Scattered Spider member pleads guilty to identity theft, wire fraud charges

A member of the Scattered Spider cybercrime group has pleaded guilty to multiple charges related to the theft of cryptocurrency and sensitive corporate documents.

Noah Michael Urban signed the plea agreement in Florida on Friday and is now facing up to 60 years in prison on several counts of wire fraud and aggravated identity theft. 

Urban, 20, was arrested last year after federal prosecutors accused him of being a key member of Scattered Spider — a notorious cybercriminal operation best known for using the SIM swap tactic to take over a victim’s phone to bypass two-factor authentication. 

Urban and four others were accused of using the tactic to steal millions of dollars’ worth of cryptocurrency and gain access to large corporations, exposing troves of sensitive company documents and more. Two other suspects have been apprehended, while the status of the final two is unknown.

Investigators seized a total of $2.89 million worth of cryptocurrency from Urban’s desktop computer during raids on his home in March 2023. 

Three of the charges he pleaded guilty to were filed by federal prosecutors in Florida and one more charge was transferred from federal courts in California. 

U.S. prosecutors said the amount of losses caused by his actions amount to between $9.5 million and $25 million. Urban is forfeiting all of the cryptocurrency seized during the raids and will pay more than $13 million in restitution to more than 30 victims.

Urban, who goes by the alias "Sosa," “Elijah,” and “King Bob” was "part of a group of loosely organized individuals who engage in account takeovers and [stole] cryptocurrency from online exchanges" from August 2022 through March 2023, according to the plea agreement.

The group used stolen IDs to break into systems and conducted “phishing attacks by sending SMS phishing messages to the mobile telephones of victim company employees, using credentials stolen through SMS phishing to access the accounts of victim company employees and the computer systems of victim companies to steal confidential information and cryptocurrency."

"Urban and his co-conspirators were able to obtain the victims' personally identifiable information and then exploit it by attempting to access different types of cryptocurrency exchanges,” prosecutors said. “They would reset the passwords of those exchanges, defeating a system of password security called two factor authentication."

Evidence trail

When the FBI accessed Urban’s desktop computer, they found in his browsing history access to the email accounts of multiple victims. Investigators traced stolen cryptocurrency to one of Urban’s digital wallets. 

When interviewed by the FBI, Urban admitted that all of the cryptocurrency found on his computer was the result of his work with Scattered Spider. Urban noted that they stole more than $2.6 million of cryptocurrency from at least 16 people.

In one instance, Urban broke into a victim's AOL email account, performed a SIM swap later confirmed by AT&T, and stole about $374,000 worth of cryptocurrency

"During a May 2023 interview with investigators, Urban estimated that he had personally made several million dollars between January 2021 and March 2023 through cryptocurrency theft and that he had been involved in the theft of several million more overall," prosecutors said. 

Cybersecurity journalist Brian Krebs previously said Urban also was heavily involved in several cyberattacks on prominent musicians, stealing and leaking troves of unreleased music. 

One of five suspects

Urban is accused of working with Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, Joel Martin Evans, Tyler Buchanan and others from August 2022 to March 2023 to hack into companies and steal cryptocurrency. 

The victims "included interactive entertainment companies, telecommunications companies, technology companies, business process outsourcing suppliers, cloud communication providers, virtual currency companies and individuals." 

The charges against Urban and the four other men were unsealed in November and a Justice Department spokesperson confirmed at the time that the five are part of Scattered Spider group — responsible for several devastating cyber incidents including the ransomware attack on MGM Casino in 2023. 

Urban and Evans were arrested in 2024 but the whereabouts of the other two Americans are unconfirmed. Buchanan, who is a U.K. national, was arrested in Palma de Mallorca in June 2024 and is facing multiple charges in the U.S. 

The FBI said that the group is an offshoot of a larger pool of online criminals who dubbed themselves "the Community," or "the Com.” Several other alleged Scattered Spider members have been arrested internationally. British officials recently warned about broader activity by Com members.

Scattered Spider initially made a name for itself with several high-profile attacks, including networks of Coinbase, Twilio, Mailchimp, LastPass, Riot Games and Reddit.

A report from cybersecurity company Group-IB said a recent phishing campaign by the group resulted in nearly 10,000 accounts from more than 136 organizations being compromised.

As native English speakers, the group’s ability to deploy adversary-in-the-middle (AiTM) techniques, social engineering and SIM-swapping tactics separated it from many other hacker gangs, according to several U.S. law enforcement agencies. 

Microsoft previously called Scattered Spider “one of the most dangerous financial criminal groups.”