DOJ charges 5 alleged Scattered Spider members
The defendants, charged for conducting alleged phishing scams across the U.S., are suspected members of a prolific threat group responsible for last year's casino attacks.
Five individuals from the U.S. and U.K. were charged with stealing millions in cryptocurrency via a phishing scheme, the U.S. Department of Justice announced Wednesday.
The individuals are alleged members of Scattered Spider, a prolific cybercrime outfit that has stolen millions of dollars through threat activity against organizations across the globe. Defendants include Ahmed Hossam Eldin Elbadawy, 23, of Texas; Evans Onyeaka Osiebo, 20, of Texas; Noah Michael Urban, 20, of Florida; Joel Martin Evans, 25, of North Carolina; and Tyler Robert Buchanan, 22, of the U.K. All defendants were charged with one count of conspiracy to commit wire fraud, one count of conspiracy and one count of aggravated identity theft.
Additionally, according to the DOJ announcement, Evans was arrested Tuesday by the FBI in North Carolina, and Urban separately faces several fraud charges in a Florida criminal case.
Some of the most infamous activities attributed to Scattered Spider involved a series of attacks against gaming giants MGM Resorts and Caesars Entertainment. CISA and the FBI issued an alert warning of Scattered Spider last November.
Court documents unsealed Wednesday alleged that from at least September 2021 to April 2023, the defendants conducted phishing attacks by sending SMS text messages to victim company employees claiming to be an IT or business services supplier.
Once credentials were stolen, the defendants allegedly gained unauthorized access to company employee accounts, stole personally identifiable information and "used stolen information obtained from victim company intrusions, leaked data sets, and other sources, to gain unauthorized access to numerous individuals' cryptocurrency accounts and wallets and steal millions of dollars' worth of virtual currency."
However, court documents showed that post-exploitation activities did not solely include cryptocurrency theft.
"In some instances, [defendant and co-conspirators] would gain unauthorized access to the computer systems of Victim Companies and use that access to modify software configurations on the Victim Company system. In other instances, after gaining unauthorized access to Victim Company computer systems, [defendant and co-conspirators] would copy confidential databases from Victim Companies and attempt to sell the stolen information to others," the indictment read.
If convicted, the DOJ said, each defendant would face up to 20 years in federal prison for conspiracy to commit wire fraud, up to five years for conspiracy and a mandatory two-year consecutive sentence for aggravated identity theft.
Charles Carmakal, CTO of Google Cloud's Mandiant Consulting, praised the arrests in a statement shared with TechTarget Editorial.
"These individuals, and other actors that they have collaborated with, have caused so much pain and financial harm to organizations across North America through their disruptive intrusions," he said. "This is a nice win for law enforcement that, over time, has significantly hampered the group's fast-paced tempo this year. We hope this sends a message to the other actors they collaborate with that they aren't immune to consequences."
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.