
Five members of the Scattered Spider hacker group arrested

Five men in their twenties were charged by US authorities on Wednesday, November 20. They are suspected of belonging to a sinister group of hackers with a nefarious objective, nicknamed Scattered Spider by computer security specialists. The indictment released by the Department of Justice primarily accuses them of bank fraud and identity theft.

The name Scattered Spider was notably associated with the hacking of MGM Resorts casinos in the United States, which cost the company almost $100 million. The group or some of its members are also suspected of collaborating with BlackCat, one of the largest ransomware gangs in recent years. Scattered Spider is thus believed to have played the role of affiliate, the name given to accomplices responsible for infiltrating a victim’s network to deploy malicious software that paralyzes connected computers.

The five suspects currently being prosecuted by the American justice system, Ahmed Elbadawy, Noah Urban, Evans Osiebo, Joel Evans and Tyler Buchanan, are between 20 and 25 years old. At least three of them were arrested during several waves of arrests. Buchanan, the only British citizen on the list of suspects (the other four are Americans), was arrested in Spain in June, while Noah Urban, known under the pseudonym “Sosa,” was arrested in January. A final suspect, Joel Evans, was arrested on Tuesday, November 19, by federal investigators in North Carolina. However, it is unclear whether the five people charged represent the entire group.

Phishing, SIM swapping and theft of funds

Since 2022, cybersecurity companies have closely followed the group’s activities. An analysis by the company CrowdStrike determined at the time that the hackers primarily targeted telecommunications companies and outsourcing companies. They infiltrated by sending phishing messages or posing as employees over the phone, always with the aim of obtaining credentials that would give them initial access to the network. The group then consolidated its foothold, for example by installing remote access software on company computers.

According to the indictment, Joel Evans, 25, of Jacksonville, known by the pseudonym joeleoli, is accused of having designed a tool to automate the transfer of passwords stolen through the group’s phishing campaigns. The credentials entered by the victims were then sent to a Telegram channel managed by Scattered Spider. In 2022, a report from the company Group IB estimated that around 10,000 people had their credentials stolen by the group.

Once this data is obtained, one of Scattered Spider’s main goals is to extract funds, often in cryptocurrency, from its victims. Investigators estimate that the suspects managed to steal a total of more than 11 million dollars from thirty identified people. In 2021, the suspects reportedly managed to steal more than six million dollars in cryptocurrencies from a single victim. To do this, the group used the technique of SIM swapping, which involves redirecting a victim’s phone line to receive their text messages and calls, including verification codes that are sometimes sent to reset a password. In 2022, members of the group reportedly managed to break into the infrastructure of Twilio, a company specializing in sending text messages and phone calls.

A larger community could be hiding behind this loosely defined group. Researchers suspect that Scattered Spider is an offshoot of The Com, a vast network of English-speaking hackers whose level of organization is unknown and which could have, according to recent statements by the FBI, nearly a thousand members.
