US charges five linked to Scattered Spider cybercrime gang

The U.S. Justice Department has charged five suspects believed to be part of the financially motivated Scattered Spider cybercrime gang with conspiracy to commit wire fraud.

Between September 2021 and April 2023, they were able to steal over $11 million from cryptocurrency wallets using victims’ credentials stolen in SMS phishing attacks aimed at dozens of targets, including both individuals and companies.

According to court documents, they also used credentials stolen from hacked companies’ employees to exfiltrate confidential data, including databases, “confidential work product, intellectual property, and personal identifying information” from their systems.

This information was later used to hijack their victims’ email accounts in SIM swap attacks that allowed them to gain control over their phone numbers and virtual currency wallets to transfer millions to wallets under their control.

The five suspects—Ahmed Hossam Eldin Elbadawy aka “AD,” Noah Michael Urban aka “Sosa” and “Elijah,” Evans Onyeaka Osiebo, Joel Martin Evans aka “joeleoli,” and Tyler Robert Buchanan—now face charges of wire fraud, wire fraud conspiracy, and aggravated identity theft.

What is Scattered Spider?

Security vendors and organizations also track Scattered Spider as 0ktapus, Scatter Swine, Octo Tempest, Starfraud, UNC3944, and Muddled Libra.

However, even though most think of it as a cohesive group, Scattered Spider is a loose-knit group of English-speaking threat actors, some as young as 16, with varied skill sets. They orchestrate various types of attacks and communicate using the same Telegram channels, Discord servers, and hacker forums.

Some Scattered Spider members are also believed to be part of the “Comm,” another hacking collective that is linked to cyberattacks and violent incidents. This fluid organizational structure makes it challenging for law enforcement to monitor their activities and to attribute specific attacks to a particular cybercrime gang or threat actor.

In a 2023 advisory, the FBI said they’re known for using various tactics to breach corporate networks, including social engineering, phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue), and SIM swapping.

Since the start of 2023, Scattered Spider has also partnered with several Russian ransomware gangs, including BlackCat/AlphV, Qilin, and RansomHub.

In July, UK police also arrested a 17-year-old suspect, believed to be a Scattered Spider hacking collective member who was involved in the 2023 MGM Resorts ransomware attack. Other high-profile attacks linked to this cybercrime gang include those on Caesars, DoorDash, MailChimp, Twilio, Riot Games, and Reddit.


