A 20-year-old Florida resident has pleaded guilty to federal charges related to his involvement with the Scattered Spider hacking group, including conspiracy to commit wire fraud, wire fraud, and aggravated identity theft in both Florida and California cases. The case represents one of the latest major prosecutions in an ongoing battle against SIM swapping attacks, which caused over $48 million in losses during 2023 alone.
Noah Urban, who operated online under the aliases “King Bob,” “Sosa,” and “Elijah,” admitted to stealing at least $800,000 in cryptocurrency from five victims between August 2022 and March 2023 through SIM swapping attacks. The technique involves fraudulently transferring victims’ phone numbers to attacker-controlled devices to reset cryptocurrency account passwords and drain funds. The attack method has become increasingly sophisticated, leading to several high-profile cases including a recent $33 million settlement involving T-Mobile.
Court documents reveal the total financial impact of Urban’s activities exceeded $13 million across 59 victims. As part of his plea agreement, Urban has committed to paying full restitution to all victims, including those not directly connected to the charges he pleaded guilty to. The agreement also includes the forfeiture of assets tied to his criminal activities, including cryptocurrency holdings, jewelry, and watches.
Scattered Spider, also known as UNC3944, 0ktapus, Scatter Swine, and Muddled Libra, operates across the United States, Western countries, and Eastern Europe. The group’s methodology includes phishing text messages, IT staff impersonation, and credential theft to access systems and deploy ransomware. Between September 2021 and April 2023, the group conducted phishing campaigns targeting employee login credentials and corporate data. Notable targets included MGM Resorts and Twilio, highlighting the growing threat to corporate security infrastructure.
Urban’s activities extended to the music industry, where his SIM swapping attacks resulted in the unauthorized release of unreleased music from artists including Playboi Carti, Ariana Grande, and Lil Uzi Vert. The case underscores the importance of enhanced mobile security measures, including the implementation of FIDO authentication standards and robust encryption as recommended by the U.S. Cybersecurity and Infrastructure Security Agency.
Sentencing is expected within approximately 75 days, pending a pre-sentencing report to determine the federal sentencing range. The conviction includes a mandatory two-year sentence for aggravated identity theft, which must be served consecutively after any other imposed sentences.
Sources: SecurityWeek, Security Affairs, GBHackers
Follow Us