urban faces and has pleaded not guilty to several fraud charges in a separate criminal case in federal court in Jacksonville, Florida.

“We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals,” said United States Attorney Martin Estrada.

Also unsealed was a criminal complaint charging Tyler Robert Buchanan, 22, of the United Kingdom, with conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.

According to court documents, from at least September 2021 to April 2023, the defendants conducted phishing attacks by sending mass SMS messages to mobile phones of numerous victim companies’ employees – messages that purported to be from the victim company or a contracted information technology or business services supplier of the victim company.

The phishing text messages often stated that the employees’ accounts were about to be deactivated and provided links to phishing websites that were designed to look like legitimate websites of the victim companies or their contracted suppliers and lure the recipient into giving confidential information, including account login credentials. Some employees went to the phishing websites, entered their credentials, and sometimes authenticated their identities using a 2FA request sent to their mobile phones.

The defendants then used the stolen credentials to gain unauthorized access the accounts of victim companies’ employees and the companies’ computer systems to steal confidential information, including confidential work product, intellectual property, and personal identifying information, such as account access credentials, names, email addresses, and telephone numbers.

The group also used stolen information obtained from victim company intrusions, leaked data sets, and other sources, to gain unauthorized access to numerous individuals’ cryptocurrency accounts and wallets and steal millions of dollars’ worth of virtual currency.

If convicted, each defendant would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years in federal prison for the conspiracy count, and a mandatory two-year consecutive prison sentence for aggravated identity theft. Buchanan would face up to 20 years in prison for the wire fraud count as well.