Full Report
Noah Urban’s sentence stems from a broader conspiracy involving four other defendants who conducted attacks from September 2021 to April 2023. The post "Florida man gets 10 years in prison in first Scattered Spider sentencing" appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Scattered Spider (0ktapus, UNC3944)
## Attribution & Identity
The actor is the notorious cybercrime organization **Scattered Spider**.
Known aliases and associated groups referenced include **0ktapus** and **UNC3944**.
The group is believed to have evolved from a broader community of young, English-speaking cybercriminals and is associated with the online forum **"The Com,"** where hackers share social engineering techniques. Noah Michael Urban also operated under aliases like "King Bob," "Sosa," and "Gustavo Fring."
## Activity Summary
The summary details the sentencing of core member Noah Michael Urban (10 years in prison) for involvement in schemes spanning September 2021 to April 2023. The group is responsible for breaching more than 130 major companies.
Their activities included:
1. **Conspiracy and Fraud (Sept 2021 - Apr 2023):** Broader phishing attacks against company employees, spanning the California and Florida cases.
2. **Cryptocurrency Theft (Aug 2022 - Mar 2023):** Stealing at least $800,000 in crypto from five victims using SIM swapping.
Recent activity (2025) shows the group resuming operations after a brief lull following the MGM attack, targeting airlines, insurance companies, and retailers.
## Tactics, Techniques & Procedures
- **Social Engineering:** Use of sophisticated cybercrime schemes involving phishing attacks directed at employees.
- **Credential Harvesting:** Directing targets to fraudulent websites designed to steal login credentials.
- **SIM Swapping:** Convincing telecom providers to transfer a victim’s phone number to a criminal-controlled device to bypass MFA and reset passwords for financial accounts.
- **Community Sharing:** Sharing social engineering techniques on "The Com" forum.
- *MITRE ATT&CK IDs are not explicitly mentioned in the text.*
## Targeting
- **Sectors:** Major companies (historically); airlines, insurance companies, and retailers (recently, 2025).
- **Geography:** The attacks are covered by federal cases in **Florida** and **California**. One associated defendant was arrested in **Spain**.
- **Victims:** Historically linked to high-profile breaches at **Twilio, LastPass, DoorDash, Mailchimp, Caesars Entertainment, and MGM Resorts**. Specific victims of Urban’s SIM swapping attacks included five individuals who lost cryptocurrency.
## Tools & Infrastructure
- **Malware families used:** Not specified.
- **Infrastructure (C2, domains, IPs):** Fraudulent websites were used to harvest credentials. No specific C2, IP, or domain indicators were provided.
## Implications
Scattered Spider represents a persistent, evolving threat composed primarily of young, English-speaking cybercriminals capable of sophisticated social engineering and large-scale corporate breaches. They have demonstrated adaptability by resuming operations and pivoting to new target sectors (e.g., insurance and airlines) following major incidents. Estimated losses from Urban’s activities alone ranged from $9.5 million to $25 million.
## Mitigations
- Strong defenses against **SIM swapping** attacks carried out through telecommunication providers against employee accounts.
- Robust implementation of **Multi-Factor Authentication (MFA)** that is resilient to bypasses of SMS- or voice-based factors.
- Employee training focused on identifying sophisticated **phishing and credential harvesting attempts** delivered via SMS (smishing) that lead to fake login portals.
- Monitoring for discussions and tactics shared within associated dark web/hacker forums such as "The Com."