{
	"id": "1ca263ca-5612-4319-9910-adc1606a951b",
	"created_at": "2026-04-06T00:15:50.365971Z",
	"updated_at": "2026-04-10T03:31:50.064723Z",
	"deleted_at": null,
	"sha1_hash": "b55d55d254786951498e3fdf4cf95a2803bc857d",
	"title": "US charges five linked to Scattered Spider cybercrime gang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3220271,
	"plain_text": "US charges five linked to Scattered Spider cybercrime gang\r\nBy Sergiu Gatlan\r\nPublished: 2024-11-20 · Archived: 2026-04-05 20:35:54 UTC\r\nThe U.S. Justice Department has charged five suspects believed to be part of the financially motivated Scattered Spider\r\ncybercrime gang with conspiracy to commit wire fraud.\r\nBetween September 2021 and April 2023, they were able to steal millions from cryptocurrency wallets using victims'\r\ncredentials stolen in SMS phishing attacks targeting dozens of targets, including both individuals and companies.\r\nScattered Spider specializes in social engineering attacks, impersonating help desk technicians, and using phishing/smishing\r\nattacks to steal credentials from targeted companies' employees. In an attack on an interactive entertainment products and\r\nsoftware company, the threat actors sent phishing messages that warned employees their VPN was being deactivated and to\r\nvisit a site to reactivate it.\r\nhttps://www.bleepingcomputer.com/news/security/us-charges-five-linked-to-scattered-spider-cybercrime-gang/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/us-charges-five-linked-to-scattered-spider-cybercrime-gang/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"WARNING!! Your [Victim Company 1] VPN is being deactivated, to keep your VPN active, please head over to [Victim\r\nCompany 1]-vpn.net,\" the phishing message said. 
Other phishing campaigns pretended to be password change notifications,\r\nprompting recipients to click a link if they did not change their password.\r\nAccording to court documents, they also used credentials stolen from hacked companies' employees to exfiltrate confidential\r\ndata, including databases, \"confidential work product, intellectual property, and personal identifying information\" from their\r\nsystems.\r\nThis information was later used to hijack their victims' email accounts in SIM swap attacks that allowed them to gain control\r\nover their phone numbers and virtual currency wallets to transfer millions to wallets under their control.\r\nThese five suspects now face charges of wire fraud, wire fraud conspiracy, and aggravated identity theft:\r\nAhmed Hossam Eldin Elbadawy, 23, a.k.a. “AD,” of College Station, Texas;\r\nNoah Michael Urban, 20, a.k.a. \"Sosa\" and \"Elijah,\" of Palm Coast, Florida;\r\nEvans Onyeaka Osiebo, 20, of Dallas, Texas;\r\nJoel Martin Evans, 25, a.k.a. \"joeleoli,\" of Jacksonville, North Carolina;\r\nTyler Robert Buchanan, 22, of the United Kingdom.\r\n\"We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary\r\ninformation worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of\r\nindividuals,\" said United States Attorney Martin Estrada in a Wednesday press release.\r\nIf convicted, each defendant faces up to 20 years in prison for conspiracy to commit wire fraud, five years for the conspiracy\r\ncharge, and a mandatory two-year consecutive sentence for aggravated identity theft. 
Buchanan also faces up to 20 years for\r\nthe wire fraud charge.\r\nWhat is Scattered Spider?\r\nSecurity vendors and organizations also track Scattered Spider as 0ktapus, Scatter Swine, Octo Tempest, Starfraud,\r\nUNC3944, and Muddled Libra.\r\nHowever, even though most think of it as a cohesive group, Scattered Spider is a loose-knit group of English-speaking threat\r\nactors, some as young as 16, with varied skill sets. They orchestrate various types of attacks and communicate using the\r\nsame Telegram channels, Discord servers, and hacker forums.\r\nSome Scattered Spider members are also believed to be part of \"the Com,\" another hacking collective linked to cyberattacks\r\nand violent incidents. This fluid organizational structure makes it challenging for law enforcement to monitor their activities\r\nand to attribute specific attacks to a particular cybercrime gang or threat actor.\r\nIn a 2023 advisory, the FBI said they're known for using various tactics to breach corporate networks, including social\r\nengineering, phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue), and SIM swapping.\r\nSince the start of 2023, Scattered Spider has also partnered with several Russian ransomware gangs, including\r\nBlackCat/AlphV, Qilin, and RansomHub.\r\nIn July, UK police also arrested a 17-year-old suspect, believed to be a Scattered Spider hacking collective member who was\r\ninvolved in the 2023 MGM Resorts ransomware attack. Other high-profile attacks linked to this cybercrime gang include\r\nthose on Caesars, DoorDash, MailChimp, Twilio, Riot Games, and Reddit.\r\nSource: https://www.bleepingcomputer.com/news/security/us-charges-five-linked-to-scattered-spider-cybercrime-gang/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/us-charges-five-linked-to-scattered-spider-cybercrime-gang/"
	],
	"report_names": [
		"us-charges-five-linked-to-scattered-spider-cybercrime-gang"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434550,
	"ts_updated_at": 1775791910,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b55d55d254786951498e3fdf4cf95a2803bc857d.pdf",
		"text": "https://archive.orkl.eu/b55d55d254786951498e3fdf4cf95a2803bc857d.txt",
		"img": "https://archive.orkl.eu/b55d55d254786951498e3fdf4cf95a2803bc857d.jpg"
	}
}