Full Report
Noah Michael Urban, a key member of the Scattered Spider cybercrime collective, was sentenced to 10 years in prison on Wednesday after pleading guilty to charges of wire fraud and conspiracy in April. [...]
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
**Threat Actor Group:** Scattered Spider
**Known Aliases:** 0ktapus, Scatter Swine, Muddled Libra.
**Associated Individuals/Arrests:** Noah Michael Urban (sentenced to 10 years in prison; known online as King Bob, Gustavo Fring, Elijah, and Sosa). Other suspects were charged in November in connection with the group's financially motivated activity. A 17-year-old member linked to the MGM Resorts attack was arrested in July 2024. A 19-year-old suspect known online as "remi" was arrested in December 2024.
**Nature:** A fluid collective of threat actors focused on financially motivated cybercrime, sophisticated social engineering, and network intrusion.
## Activity Summary
Noah Michael Urban was sentenced for activity between September 2021 and April 2023 in which millions of dollars were stolen from cryptocurrency wallets using credentials obtained through SMS phishing. Urban and his co-conspirators also stole confidential data (databases, PII, intellectual property) from hacked companies and used it to facilitate further account takeovers.
**Recent Activities/Campaigns Mentioned:**
* **Large-Scale Breaches:** Targeting high-profile organizations like Twilio, Coinbase, DoorDash, Caesars, MailChimp, Riot Games, and Reddit.
* **Ransomware Affiliations (Partnerships):** Collaborated with ransomware operations including Qilin, RansomHub, and DragonForce.
* **September 2023 Escalation:** Breached MGM Resorts, using impersonation to gain access and subsequently encrypting over 100 VMware ESXi hypervisors using BlackCat ransomware.
* **Target Shift:** Recently shifted focus from retail and insurance companies toward the aviation and transportation industries.
* **Law Enforcement Actions:** Multiple arrests associated with the group, including:
* Noah Michael Urban (US, January 2024 arrest; sentenced August 2025).
* A 17-year-old linked to the MGM attack (UK arrest, July 2024).
* A 19-year-old "remi" linked to breaches against a U.S. financial institution and two telecom firms (US arrest, December 2024).
## Tactics, Techniques & Procedures
- Sophisticated social engineering attacks.
- SMS phishing attacks (smishing) to steal initial credentials.
- SIM swapping attacks to gain control of victims' phone numbers.
- Multi-factor authentication (MFA) bombing.
- Impersonating employees to breach corporate defenses (e.g., via MFA prompts).
- Utilizing credentials stolen from employees to loot sensitive data (databases, IP).
- Use of BlackCat ransomware (following initial access at MGM).
- Encrypting on-premises virtualization infrastructure (VMware ESXi hypervisors) at scale once inside the network.
- **MITRE ATT&CK mapping (inferred from the activity described; the source does not state technique IDs):** Phishing for credentials via SMS (T1566 Phishing; T1660 Phishing for mobile targets), Multi-Factor Authentication Request Generation (T1621, MFA bombing), Multi-Factor Authentication Interception (T1111, SIM swapping to receive SMS-delivered codes), Valid Accounts (T1078, use of stolen employee credentials), and Data Encrypted for Impact (T1486, BlackCat deployed against ESXi hosts).
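The MFA bombing pattern above leaves a recognisable trace in identity-provider logs: a burst of push challenges that are denied or time out, followed by an approval. The following detection logic is an added example written for this summary, not code from the original report or from any vendor; the log format (timestamp, user, event, result, source IP) and the sample lines are constructed for illustration, and the thresholds (three non-approved prompts within ten minutes) are assumptions to tune against real Okta, Entra ID or Duo exports.

```python
"""Detect MFA push-fatigue ("MFA bombing") sequences in identity-provider logs.

Added illustration for the Scattered Spider summary; not from the original
report. Log format and sample lines are constructed: one record per line,
"timestamp user event result source_ip".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. alice receives five push prompts she denies or lets
# time out, then approves one (the fatigue pattern). carol sees two failed
# prompts, below the threshold. bob approves a single prompt (normal login).
SAMPLE_LOG = """\
2023-09-10T02:01:05Z alice push_challenge denied 198.51.100.7
2023-09-10T02:01:40Z alice push_challenge timeout 198.51.100.7
2023-09-10T02:02:31Z alice push_challenge denied 198.51.100.7
2023-09-10T02:03:50Z alice push_challenge timeout 198.51.100.7
2023-09-10T02:05:12Z alice push_challenge denied 198.51.100.7
2023-09-10T02:06:02Z alice push_challenge approved 198.51.100.7
2023-09-10T02:06:05Z alice session_start success 198.51.100.7
2023-09-10T07:40:00Z carol push_challenge timeout 192.0.2.44
2023-09-10T07:41:10Z carol push_challenge denied 192.0.2.44
2023-09-10T07:42:00Z carol push_challenge approved 192.0.2.44
2023-09-10T09:15:00Z bob push_challenge approved 203.0.113.20
2023-09-10T09:15:03Z bob session_start success 203.0.113.20
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "result": result,
            "ip": ip,
        })
    return events


def find_push_fatigue(events, window=timedelta(minutes=10), min_failed=3):
    """Return one alert per approved push that was preceded, within `window`,
    by at least `min_failed` push challenges that were not approved.

    Thresholds are assumptions; tune them against your own IdP baseline.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "push_challenge":
            by_user[e["user"]].append(e)

    alerts = []
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        for i, approved in enumerate(pushes):
            if approved["result"] != "approved":
                continue
            window_start = approved["ts"] - window
            failed = [p for p in pushes[:i]
                      if p["ts"] >= window_start and p["result"] != "approved"]
            if len(failed) >= min_failed:
                alerts.append({
                    "user": user,
                    "approved_at": approved["ts"],
                    "failed_prompts": len(failed),
                    # The requesting IP belongs to the attacker, who is
                    # driving the prompts, not the victim's phone.
                    "source_ips": sorted({p["ip"] for p in failed} | {approved["ip"]}),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

The source IP on the challenge records is the one that matters for triage: it is the attacker's session requesting the prompts, so the approval that finally lands should be treated as a compromised session and the IP blocked, rather than the user simply being told to be more careful.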
## Targeting
**Sectors:** Initially targeted high-profile organizations across various sectors; recently shifted focus to:
* Aviation Industry
* Transportation Industry
* Retail companies (past focus)
* Insurance companies (past focus)
* Financial Institutions (mentioned in relation to "remi" arrest)
* Telecommunications firms (mentioned in relation to "remi" arrest)
**Geography:** Worldwide (targets high-profile organizations globally). Several members arrested in the US and UK.
**Victims:** Twilio, Coinbase, DoorDash, Caesars, MailChimp, Riot Games, Reddit, MGM Resorts, a U.S. financial institution, two telecommunications firms.
## Tools & Infrastructure
**Malware Families Used:** BlackCat (ALPHV) ransomware, deployed against MGM's ESXi hypervisors. The source also names Qilin, RansomHub and DragonForce as ransomware operations the group has partnered with, but does not attribute specific deployments of those families.
**Infrastructure:**
* Victim phone numbers taken over via SIM swapping, giving the actors receipt of SMS-delivered codes and password-reset messages.
* Email accounts hijacked with stolen credentials.
* Cryptocurrency wallets under actor control, receiving millions in stolen funds.
* No C2 domains, IP addresses or other network indicators appear in the provided text fragment for this actor.
## Implications
Scattered Spider is a highly adaptive and versatile financially motivated group capable of executing complex intrusions involving social engineering, advanced credential harvesting (SMS phishing/SIM swapping), and collaboration with ransomware affiliates. Their ability to pivot between initial access brokering and direct extortion (via ransomware deployment like BlackCat) poses a significant and multifaceted risk to large enterprises. Recent arrests indicate successful disruption of key nodes, but the group continues to operate and adapt its targeting profile.
## Mitigations
- Counter MFA fatigue (push bombing): enable number matching or drop approve-only push prompts, rate-limit challenges per user, and alert on a burst of denied or timed-out prompts followed by an approval.
- Treat SMS as a weak authentication factor: a SIM swap hands the attacker every code and reset link sent to the number. Move employees and high-value accounts to phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys), and monitor for phone number changes on accounts.
- Require out-of-band verification before help-desk actions that an impersonator would request (MFA reset, new device enrollment, password reset), and apply least privilege so a single stolen employee credential does not reach databases, intellectual property or the hypervisor layer.
- Harden virtualization (VMware ESXi): isolate the management network, require MFA on vCenter and ESXi administrative access, enable lockdown mode, and keep offline, tested backups; BlackCat was used to encrypt over 100 hypervisors at MGM after initial access was obtained by impersonation.
- Reduce the value of phished credentials: phishing-resistant MFA, conditional access on new devices and locations, and rapid session and credential revocation when a compromise is suspected.
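The reason the mitigations above push toward FIDO2/WebAuthn rather than "better SMS" is origin binding. A smishing page can relay an SMS code because the code carries no information about where the victim typed it; a WebAuthn assertion is signed over client data that the browser, not the user, fills in with the origin it is actually connected to, so an assertion produced on a lookalike domain fails at the relying party. The model below is an added example written for this summary, not code from the original report or from any vendor. The origins `sso.example.com` and the lookalike domain are assumptions, and the authenticator's signature is simulated with an HMAC over the same client data a real authenticator signs; real FIDO2 uses a public-key signature, but the origin check that defeats relay is identical.

```python
"""Relayed SMS codes succeed against an adversary-in-the-middle phishing page;
origin-bound (WebAuthn-style) assertions do not.

Added illustration; not code from the original report. The signature is an
HMAC stand-in for a FIDO2 public-key signature, and both origins are assumed.
"""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://sso.example.com"               # assumed relying party
PHISH_ORIGIN = "https://sso-example-com.login-verify.net"  # assumed lookalike


class RelyingParty:
    def __init__(self):
        self.sms_codes = {}     # user -> outstanding SMS code
        self.credentials = {}   # user -> key standing in for a registered public key
        self.pending = {}       # user -> outstanding WebAuthn challenge

    # ---- SMS one-time code: nothing binds the code to the site it was typed into
    def send_sms_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_codes[user] = code
        return code  # delivered to the phone number; a SIM swap redirects it too

    def verify_sms_code(self, user, code):
        expected = self.sms_codes.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)

    # ---- WebAuthn-style assertion: challenge and origin are inside the signed data
    def register_authenticator(self, user, key):
        self.credentials[user] = key

    def begin_assertion(self, user):
        challenge = secrets.token_bytes(32)
        self.pending[user] = challenge
        return challenge

    def verify_assertion(self, user, client_data, signature):
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False
        data = json.loads(client_data)
        if data.get("origin") != LEGIT_ORIGIN:         # the check that defeats relay
            return False
        if bytes.fromhex(data.get("challenge", "")) != challenge:
            return False
        expected = hmac.new(self.credentials[user], client_data.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def authenticator_sign(key, challenge, origin):
    """Stand-in for browser + FIDO2 authenticator. The browser supplies the origin
    it is really talking to; the user cannot override it."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True)
    return client_data, hmac.new(key, client_data.encode(), hashlib.sha256).digest()


def smishing_relay_attack(rp, user):
    """Phishing page asks the victim for the SMS code and replays it: succeeds."""
    code = rp.send_sms_code(user)   # victim's phone receives the code
    stolen = code                   # victim types it into the phishing page
    return rp.verify_sms_code(user, stolen)


def webauthn_relay_attack(rp, user, key):
    """Phishing page fetches the real challenge and relays it; the victim's browser
    signs it with the phishing origin, so the relying party rejects it."""
    challenge = rp.begin_assertion(user)
    client_data, sig = authenticator_sign(key, challenge, PHISH_ORIGIN)
    return rp.verify_assertion(user, client_data, sig)


def webauthn_legit_login(rp, user, key):
    challenge = rp.begin_assertion(user)
    client_data, sig = authenticator_sign(key, challenge, LEGIT_ORIGIN)
    return rp.verify_assertion(user, client_data, sig)


def demo():
    rp = RelyingParty()
    key = secrets.token_bytes(32)
    rp.register_authenticator("alice", key)
    return {
        "sms_relay_succeeds": smishing_relay_attack(rp, "alice"),
        "webauthn_relay_succeeds": webauthn_relay_attack(rp, "alice", key),
        "webauthn_legit_succeeds": webauthn_legit_login(rp, "alice", key),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the relay fails even though the attacker holds a genuine, unexpired challenge from the real site: the victim did everything the phishing page asked, and the login still did not succeed. That property, not user vigilance, is what "phishing-resistant" means in the mitigations above.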