Scattered Spider Indictment Reveals How Five Hackers Stole $11 Million in Crypto Through Phishing

The United States Department of Justice has unsealed indictments against five individuals connected to the Scattered Spider cybercrime group, alleging a sprawling phishing campaign that siphoned approximately $11 million in cryptocurrency from at least 29 victims between September 2021 and April 2023. The charges, announced on November 21, 2024, mark one of the most significant law enforcement actions against a group that has plagued corporate America and the digital asset ecosystem for years.

The five defendants — Ahmed Hossam Eldin Elbadawy, 23, of College Station, Texas; Noah Michael Urban, 20, of Palm Coast, Florida; Evans Onyeaka Osiebo, 20, of Dallas, Texas; Joel Martin Evans, 25, of Jacksonville, North Carolina; and British national Tyler Robert Buchanan, 22 — face charges related to conspiracy, wire fraud, and identity theft. The group operated under several aliases, including Starfraud, UNC3944, Scatter Swine, and Mudicc, reflecting the dispersed and loosely organized nature of their operations.

The Exploit Mechanics

The indictment details a methodical social engineering campaign that exploited one of cybersecurity’s most persistent vulnerabilities: human trust. The defendants allegedly sent phishing text messages — known as SMS phishing or “smishing” — to employees at targeted companies, impersonating either the employer organization itself or one of its technology suppliers.

The messages typically carried a sense of urgency, falsely claiming that the employee’s account was about to be deactivated. Victims were directed to credential-harvesting websites that closely mimicked legitimate corporate login portals. Once an employee entered their username and password, the credentials were transmitted directly to the attackers’ infrastructure.

With valid credentials in hand, the defendants accessed corporate networks and escalated their privileges, moving laterally through interconnected systems. They exfiltrated confidential data, including names, phone numbers, email addresses, and internal account credentials. This stolen information then served as a bridge to cryptocurrency accounts belonging to both employees and customers of the compromised organizations.

The technique represents a textbook example of the “credential theft to crypto theft” pipeline that has become increasingly common. By targeting corporate IT help desks and business process outsourcing firms — the very suppliers responsible for managing enterprise access — the group gained entry points that traditional perimeter security could not defend against.

Affected Systems

According to the indictment, the conspiracy targeted at least 12 organizations across the United States. The victims span telecommunications providers, information technology firms, and business process outsourcing companies — entities that serve as gatekeepers to vast repositories of personal and financial data.

The cryptocurrency thefts were not limited to a single chain or wallet type. The defendants exploited access to individual crypto wallets across multiple platforms, stealing digital assets worth roughly $11 million at the time of the offenses. The funds were quickly moved through mixing services and converted to privacy coins in an effort to obscure the trail.

The scope of the attacks extends beyond the $11 million in direct crypto losses. The MGM Resorts breach in September 2023, which cost the company $110 million, has been attributed to the same loosely affiliated group. With Bitcoin trading near $98,500 and the broader crypto market capitalization exceeding $3.4 trillion at the time of the indictment, the potential for even larger thefts from compromised institutional accounts remains a pressing concern.

The Mitigation Strategy

The arrests demonstrate a coordinated multi-agency effort involving the FBI, the US Attorney’s Office for the Central District of California, and international law enforcement partners. Buchanan was apprehended in Spain while attempting to board a flight to Italy. Urban was arrested in January 2024, and Evans was taken into custody on the same day the indictment was unsealed.

For organizations seeking to protect themselves against similar attacks, the indictment underscores several critical measures. Multi-factor authentication that goes beyond SMS-based codes is essential, as the Scattered Spider group frequently intercepted one-time passwords. Hardware security keys, authenticator applications, and biometric verification provide substantially stronger protection against credential-based intrusions.
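The reason hardware keys resist the interception the article describes is that a FIDO2/WebAuthn authenticator signs over the origin the browser is actually connected to, so a code captured on a lookalike page cannot be replayed to the real site. The Python model below is an added illustration, not code from the indictment or from any authenticator vendor: it replaces the real public-key signature with a toy HMAC over (origin, challenge), and the two origins and the user are placeholders. It shows the same relayed login succeeding with a one-time code and failing with an origin-bound key.

```python
"""Why a relayed one-time code is accepted by the real site but an origin-bound
authenticator assertion is not. Toy model: HMAC stands in for the FIDO2
signature, and the origins below are constructed placeholders."""
from __future__ import annotations

import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://sso.example.com"          # placeholder corporate login
LOOKALIKE_ORIGIN = "https://sso-example-com.net"   # placeholder lookalike page


def sign(secret: bytes, challenge: str, origin: str) -> str:
    """Toy authenticator: bind the server's challenge to the origin the browser
    is talking to (stand-in for the clientData hash a real key signs over)."""
    return hmac.new(secret, f"{origin}|{challenge}".encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    """The real login service. It only ever verifies against its own origin."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._otp: dict[str, str] = {}
        self._keys: dict[str, bytes] = {}
        self._challenge: dict[str, str] = {}

    # --- SMS / authenticator-app one-time code model ---
    def issue_otp(self, user: str) -> str:
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._otp[user] = code
        return code  # delivered out of band; anyone holding the code can use it

    def check_otp(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self._otp.pop(user, ""), code)

    # --- origin-bound authenticator model ---
    def register_key(self, user: str, secret: bytes) -> None:
        self._keys[user] = secret

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self._challenge[user] = challenge
        return challenge

    def check_assertion(self, user: str, challenge: str, signature: str) -> bool:
        if self._challenge.pop(user, None) != challenge:
            return False  # unknown or reused challenge
        expected = sign(self._keys[user], challenge, self.origin)  # always OUR origin
        return hmac.compare_digest(expected, signature)


def otp_login_relayed(rp: RelyingParty, user: str) -> bool:
    """The victim types the code into the lookalike page and it is forwarded unchanged."""
    code = rp.issue_otp(user)           # arrives on the victim's phone
    forwarded = code                    # the lookalike page passes it straight through
    return rp.check_otp(user, forwarded)  # the real site cannot tell the difference


def key_login_relayed(rp: RelyingParty, user: str, secret: bytes, browser_origin: str) -> bool:
    """Same relay, but the authenticator signs over the origin the browser sees."""
    challenge = rp.issue_challenge(user)              # real challenge, forwarded intact
    signature = sign(secret, challenge, browser_origin)
    return rp.check_assertion(user, challenge, signature)


def demo(user: str = "alice") -> dict[str, bool]:
    rp = RelyingParty(LEGIT_ORIGIN)
    secret = secrets.token_bytes(32)  # constructed per-user authenticator secret
    rp.register_key(user, secret)
    return {
        "otp_relayed": otp_login_relayed(rp, user),
        "key_at_legit_origin": key_login_relayed(rp, user, secret, LEGIT_ORIGIN),
        "key_at_lookalike": key_login_relayed(rp, user, secret, LOOKALIKE_ORIGIN),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The take-away for the control described in the paragraph above: nothing in the one-time-code path ties the code to where it was typed, whereas the key path fails closed whenever the browser's origin differs from the relying party's, which is the whole of the phishing resistance and does not depend on the user noticing the lookalike address.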

Employee training programs must specifically address smishing scenarios, emphasizing that legitimate IT departments rarely request credential verification via text message. Organizations should also implement strict access controls and zero-trust architectures that limit lateral movement even when initial credentials are compromised.

Lessons Learned

The Scattered Spider case illustrates a fundamental truth about modern cybercrime: technical sophistication is not always required when social engineering proves effective. The group relied on relatively simple phishing techniques but executed them at scale and with careful targeting of high-value supply chain partners.

The decentralized nature of the group — described in the indictment as “loosely organized” — also presents challenges for law enforcement. Members operated across jurisdictions and coordinated through encrypted messaging platforms, making attribution and arrest a complex international undertaking.

For the cryptocurrency industry specifically, the case highlights the interconnected risks between traditional corporate security and digital asset custody. When employees reuse credentials across corporate and personal accounts, a breach at one organization can cascade into cryptocurrency losses at entirely unrelated platforms.

User Action Required

Individual cryptocurrency holders should take immediate steps to secure their accounts. Enable hardware-based two-factor authentication on all exchange accounts. Use a dedicated password manager to generate and store unique credentials for every service. Never click links in unsolicited text messages or emails purporting to be from crypto platforms — always navigate directly to the official website. Monitor wallet activity regularly and consider moving long-term holdings to cold storage solutions that remain disconnected from internet-facing systems. The Scattered Spider indictment is a reminder that the human element remains the weakest link in any security chain, and personal vigilance is the first and most important line of defense.

Disclaimer: This article is for informational purposes only and does not constitute legal or financial advice. Always consult qualified professionals for guidance specific to your situation.

13 thoughts on “Scattered Spider Indictment Reveals How Five Hackers Stole $11 Million in Crypto Through Phishing”

  1. sim_swap_survivor

    the indictment says they used SIM swaps to intercept 2FA but nobody talks about how easy it still is to social engineer carrier support in 2024. the telco infrastructure is the actual vulnerability

  2. averaging 380k per victim across 29 hits means these guys had wallets mapped to specific targets. this wasn't spray and pray, it was recon-driven hunting

  3. five people, 29 victims, $11M. and these were mostly SMS phishing attacks. if you're still clicking links from random texts in 2024 that's on you tbh

    1. phish_trap

      29 victims for 11M means they averaged almost 380k per victim. these weren't random spam blasts, they were surgically targeted at high net worth crypto holders

    2. buffer_overflow

      SMS phishing is low effort high return. sim swap + phishing link and they had full wallet access. the sophistication was in the targeting not the technique

    3. SMS is low tech but the targeting was sophisticated. they researched victims on LinkedIn and tailored messages to their crypto holdings. social engineering at scale

  4. What gets me is the youngest one is 20 years old. A 20-year-old from Florida was allegedly part of a multi-million dollar cybercrime operation. Wild.

    1. 20 years old and facing federal wire fraud charges. one dumb decision and your entire life trajectory changes

      1. Chidi

        20 years old and coordinating cross-border phishing with a British national. federal wire fraud charges carry up to 20 years. the math on risk vs reward for these kids is completely broken

      2. 20 years old and already doing organized phishing for crypto. wonder how many more like him are still out there running the same playbook undetected

  5. The SIM swap component is what made this work. They were not just sending phishing links, they were intercepting SMS 2FA. Once you control the phone number you control every exchange account linked to it.

  6. five people across multiple countries coordinating phishing campaigns for two years. this was organized crime not some hobby project
