Current Cyber Threats

Scattered Spider Hacker Gets 10 Years, $13M Restitution for SIM Swapping Crypto Theft

Summary:
A U.S. court sentenced 20-year-old Scattered Spider member Noah Michael Urban to 10 years in federal prison after his April 2025 guilty plea to wire fraud and aggravated identity theft tied to a string of high-impact hacks and cryptocurrency thefts. Urban, who used aliases including Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was arrested in Florida in January 2024 for crimes committed between August 2022 and March 2023 that involved SIM swapping to seize victims’ crypto accounts, resulting in at least $800,000 stolen from at least five victims. In addition to 120 months in prison, he received three years of supervised release and was ordered to pay $13 million in restitution, a penalty he called unjust in remarks shared with journalist Brian Krebs.

In November, the Department of Justice unsealed broader charges against Urban and four other Scattered Spider members for social-engineering intrusions against U.S. companies to gain initial access, steal data, and siphon digital assets. Co-defendant Tyler Robert Buchanan was extradited from Spain in April following his arrest there the previous June. Reporting from Bloomberg and News4JAX highlighted the case’s significance as authorities continue to pressure the group, which has aligned with ShinyHunters and LAPSUS$ under the English-speaking collective known as The Com, expanding its access to tools, data, and infrastructure.


Security Officer Comments:
Sentencing and extraditions raise operator risk as law-enforcement pressure grows, but expect either quiet retooling or noisy “we’re still here” campaigns. Consolidation with ShinyHunters and LAPSUS$ under The Com likely expands initial-access options, leak infrastructure, and cross-pollination of tradecraft. Identity remains the blast radius, as helpdesk social engineering, SIM swaps, and MFA fatigue reliably bypass strong technical controls. Scattered Spider’s playbook is people-focused and pressure-driven, using vishing, smishing, MFA fatigue prompts, timed leaks, countdown threats, and public taunts to accelerate payouts. Flashpoint notes the group often concentrates attacks in waves against a single industry to overwhelm defenses; this wave-style targeting of a single vertical creates leverage via headlines and overwhelms peers, so one victim often signals industry-wide probing. Taken together, the sentencing, indictments, and cross-border extradition underscore sustained law-enforcement scrutiny even as Scattered Spider seeks strength through alliances and continues to exploit human factors to bypass technical controls.


Suggested Corrections:
Mitigate by enforcing phishing-resistant MFA for admins and VIPs, tightening helpdesk step-up proofing, setting no-port-out carrier PINs and monitoring SIM-change signals, disabling SMS/voice MFA where feasible, requiring just-in-time admin elevation with approvals, rate-limiting and alerting on push spamming and resets, and rehearsing a 24-hour leak-clock response with legal and PR. For detection, correlate IdP events with telecom metadata, alert on post-ticket geovelocity spikes, flag risky OAuth consents, and hunt for device-trust removals followed by new sessions on unmanaged endpoints.
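
The last hunt above, sketched as an added example (not from the original article or any vendor): it flags a new session on an unmanaged endpoint that follows a helpdesk MFA reset, device-trust removal, or SIM change for the same user within a time window. The event schema, field names, and sample records are constructed assumptions; map them to your own IdP, ticketing, and carrier feeds.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (assumption, not a vendor format).
EVENTS = [
    {"ts": "2025-08-20T14:02:00", "user": "alice", "type": "helpdesk_mfa_reset"},
    {"ts": "2025-08-20T14:09:00", "user": "alice", "type": "device_trust_removed"},
    {"ts": "2025-08-20T14:15:00", "user": "alice", "type": "session_start", "managed": False},
    {"ts": "2025-08-20T09:00:00", "user": "bob", "type": "device_trust_removed"},
    {"ts": "2025-08-20T09:20:00", "user": "bob", "type": "session_start", "managed": True},
    {"ts": "2025-08-19T08:00:00", "user": "carol", "type": "sim_change"},
    {"ts": "2025-08-20T16:00:00", "user": "carol", "type": "session_start", "managed": False},
]

# Identity-weakening events that make the next unmanaged session worth a look.
TRIGGERS = {"helpdesk_mfa_reset", "device_trust_removed", "sim_change"}

def hunt(events, window=timedelta(hours=1)):
    """Return one finding per unmanaged session that follows a trigger
    for the same user within `window`."""
    recent = {}    # user -> list of (timestamp, trigger type)
    findings = []
    # Same-format ISO-8601 strings sort chronologically.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] in TRIGGERS:
            recent.setdefault(user, []).append((ts, ev["type"]))
        # A session with no "managed" field is treated as unmanaged (fail closed).
        elif ev["type"] == "session_start" and not ev.get("managed", False):
            hits = [(t, k) for t, k in recent.get(user, []) if ts - t <= window]
            if hits:
                first = min(t for t, _ in hits)
                findings.append({
                    "user": user,
                    "session_ts": ev["ts"],
                    "triggers": sorted({k for _, k in hits}),
                    "minutes_after_first_trigger": int((ts - first).total_seconds() // 60),
                })
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The window is a tuning choice: with the one-hour default only the reset-then-login chain for alice is reported, while a wider window also surfaces slower follow-ups such as a session a day after a SIM change.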


Link(s):
https://thehackernews.com/2025/08/scattered-spider-hacker-gets-10-years.html