
Scattered Spider scammers charged in sophisticated multi-million dollar phishing scheme


The scheme was considered one of the most “sophisticated” phishing scams of all time. But now, the five alleged cybercriminals believed to be behind the group that security researchers have dubbed “Scattered Spider” have been formally charged.

Four people from the US – Ahmed Hossam Eldin Elbadawy, Noah Michael Urban, Evans Onyeaka Osiebo and Joel Martin Evans – were charged by a federal grand jury with conspiracy to commit wire fraud, conspiracy and aggravated identity theft. Tyler Robert Buchanan of the UK was also charged, and faces an additional count of wire fraud.


The five defendants face a maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, as well as up to five years in federal prison for conspiracy and a mandatory sentence of two years for aggravated identity theft. Buchanan also faces up to 20 years in prison on the wire fraud charge.

“We allege that this group of cyber criminals perpetrated a sophisticated scheme to steal tens of millions of dollars worth of intellectual property and proprietary information and to steal personal information belonging to hundreds of thousands of people,” said US Attorney Martin Estrada, according to the Department of Justice statement. “As this case shows, phishing and hacking have become increasingly sophisticated and can lead to enormous losses,” Estrada continued.

What was the Scattered Spider scheme?

As Ars Technica reports, Microsoft researchers called Scattered Spider “one of the most dangerous financial crime groups,” and for good reason.


The alleged cybercriminals are believed to have carefully planned an elaborate and hyper-targeted phishing scam that went after employees of major companies such as MGM and Twilio. In fact, Scattered Spider’s break-in at MGM, which involved a phone call to the company’s help desk, resulted in a temporary shutdown of the company’s hotel and casino operations, costing the company $100 million.

The Scattered Spider attack plan involved sending text messages to employees of targeted companies, pretending to be from their employer’s IT department. The texts prompted employees to log in via a link provided in the message, or else, the message claimed, their employee accounts would be disabled.

Instead of an internal company page, the link led to a phishing website designed to steal user information. Once on the fake website, employees would enter their login details and two-factor authentication, assuming the application and website were legitimate.

From there, Scattered Spider would have the information needed to access the computer systems of both employees and employers. Scattered Spider allegedly stole confidential information from companies, such as intellectual property and confidential work products, and personal information from employees, such as names, email addresses, and phone numbers.

According to federal documents, the group was able to use this information to steal millions of dollars from victims’ cryptocurrency wallets.

Scattered Spider’s scam ran from September 2021 to April 2023.

“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to siphon millions into their cryptocurrency accounts,” Akil Davis, deputy director in charge of the FBI’s Los Angeles office, said in the DOJ statement. “These types of fraudulent solicitations are ubiquitous and rob American victims of their hard-earned money with the click of a mouse.”