Noah Michael Urban, a key member of the Scattered Spider cybercrime collective, was sentenced to 10 years in prison on Wednesday after pleading guilty to charges of wire fraud and conspiracy in April.
He was arrested in January 2024, and in November, the U.S. Justice Department charged Urban (also known as King Bob, Gustavo Fring, Elijah, and Sosa), along with four other suspects linked to the same financially motivated cybercrime group. The charges included wire fraud, conspiracy to commit wire fraud, and aggravated identity theft.
According to court documents, they were able to steal millions from cryptocurrency wallets between September 2021 and April 2023, using credentials stolen in SMS phishing attacks targeting dozens of individuals and companies.
They also used credentials stolen from hacked companies’ employees to loot confidential data, including databases, personal identifying information, as well as “confidential work product, intellectual property” from their systems.
All this stolen information was later used to hijack victims’ email accounts in SIM swap attacks, allowing them to gain control of their phone numbers and cryptocurrency wallets to transfer millions to wallets under their control.
In a May 2023 interview with investigators, Urban stated that he had made “several million dollars” from cryptocurrency theft between January 2021 and March 2023, in addition to being involved in the theft of several million more, adding he still had a few million left after losing most of his earnings on gambling sites.
As News4Jax first reported, Urban received a 120-month prison sentence, despite prosecutors having only requested eight years, and will also be required to pay $13 million in restitution to the victims.
When investigative journalist Brian Krebs contacted Urban on Twitter after the sentencing, Urban responded from a county jail in Florida, stating that he believed the sentence was unjust. He argued that the judge had not considered his age as a mitigating factor because another Scattered Spider member had hacked the judge during the case.
The Scattered Spider cybercrime collective
Scattered Spider (also tracked as 0ktapus, Scatter Swine, UNC3944, and Muddled Libra, among others) is a fluid collective of threat actors known for sophisticated social engineering attacks targeting high-profile organizations worldwide and for using a wide range of tactics, including phishing, SIM swapping, and multi-factor authentication (MFA) bombing.
Their attacks escalated in September 2023, when they breached MGM Resorts and encrypted more than 100 VMware ESXi hypervisors using BlackCat ransomware after gaining access by impersonating an employee.
In some cases, Scattered Spider members have also partnered with ransomware operations, such as Qilin, RansomHub, and DragonForce.
High-profile organizations targeted by Scattered Spider in recent years include Twilio, Coinbase, DoorDash, Caesars, MailChimp, Riot Games, and Reddit.
More recently, the threat actors switched their focus from retail and insurance companies to targeting the aviation and transportation industries.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.