Cryptocurrency Fraud , Cybercrime , Fraud Management & Cybercrime

Teen Could Serve Extended Prison Terms for Wire Fraud, Aggravated Identity Charges Prajeet Nair (@prajeetspeaks) • January 31, 2024    

U.S. federal prosecutors charged a Florida teenager allegedly involved in a cryptocurrency theft scam using SIM-swapping that stole at least $800,000 from a minimum of five victims.

See Also: OnDemand Panel | Securing Operational Excellence: Thwarting CISOs 5 Top Security Concerns

The suspect, Noah Michael Urban, 19, is part of a cybercriminal group known as Scattered Spider or 0ktapus, reported independent cybersecurity reporter Brian Krebs. The financially motivated group is behind a 2022 campaign that compromised more than 130 organizations, including customer engagement platform Twilio and email service provider Mailchimp (see: Twilio and Mailchimp Breaches Tie to Massive Phishing Effort).

Microsoft researchers in October said the group became the rare English-speaking affiliate of Russian-speaking ransomware group BlackCat, and cyberthreat intelligence has tied the group to ransomware attacks against casinos MGM Resorts and Caesars Entertainment in 2023 (Meet Octo Tempest, ‘Most Dangerous Financial’ Hackers).

Also known online as “Sosa,” “Elijah,” “Gustavo Fring” and “King Bob,” Urban faces 14 criminal counts including wire fraud and aggravated identity theft – charges that potentially add up to decades in prison. Authorities arrested Urban on Jan. 9. He is being kept in jail pending a trial set for later this year.

The charges in the indictment center on a conspiracy to steal cryptocurrency through SIM swapping in order to intercept one-time passwords sent via SMS. Urban allegedly orchestrated SIM-swapping attacks against email and financial accounts of victims between August 2022 and March 2023, prosecutors said.

The Daytona Beach News-Journal reported that Urban had no fixed address and was staying at an Airbnb under an alias. Police said that at the moment of his arrest, he had been downloading programs to delete computer files.

Group-IB dubbed 0ktapus, the criminal group behind the hacking spree that included Twilio. A common thread in the attacks was attempts to steal two-factor authentication and credentials (see: Okta Customer Data Exposed via Phishing Attack on Twilio).

Group-IB underscored the 0ktapus campaign’s strategy of phishing employees for their credentials. In this method, recipients of phishing emails are prompted to click on a link that redirects them to a deceptive page designed to replicate their employer’s Okta authentication portal and are prompted to providing a one-time password for multifactor authentication.