{
	"id": "c95a186f-aef4-4e66-b731-482a8d3c526a",
	"created_at": "2026-04-06T00:21:43.418262Z",
	"updated_at": "2026-04-10T03:31:50.014744Z",
	"deleted_at": null,
	"sha1_hash": "55d35f01aae30c92469ee79b15148cddda19082d",
	"title": "US arrests Scattered Spider suspect linked to telecom hacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3849223,
	"plain_text": "US arrests Scattered Spider suspect linked to telecom hacks\r\nBy Sergiu Gatlan\r\nPublished: 2024-12-05 · Archived: 2026-04-05 13:10:31 UTC\r\nU.S. authorities have arrested a 19-year-old teenager linked to the notorious Scattered Spider cybercrime gang who is now\r\ncharged with breaching a U.S. financial institution and two unnamed telecommunications firms.\r\nRemington Goy Ogletree (also known online as \"remi\") breached the three companies' networks using credentials stolen in\r\ntext and voice phishing messages targeting their employees.\r\nHe also impersonated the victims' IT support departments in calls designed to pressure the employees into accessing\r\nphishing sites where they were asked to enter their user names and passwords.\r\nhttps://www.bleepingcomputer.com/news/security/us-arrests-scattered-spider-suspect-linked-to-telecom-hacks/\r\nPage 1 of 5\n\nThe U.S. 
financial institution allegedly hacked by Ogletree told the FBI that roughly 149 of its employees were targeted in a\r\nphishing campaign (between late October 2023 and mid-November 2023) that redirected them to phishing landing pages\r\nimpersonating the company.\r\nThese phishing websites were designed to ask the targeted employees to enter credentials they used to access the financial\r\ninstitution's systems.\r\n\"A review of screenshots of the phishing messages revealed statements intended to mislead the employees into providing\r\ntheir credentials, including fraudulent messages claiming their 'employee benefits package [was] updated' and 'your\r\nemployee schedule has been modified',\" the complaint reads.\r\n\"Some of the phishing messages told employees that they had 'an inquiry from HR' or that their 'VPN profile was updated'.\"\r\nAlso, between October 2023 and May 2024, Ogletree used his access to the telecoms' systems to send over 8.6\r\nmillion phishing text messages to phone numbers across the United States designed to help steal recipients' cryptocurrency.\r\nCrypto-themed phishing messages sent by Ogletree (US DOJ)\r\nAs Trend Micro reported in October 2023, some of these attacks targeted the customers of legitimate crypto\r\nplatforms Gemini and KuCoin using the yourgeminiclaims[.]net and kucoinclaims[.]com domains.\r\nKuCoin phishing text message (Trend Micro)\r\nIn February, while searching his residence in Fort Worth, Texas, the FBI found extensive proof of Ogletree's criminal\r\nactivity on his seized iPhone, including screenshots of phishing texts impersonating a tech company, screenshots of\r\ncredential harvesting phishing pages, and screenshots of crypto wallets with tens of thousands of dollars in cryptocurrency.\r\nDuring his subsequent interview with the FBI, Ogletree said he knew \"people who commit all sorts of crimes\" and \"key\r\nScattered Spider members,\" adding that the hacking group targets business process outsourcing (BPO) 
companies because\r\n\"they have less security\" than the companies they work for.\r\nPrevious Scattered Spider arrests\r\nLast month, the U.S. Justice Department arrested and charged five other suspects linked to the cybercrime gang who\r\nallegedly stole millions in cryptocurrency using SMS phishing attacks targeting dozens of targets.\r\nThese five suspects face charges of wire fraud, wire fraud conspiracy, and aggravated identity theft, each facing at least 20\r\nyears in prison:\r\nAhmed Hossam Eldin Elbadawy, 23, a.k.a. “AD,” of College Station, Texas;\r\nNoah Michael Urban, 20, a.k.a. \"Sosa\" and \"Elijah,\" of Palm Coast, Florida;\r\nEvans Onyeaka Osiebo, 20, of Dallas, Texas;\r\nJoel Martin Evans, 25, a.k.a. \"joeleoli,\" of Jacksonville, North Carolina;\r\nTyler Robert Buchanan, 22, of the United Kingdom.\r\nUK police also arrested a 17-year-old suspect in July, believed to be part of the Scattered Spider hacking collective who was\r\ninvolved in the 2023 MGM Resorts ransomware attack.\r\nOther high-profile attacks linked to this hacking group include those on Caesars, MailChimp, Twilio, DoorDash, Riot\r\nGames, and Reddit.\r\nSince the start of 2023, Scattered Spider has also partnered with several Russian ransomware gangs, including Qilin,\r\nBlackCat/AlphV, and RansomHub.\r\nWhat is Scattered Spider?\r\nSecurity vendors also track the financially motivated Scattered Spider cybercrime gang as 0ktapus, UNC3944, Scatter\r\nSwine, Octo Tempest, and Muddled Libra.\r\nThis group of English-speaking threat actors, some as young as 16, has a fluid organizational structure and communicates\r\nvia the same Telegram channels, Discord servers, and hacker forums to coordinate and orchestrate various attacks.\r\nSome of its members are also believed to be part of \"the Com,\" another hacking collective previously linked to 
violent\r\nincidents and cyberattacks.\r\nThe groups' loose-knit organization makes it harder for law enforcement to keep track of their criminal activity and attribute\r\nspecific attacks to a specific gang member.\r\nThe FBI says they're using various tactics to breach corporate networks, including phishing, social engineering, SIM\r\nswapping, and multi-factor authentication (MFA) bombing (targeted MFA fatigue).\r\nSource: https://www.bleepingcomputer.com/news/security/us-arrests-scattered-spider-suspect-linked-to-telecom-hacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/us-arrests-scattered-spider-suspect-linked-to-telecom-hacks/"
	],
	"report_names": [
		"us-arrests-scattered-spider-suspect-linked-to-telecom-hacks"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434903,
	"ts_updated_at": 1775791910,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55d35f01aae30c92469ee79b15148cddda19082d.pdf",
		"text": "https://archive.orkl.eu/55d35f01aae30c92469ee79b15148cddda19082d.txt",
		"img": "https://archive.orkl.eu/55d35f01aae30c92469ee79b15148cddda19082d.jpg"
	}
}