Five Scattered Spider suspects indicted for phishing spree and crypto heists

DoJ also shutters alleged crimeware and credit card mart PopeyeTools


The US Department of Justice has issued an indictment that names five people accused of stealing millions in cryptocurrency – and we are told they are suspected members of cyber-gang Scattered Spider.

The arachnid-inspired crew is thought to have masterminded the ransomware attack on casino operators MGM Resorts and Caesars Entertainment, and to have cracked identity services vendor Okta – then attacked many of its customers. The crew uses SMS phishing and social engineering.

The five suspects have been named as:

Urban was arrested in January on fraud charges and Evans was picked up on Tuesday in North Carolina.

Buchanan was cuffed in Spain in June, and local authorities suggested that he leads the gang. According to court documents [PDF], when the Scottish police raided Buchanan's home in 2023 they found "approximately twenty devices" – and copies of the data they contained were sent to the FBI.

The court documents state that one of Buchanan's devices was found to contain a phishing kit that was "designed specifically to transmit the captured information to a Telegram channel."

Buchanan's browser history also allegedly showed he had registered websites used in the gang's phishing campaigns and moderated a Telegram channel that the criminals are believed to have used to coordinate their activities.

According to the indictments [PDF], the quintet ran a multi-year campaign to steal cryptocurrency – initially using SMS phishing, telling victims that they needed to reset their login details and providing a link to a convincing-looking site. That attack saw some cough up their credentials, giving the gang access to corporate systems that they used to look for useful databases and personal information. Some of the info was used to find new phishing targets. And some of the harvested creds were used to access crypto wallets and steal their contents.

"We allege that this group of cyber criminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals," wrote US attorney Martin Estrada.

"As this case shows, phishing and hacking has become increasingly sophisticated and can result in enormous losses. If something about the text or email you received or website you're viewing seems off, it probably is."

In one case the gang managed to get access to a victim's cryptocurrency wallet and stole 98.5 Bitcoin – worth about $9.2 million at today's prices.

The five are each charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft. Each charge carries a maximum prison sentence of 20 years. Buchanan has picked up an extra charge of wire fraud that could mean an extra 20 years inside.

"The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts," declared Akil Davis, the assistant director in charge of the FBI's Los Angeles Field Office.

"These types of fraudulent solicitations are ubiquitous and rob American victims of their hard-earned money with the click of a mouse. I'm proud of our stellar cyber agents whose work led to the identification of the alleged schemers who are facing significant prison time if convicted."
