Alleged Scattered Spider Member Pleads Guilty to Cybercrimes, Ordered to Repay $13.2M

• A 20-year-old who is believed to be a member of the notorious Scattered Spider threat actor pleaded guilty in court.
• The man relied on SIM-swapping techniques to target victims, of which almost 60 were identified.
• The individual operated under several aliases, including “Sosa,” “Elijah,” and “King Bob."

Noah Michael Urban, a 20-year-old linked to the infamous Scattered Spider hacking group, has pleaded guilty to multiple cybercrime charges, including wire fraud and identity theft, facing up to 60 years in prison and over $13.2 million in restitution.  

Urban admitted to using the group's notorious SIM-swapping techniques to target victims, defrauding 59 individuals and organizations of over $13.2 million between August 2022 and March 2023. 

Urban intercepted SMS-based two-factor authentication codes, granting unauthorized access to sensitive accounts, including email and cryptocurrency wallets.  

Urban's downfall can be attributed to poor operational security (OPSEC). U.S. law enforcement authorities raided his Palm Beach Airbnb residence in early 2024, finding incriminating evidence, including stolen passwords, browser histories showing access to victim email accounts, and cryptocurrency wallet credentials detailing transaction histories linked to thefts. 

Despite using VPNs to mask his activity, Urban failed to delete his browsing history, creating a timeline of his cybercrimes.

During the raid, authorities confiscated $3 million worth of cryptocurrency, $27,702 in cash, luxury watches, and jewelry, all of which will be forfeited alongside additional fines.

Along with imprisonment, Urban faces a mandatory minimum of two years for aggravated identity theft and up to 20 years per wire fraud count. His plea also includes restitution of the stolen $13.2 million to the impacted parties.  

Scattered Spider, primarily comprised of English-speaking operatives based in the U.S. and U.K., has been linked to high-profile attacks targeting MGM Resorts and Caesars Entertainment, with its members also suspected in the Okta supply chain breach. 

The group is known not only for phishing and SIM-swapping techniques but also for leveraging advanced social engineering and adversary-in-the-middle (AiTM) tactics.

The wider indictment names four other suspects – Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, Joel Martin Evans, and Tyler Robert Buchanan – in connection to cyberattacks as far back as 2021. 

While Urban and some members have been apprehended, others remain at large. Buchanan, a U.K. national, is currently facing charges in the U.S. following his arrest in Spain.