Full Report
Noah Urban, one of five Scattered Spider suspects identified by U.S. authorities, pleaded guilty in Florida to charges related to the cybercrime operation.
Analysis Summary
# Threat Actor: Scattered Spider
## Attribution & Identity
**Primary Identity:** Scattered Spider (also known as "the Community" or "the Com").
**Known Aliases/Members (specific to this context):** Noah Michael Urban (aliases: "Sosa," "Elijah," and "King Bob").
**Known Associations:** Urban and his co-conspirators (Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, Joel Martin Evans, Tyler Buchanan, and others) operated as loosely organized individuals within the group. The group is linked to the 2023 MGM Casino ransomware attack.
## Activity Summary
The primary activity detailed is the theft of cryptocurrency and sensitive corporate documents through account takeovers (ATOs) between August 2022 and March 2023. Noah Urban pleaded guilty to charges related to these activities, which resulted in losses estimated between $9.5 million and $25 million. The specific cryptocurrency thefts cited involved stealing over $2.6 million from at least 16 people, including one instance in which $374,000 in crypto was stolen via a successful SIM swap. The group is also known for breaching major tech, entertainment, and communication companies and for stealing unreleased music from musicians, and Microsoft considers it "one of the most dangerous financial criminal groups."
## Tactics, Techniques & Procedures
- **SIM Swapping:** Notorious for using this tactic to take over a victim's phone/mobile number to bypass two-factor authentication (2FA).
- **Phishing/Social Engineering:** Conducted phishing attacks by sending SMS phishing (smishing) messages to victim company employees.
- **Credential Exploitation:** Used stolen credentials to access employee accounts and company computer systems.
- **Identity Theft:** Used stolen Personally Identifiable Information (PII) to break into systems and reset passwords on cryptocurrency exchanges.
- **Adversary-in-the-Middle (AiTM):** AiTM techniques were also used.
- **Stolen Identities:** Exploited stolen IDs to gain access to systems.
- **MITRE ATT&CK IDs:** T1550 (Use Alternate Authentication Material - related to 2FA bypass/SIM swap) is strongly implied.
## Targeting
- **Sectors:** Interactive entertainment companies, telecommunications companies, technology companies, business process outsourcing suppliers, cloud communication providers, and virtual currency companies.
- **Geography:** While the activities are global, the legal proceedings involving Urban occurred in federal courts in Florida and California (USA). The group's English-speaking membership aids its operations globally.
- **Victims:** Specific victims/targets mentioned in the overall context of the group include Coinbase, Twilio, Mailchimp, LastPass, Riot Games, and Reddit.
## Tools & Infrastructure
- **Malware Families Used:** Not specifically detailed, but the use of AiTM techniques suggests proprietary or off-the-shelf phishing/credential harvesting tools.
- **Infrastructure:** Digital cryptocurrency wallets associated with Noah Urban were seized, valued at $2.89 million.
## Implications
Scattered Spider is assessed as a highly dangerous, sophisticated cybercrime organization because it combines social engineering and English-language fluency with advanced TTPs such as SIM swapping and AiTM. Its focus on high-value targets, including major technology and entertainment corporations, results in significant financial and data loss. The successful prosecution of a key member like Urban signals that law enforcement has penetrated the group's operational structure.
## Mitigations
- Harden multi-factor authentication (MFA) mechanisms to ensure they are phishing-resistant (e.g., using FIDO2/hardware keys rather than SMS or basic TOTP).
- Remain vigilant against SMS-based phishing (smishing) attempts aimed at acquiring corporate or personal access credentials.
- Secure employee PII to prevent identity theft used for account takeovers.
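To make the SIM-swap account-takeover pattern from the TTP section and the SMS-to-FIDO2 migration step above concrete, the following added example (written for this page, not code from the report or any vendor) runs a detection over constructed identity-provider events: it flags an SMS one-time-code success from a never-before-seen device that is followed within a short window by a sensitive action, and lists accounts whose only enrolled factor is SMS. The event schema, field names, the sample users and the window length are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample identity-provider events (assumed schema, not from the report).
# "bob" shows the SIM-swap ATO shape: an SMS one-time code is accepted from a device
# the account has never used, and a password reset follows minutes later.
EVENTS = [
    {"ts": "2023-01-10T09:00:00", "user": "alice", "event": "mfa_success", "factor": "fido2", "device": "d-alice-laptop"},
    {"ts": "2023-01-10T09:05:00", "user": "alice", "event": "password_reset", "factor": None, "device": "d-alice-laptop"},
    {"ts": "2023-01-09T18:00:00", "user": "bob", "event": "mfa_success", "factor": "sms", "device": "d-bob-phone"},
    {"ts": "2023-01-10T12:25:00", "user": "bob", "event": "mfa_success", "factor": "sms", "device": "d-unknown-77"},
    {"ts": "2023-01-10T12:31:00", "user": "bob", "event": "password_reset", "factor": None, "device": "d-unknown-77"},
    {"ts": "2023-01-10T15:00:00", "user": "carol", "event": "mfa_success", "factor": "sms", "device": "d-carol-new"},
    {"ts": "2023-01-11T16:00:00", "user": "carol", "event": "password_reset", "factor": None, "device": "d-carol-new"},
]
# Actions an attacker typically takes right after taking over an account (assumed names).
SENSITIVE = {"password_reset", "recovery_contact_changed", "crypto_withdrawal"}

def sim_swap_alerts(events, window_minutes=60):
    """Return one alert per SMS-factor MFA success that came from a device not seen in
    any earlier event for that user and was followed by a sensitive action on the same
    device within `window_minutes`. Known devices are learned from the event history, so
    in practice seed the baseline from a longer lookback than the detection window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 strings sort by time
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        seen = set()
        for i, e in enumerate(evs):
            new_device = e["device"] not in seen
            seen.add(e["device"])
            if not (e["event"] == "mfa_success" and e["factor"] == "sms" and new_device):
                continue
            t0 = datetime.fromisoformat(e["ts"])
            for f in evs[i + 1:]:
                minutes = (datetime.fromisoformat(f["ts"]) - t0).total_seconds() / 60
                if minutes > window_minutes:
                    break
                if f["event"] in SENSITIVE and f["device"] == e["device"]:
                    alerts.append({"user": user, "action": f["event"], "device": e["device"],
                                   "minutes_after_sms_otp": int(minutes)})
                    break
    return alerts

def sms_only_accounts(enrollments):
    """Accounts whose only enrolled MFA factor is SMS: the first candidates for a FIDO2 rollout."""
    return sorted(u for u, factors in enrollments.items() if set(factors) == {"sms"})
```

On the sample data only bob is flagged; alice's reset followed a FIDO2 login and carol's reset came a day after her SMS code.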