Alleged Scattered Spider SIM-swapper must pay back $13.2M to 59 victims – Source: go.theregister.com

Noah Michael Urban, 20, of alleged Scattered Spider infamy, has pleaded guilty to various charges and potentially faces decades in prison.

Urban was one of five spiders scattered across the US and UK indicted in November 2024 for their alleged roles in various cyberattacks, most of which used the group’s typical SIM-swapping MO.

The indictment was unsealed in California. However, Urban was previously indicted alone in Florida, where he resided in Palm Beach. Following his guilty plea, the charges he faced in both indictments will be sentenced jointly by a court in Florida at a date yet to be determined.

Urban pleaded guilty to two counts of wire fraud and one of aggravated identity theft in Florida, and also one count of wire fraud from the California indictment.

Each wire fraud counts carries a potential maximum prison sentence of 20 years, while the one count of aggravated identity theft will land him a minimum of two years. Altogether, Urban will additionally be fined at least $1 million – potentially more.

Urban, who is said to have gone by the handles “Sosa,” “Elijah,” “Gustavo Fring,” and “King Bob,” will have to pay back just over $13.2 million in restitution to 59 victims.

The number comprises organizations and individuals from whom Urban stole sums up to $3.5 million, either alone or with the help of other Scattered Spider members between August 2022 and March 2023.

But that’s not all. After having his residence raided, the feds seized more than $3 million worth of various cryptocurrencies (at today’s exchange rate), $27,702 in cash, jewelry, and six watches. Urban agreed to forfeit them all, on top of the other fines and forfeitures.

Following Urban’s arrest on January 9, 2024, his residence at the time – an Airbnb – was raided, and cops allege he was found downloading file-erasing tools to his computer.

Among the myriad incriminating discoveries were some of his victims’ passwords stored on his PC, as well as credentials for the various wallets from which he stole. These wallets also contained transaction histories linking Urban to numerous thefts.

There was evidence of him using VPNs, which are usually an OPSEC win, but also at the other end of the scale, feds said he wasn’t deleting his browser history, which they said showed the dates and times he logged into victims’ email accounts.

Urban was alleged to be part of Scattered Spider, a group of English-speaking cybercriminals primarily based in the US and UK known for their expertise in SIM swapping individuals as a means of gaining access to their accounts.

SIM swapping involves convincing mobile carrier support staff that a criminal is the rightful owner of a SIM card and fraudulently authorizing the carrier to swap the associated phone number to a SIM under their control. Doing this allows them to intercept account authentication codes where SMS-based 2FA is enabled. If they can gain access to a phone number and email account, then the pathway to other platforms, such as crypto exchanges, is a great deal easier.

• Man who SIM-swapped the SEC’s X account pleads guilty
• Five Scattered Spider suspects indicted for phishing spree and crypto heists
• Scattered Spider, BlackCat claw their way back from criminal underground
• UK cops arrest teen suspect in MGM Resorts cyberattack probe

The charges to which Urban pleaded guilty pertain to the period between August 2022 and March 2023, although the indictment in California, which levels charges against other suspected gang members, stated that alleged offenses date back to 2021, suggesting Urban joined Scattered Spider after it was formed.

Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, Joel Martin Evans, and Tyler Robert Buchanan – all men in their twenties – were the others named in the California indictment. They reside in various locations across the US and UK.

Neither indictment explicitly linked any of the five men to ransomware attacks, although Scattered Spider members are suspected of being behind the attacks on MGM Resorts and Caesars Entertainment, as well as the supply chain hit on Okta.

According to his guilty plea [PDF], the incidents to which Urban is linked pre-dated these attacks, which are arguably Scattered Spider’s most high-profile to date. ®