Authorities in Los Angeles recently laid out charges against five individuals believed to have participated in a hacking team that carried out numerous cyber breaches at prominent U.S. tech corporations from 2021 to 2023, such as LastPass, MailChimp, Okta, T-Mobile, and Twilio.
A visual representation of the attacks by the SMS phishing group known as Scattered Spider and Oktapus. Illustration: Amitai Cohen twitter.com/amitaico.
The five, aged 20 to 25, allegedly belong to a hacking group known as “Scattered Spider” and “Oktapus,” which specialized in SMS phishing operations that tricked tech company employees into entering their login credentials and one-time codes on fraudulent websites.
The fraudulent SMS messages urged employees to tap a link and sign in at a site mimicking their company’s Okta authentication page. Some of the lures told employees their VPN access was expiring and needed renewal, while others notified them of changes to their upcoming work schedule.
These attacks used freshly registered domains that commonly included the targeted company’s name, such as twilio-help[.]com and ouryahoo-okta[.]com. The phishing sites were typically live for only an hour or two at a stretch, so they were taken offline before anti-phishing and security services could spot them.
The phishing kits used in these campaigns included a hidden Telegram instant message bot that immediately forwarded any submitted details. This let the attackers use the phished username, password, and one-time code to log in to the genuine company portal as the targeted employee.
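The naming pattern described above (a protected brand combined with a lure word such as “okta” or “help”, on a domain that was registered hours earlier) is something a defender can flag automatically. The following is an added example, not code from the article or from any of the companies named in it; the brand list, lure words, 30-day window and the domain feed are constructed assumptions, and the feed is meant to stand in for a certificate-transparency or DNS first-seen stream.

```python
"""Flag newly seen lookalike domains that pair a protected brand with a lure word.
Added example with constructed data; defanged domains such as 'twilio-help[.]com' are accepted."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

PROTECTED_BRANDS = ("twilio", "yahoo", "mailchimp")          # assumed brands to protect
LURE_WORDS = ("okta", "help", "sso", "vpn", "schedule", "login")  # lure words seen in such campaigns
NEW_DOMAIN_WINDOW = timedelta(days=30)                        # assumed "newly registered" threshold

@dataclass
class Finding:
    domain: str
    brand: str
    lure: str
    age_hours: float

def registrable_label(domain: str) -> str:
    """Return the second-level label: 'twilio-help' for 'login.twilio-help[.]com'."""
    parts = domain.lower().replace("[.]", ".").rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(domain: str, first_seen: datetime, now: datetime):
    """Return a Finding when the label contains a brand plus a separate lure token
    and the domain is newly seen; otherwise None. 'twilio.com' itself is never flagged."""
    tokens = [t for t in re.split(r"[-0-9]+", registrable_label(domain)) if t]
    brand = next((b for b in PROTECTED_BRANDS if any(b in t for t in tokens)), None)
    lure = next((w for w in LURE_WORDS if w in tokens), None)
    if brand is None or lure is None:
        return None
    age = now - first_seen
    if age > NEW_DOMAIN_WINDOW:
        return None
    return Finding(domain, brand, lure, age.total_seconds() / 3600)

def scan(feed, now):
    return [f for f in (classify(d, ts, now) for d, ts in feed) if f]

def demo_scan():
    """Run the detector over a constructed first-seen feed (two lures from the article,
    the genuine brand domain, a legitimate subdomain, and an old lookalike outside the window)."""
    now = datetime(2022, 8, 8, 12, 0, tzinfo=timezone.utc)
    feed = [("twilio-help[.]com", now - timedelta(hours=1)),
            ("ouryahoo-okta[.]com", now - timedelta(hours=2)),
            ("twilio.com", now - timedelta(days=6000)),
            ("help.twilio.com", now - timedelta(days=6000)),
            ("oldtwilio-help.net", now - timedelta(days=400))]
    return scan(feed, now)

if __name__ == "__main__":
    for f in demo_scan():
        print(f"ALERT {f.domain}: brand={f.brand} lure={f.lure} first seen {f.age_hours:.1f}h ago")
```

Only the two short-lived lookalikes are reported; the genuine `twilio.com`, its `help.` subdomain and the year-old lookalike are not.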
In August 2022, several security firms gained access to the server receiving data from the Telegram bot, inadvertently exposing the Telegram ID and handle of its creator, identified as “Joeleoli.”
The Telegram username “Joeleoli” can be seen sandwiched between data submitted by people who knew it was a phish, and data phished from actual victims.
This Joeleoli handle emerged on the illicit online forum OGusers in 2018, linked to the email address joelebruh@gmail.com, which was also utilized to sign up on multiple platforms by a Joel Evans residing in North Carolina. In reality, investigators assert Joeleoli’s true identity to be Joel Martin Evans, a 25-year-old from Jacksonville, North Carolina.
Among Scattered Spider’s primary targets during its SMS deception campaign of 2022 was Twilio, a company facilitating text and call services. Following that breach, the group exploited this access to strike at least 163 of its patrons. According to law enforcement, the primary aim was cryptocurrency theft from the victim businesses and their employees.
“The suspects apparently preyed on unsuspecting individuals in this deceit operation, exploiting their personal data to illicitly access millions from their cryptocurrency holdings,” stated Akil Davis, the overseeing assistant director at the FBI’s Los Angeles office.
A substantial portion of the group’s fraudulent domains were registered through NameCheap, and FBI agents said records obtained from NameCheap indicated that the individual behind these phishing sites was operating from an IP address in Scotland. Subsequent records from Virgin Media revealed that the address was leased under the name of Tyler Buchanan, a 22-year-old from Dundee, Scotland.
A false lure sent to Twilio staff by Scattered Spider.
As initially disclosed in June, Buchanan was apprehended in Spain while trying to board a flight heading for Italy. Spanish law enforcement informed local outlets that Buchanan, under the alias “Tylerb,” had at one point owned Bitcoins valued at $27 million.
Per authorities, a substantial portion of Tylerb’s cryptocurrency fortune stemmed from successful SIM-swapping offenses, wherein criminals transfer the victim’s phone number to their own device, intercepting any SMS or calls — which often include authentication codes or password reset links.
Reports from SIM-swapping groups on Telegram, which Tylerb frequented, relay that rival SIM-swappers hired individuals to break into his residence in February 2023. These sources say the intruders physically assaulted Tylerb’s mother during the invasion and threatened him with violence if he didn’t surrender the keys to his cryptocurrency wallets. Tylerb apparently fled the UK after that incident.
Taken into custody at the airport, a still image from a video released by the Spanish national police depicting Tyler Buchanan.
Authorities allege Tylerb collaborated closely on SIM-swapping activities with Noah Michael Urban, another accused Scattered Spider associate from Palm Coast, Fla., identified as “Sosa,” “Elijah,” and “Kingbob.”
Sosa was recognized as a prominent figure in the larger online community of cybercriminals referred to as “The Com.” Members of this community often brag about high-profile breaches that typically involve social engineering tactics, such as deceiving individuals through phone calls, emails, or text messages to obtain credentials for unauthorized access to corporate networks.
Back in January 2024, KrebsOnSecurity revealed that Urban had been apprehended in Florida in relation to several SIM-swapping attacks. The article highlighted that Sosa, also known as Kingbob, had a habit of specifically targeting individuals in the music industry to pilfer and distribute “grails,” a term used to describe unreleased music tracks from popular artists.
By tracing cryptocurrency stolen from a victim company that was used to pay for a phishing domain registration, FBI investigators were able to pinpoint a fourth suspected collaborator in the scheme – Ahmed Hossam Eldin Elbadawy, a 23-year-old from College Station, Texas.
According to the unveiled indictment, Elbadawy managed multiple cryptocurrency accounts used for receiving stolen funds, alongside another individual from Texas — Evans Onyeaka Osiebo, aged 20 and hailing from Dallas.
Reports suggest that members of Scattered Spider allegedly participated in a ransomware attack in September 2023 against the MGM Resorts hotel chain, resulting in the temporary shutdown of various MGM casinos. In September 2024, KrebsOnSecurity published a report detailing the arrest of a 17-year-old from the United Kingdom by U.K. authorities as part of an FBI probe into the MGM breach.
Charges of conspiracy to commit wire fraud, conspiracy, and aggravated identity theft were all leveled against Evans, Elbadawy, Osiebo, and Urban. Buchanan, identified as a co-conspirator in the indictment, faced charges of conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.
According to a statement released by the Justice Department, each defendant could potentially be sentenced to a maximum of 20 years in federal prison for conspiracy to commit wire fraud, up to five years for the conspiracy charge, and a mandatory additional two-year prison term for aggravated identity theft. For Buchanan, the wire fraud charge could lead to a maximum sentence of 20 years in prison.
To delve deeper into this topic, consider exploring the following resources:
The redacted complaint filed against Buchanan (PDF)
Charges lodged against Urban and other defendants (PDF).
