Full Report
Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio.
Analysis Summary
# Threat Actor: Scattered Spider / Oktapus
## Attribution & Identity
The group is identified as a hacking conspiracy dubbed “**Scattered Spider**” and “**Oktapus**.” Federal prosecutors charged five individuals allegedly belonging to this group:
* **Joel Martin Evans** (Alias: “**Joeleoli**”)
* **Tyler Buchanan** (Alias: “**Tylerb**”)
* **Noah Michael Urban** (Aliases: “**Sosa**,” “**Elijah**,” “**Kingbob**”)
* **Ahmed Hossam Eldin Elbadawy**
* **Evans Onyeaka Osiebo**
The group is associated with the broader cybercrime community “**The Com**” (Urban's known affiliation).
## Activity Summary
The group specialized in cyber intrusions at major U.S. technology companies between 2021 and 2023. Their initial major victim was **Twilio** (August 2022), which they leveraged to target at least 163 of Twilio's customers. They are also reputed to have been involved in the September 2023 **MGM Resorts** ransomware attack.
## Tactics, Techniques & Procedures
* **SMS-Based Phishing (Smishing):** Tricking employees into entering credentials and one-time passcodes (OTPs) on lookalike authentication pages.
* **MFA Bypass:** Phishing websites mimicked Okta authentication pages to harvest credentials and subsequent MFA codes in real-time.
* **Real-Time Credential Harvesting:** Phishing kits contained a hidden **Telegram instant message bot** that forwarded submitted credentials immediately, allowing attackers to log in instantly.
* **Domain Squatting:** Leveraging newly registered domains that often incorporated the targeted company's name (e.g., `twilio-help[.]com`, `ouryahoo-okta[.]com`).
* **Short-Lived Infrastructure:** Phishing domains were kept online for only one or two hours to evade security flagging.
* **SIM-Swapping:** Used extensively by members like Tylerb to gain control of victim phone numbers, enabling interception of SMS-delivered OTPs and password reset links.
## Targeting
* **Sectors:** Major U.S. technology companies. Mentioned victims include **LastPass, MailChimp, Okta, T-Mobile, Twilio**, and subsequently over 163 of Twilio's customers.
* **Geography:** Attacks targeted U.S. companies, though infrastructure management showed connections to **Scotland** (Buchanan) and North Carolina/Florida (Evans, Urban).
* **Victims:** Employees of targeted tech firms, as well as individuals in the recording industry targeted by Kingbob for stealing unreleased music ("grails").
## Tools & Infrastructure
* **Malware/Kits:** Phishing kits featuring an integrated **Telegram bot** for real-time data exfiltration.
* **Infrastructure:**
  * Phishing domains registered primarily through **NameCheap**.
  * Telegram handles used for command and communication, notably “**Joeleoli**.”
  * Infrastructure linked to an IP address leased by Tyler Buchanan in **Scotland** (Virgin Media records).
## Implications
Scattered Spider demonstrates a highly effective, operationally mature approach to identity compromise, weaponizing social engineering (SMS phishing) combined with sophisticated MFA bypass techniques using real-time relaying. Their successful breach of a critical service provider like Twilio allowed them to pivot and compromise a large number of downstream customers. The group's objectives heavily focus on financial gain, specifically the theft of **cryptocurrency**.
## Mitigations
* Implement robust Anti-Phishing controls capable of rapidly detecting and taking down short-lived, lookalike domains.
* Prioritize phishing training emphasizing vigilance against SMS/text lures, especially when related to credential expiry or MFA prompts.
* Utilize phishing-resistant Multi-Factor Authentication (MFA) methods over SMS-based OTPs wherever possible.
* Monitor for real-time credential submissions indicative of MFA relaying attacks.
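The real-time relay described under Tactics, Techniques & Procedures leaves the identity provider seeing a phishable factor completed from an IP and device the user has never used, which is the signal the last mitigation asks defenders to monitor. As an added example (not from the report or any vendor), this Python sketch applies that rule to constructed sign-in events; the field names, the `sms_otp`/`fido2` factor labels and the two-prior-sign-ins baseline are assumptions.

```python
import json
from collections import defaultdict

# Factors a real-time relay kit can capture and replay; FIDO2/WebAuthn is origin-bound and is not.
PHISHABLE_FACTORS = {"sms_otp", "voice_otp", "totp"}

# Constructed sample IdP sign-in events (JSON lines), one per completed MFA sign-in. Not real logs.
SAMPLE_LOG = """\
{"ts":"2022-08-01T09:00:00Z","user":"alice","factor":"sms_otp","ip":"203.0.113.10","device":"dev-a1"}
{"ts":"2022-08-02T09:05:00Z","user":"alice","factor":"sms_otp","ip":"203.0.113.10","device":"dev-a1"}
{"ts":"2022-08-03T09:02:00Z","user":"alice","factor":"sms_otp","ip":"203.0.113.10","device":"dev-a1"}
{"ts":"2022-08-01T08:30:00Z","user":"bob","factor":"fido2","ip":"192.0.2.5","device":"dev-b2"}
{"ts":"2022-08-02T08:31:00Z","user":"bob","factor":"fido2","ip":"192.0.2.5","device":"dev-b2"}
{"ts":"2022-08-03T08:29:00Z","user":"bob","factor":"fido2","ip":"192.0.2.5","device":"dev-b2"}
{"ts":"2022-08-04T21:17:00Z","user":"alice","factor":"sms_otp","ip":"198.51.100.77","device":"dev-z9"}
{"ts":"2022-08-04T21:18:00Z","user":"bob","factor":"fido2","ip":"198.51.100.78","device":"dev-z8"}
"""

def parse_events(text):
    """Parse JSON-lines sign-in events and return them in timestamp order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])

def find_relay_candidates(events, min_history=2):
    """Flag sign-ins that completed a phishable factor from an IP *and* a device the
    user has never used before. Both being new at once is what the IdP sees when a
    relay kit, rather than the victim's own browser, submits the harvested codes."""
    known_ips = defaultdict(set)
    known_devices = defaultdict(set)
    history = defaultdict(int)  # number of trusted sign-ins seen per user
    alerts = []
    for e in events:
        user = e["user"]
        new_ip = e["ip"] not in known_ips[user]
        new_device = e["device"] not in known_devices[user]
        suspicious = (e["factor"] in PHISHABLE_FACTORS and history[user] >= min_history
                      and new_ip and new_device)
        if suspicious:
            alerts.append({"user": user, "ts": e["ts"], "ip": e["ip"], "factor": e["factor"]})
            continue  # a flagged sign-in must not seed the user's baseline
        known_ips[user].add(e["ip"])
        known_devices[user].add(e["device"])
        history[user] += 1
    return alerts

if __name__ == "__main__":
    for alert in find_relay_candidates(parse_events(SAMPLE_LOG)):
        print(alert)
```

Bob's sign-in from new infrastructure is not flagged because his factor is phishing-resistant; in production the baseline would come from weeks of history and the alert would feed an analyst queue rather than block outright.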