Federal prosecutors in Los Angeles this week filed criminal charges against five men accused of being members of a hacking group responsible for a series of cyber intrusions at major US technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio.
The five men, aged 20 to 25, are suspected of being members of a hacking conspiracy known as “Scattered Spider” and “Oktapus,” which specialized in SMS-based phishing attacks that tricked employees at tech companies into entering their credentials and one-time passcodes on phishing websites.
The targeted SMS lures asked employees to click on a link and log in at a website impersonating their employer’s Okta authentication page. Some SMS phishing messages told employees that their VPN credentials were expiring and needed to be changed; others advised employees of changes to their upcoming work schedule.
The attacks used newly registered domains that often included the target company’s name, such as twilio-help[.]com and ouryahoo-okta[.]com. The phishing websites were typically kept online for just one or two hours at a time, meaning they were often taken offline before anti-phishing and security services could flag them.
The phishing kits used in these campaigns included a hidden Telegram instant messaging bot that relayed any submitted credentials in real time. The bot allowed the attackers to use the phished username, password and one-time code to log in as that employee on the employer’s real website.
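The short-lived lookalike domains described above are the kind of thing a defender can watch for in a newly-registered-domain feed before the site is ever visited by an employee. The following Python script is an added example, not code from the original article or from anyone it names: the brand list, the allowlist of legitimately owned apex domains, the lure-word list and the sample feed are all constructed for the example (the two defanged names in the feed are the ones quoted above), and the two-level severity scale is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed watch configuration for a hypothetical organisation.
WATCHED_BRANDS = ("twilio", "yahoo", "okta")          # brand strings to look for in labels
OWNED_APEX = {"twilio.com", "yahoo.com", "okta.com"}   # legitimate apex domains (allowlist)
# Lure words matching the campaign themes described above: SSO/Okta, VPN, schedules.
LURE_WORDS = ("okta", "sso", "vpn", "login", "help", "verify", "schedule", "hr")


@dataclass
class Finding:
    domain: str
    severity: str                      # "high" = brand + lure word, "medium" = brand only
    brands: list = field(default_factory=list)
    lures: list = field(default_factory=list)


def normalize(domain: str) -> str:
    """Undo common defanging ('hxxp://', '[.]', '(.)') and lower-case the name."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".")
    return d.rstrip(".")


def apex(domain: str) -> str:
    """Registrable domain, taken as the last two labels. Good enough for the example;
    a production feed would consult the Public Suffix List for co.uk-style suffixes."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def label_tokens(label: str) -> list:
    """Split the registrable label on hyphens, underscores and digits."""
    return [t for t in re.split(r"[-_0-9]+", label) if t]


def assess(domain: str):
    """Return a Finding if the domain looks like brand impersonation, else None."""
    d = normalize(domain)
    if apex(d) in OWNED_APEX:
        return None                    # our own registration, not a lookalike
    label = apex(d).split(".")[0]
    brands = [b for b in WATCHED_BRANDS if b in label]
    if not brands:
        return None                    # no watched brand in the registrable label
    lures = [w for w in LURE_WORDS if w in label_tokens(label)]
    severity = "high" if lures else "medium"
    return Finding(d, severity, brands, lures)


def triage(feed) -> list:
    """Run assess() over a feed of newly registered domains; high severity first."""
    findings = [f for f in (assess(x) for x in feed) if f is not None]
    return sorted(findings, key=lambda f: (f.severity != "high", f.domain))


# Constructed sample feed; the two defanged names are the ones quoted in the article.
SAMPLE_FEED = [
    "twilio-help[.]com",
    "ouryahoo-okta[.]com",
    "okta.com",                        # legitimate, allowlisted
    "weather-daily.net",               # unrelated registration
    "hxxp://twilio-sso-verify[.]net",  # constructed: brand plus two lure words
    "twilioblog.com",                  # constructed: brand only, lower confidence
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FEED):
        print(f"{f.severity:6} {f.domain:28} brands={f.brands} lures={f.lures}")
```

The script is a triage heuristic, not a verdict: a brand string plus a lure word such as “help” or “sso” in the registrable label puts a registration at the top of the queue for a blocklist entry or a takedown request, while a brand string alone is queued for a human look. Because the sites in this campaign lived for only an hour or two, the value lies in running it against the registration feed continuously rather than against URLs reported after the fact.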
In August 2022, several security firms gained access to the server that was receiving data from that Telegram bot, which at times leaked the Telegram ID and handle of its developer, who used the alias “Joeleoli.”
Joeleoli was the moniker registered on the cybercrime forum OGusers in 2018 via the email address [email protected], which was also used to register accounts on several websites for a Joel Evans of North Carolina. Indeed, prosecutors say Joeleoli’s real name is Joel Martin Evans, a 25-year-old from Jacksonville, North Carolina.
One of the first major victims of Scattered Spider’s 2022 phishing spree was Twilio, a company that provides services for making and receiving text messages and calls. The group then used its access to Twilio to attack at least 163 of its customers. According to prosecutors, the group primarily sought to steal cryptocurrency from victim companies and their employees.
“The defendants allegedly robbed unsuspecting victims in this phishing scheme and used their information as a gateway to steal millions from their cryptocurrency accounts,” said Akhil Davis, assistant director in charge of the FBI’s Los Angeles field office.
Many of the hacking group’s domains were registered through the registrar NameCheap, and FBI investigators say records obtained from NameCheap showed that the person who ran those phishing websites did so from an Internet address in Scotland. The feds then obtained records from Virgin Media, which showed the address was rented for several months to Tyler Buchanan, 22, of Dundee, Scotland.
As first reported here in June, Buchanan was arrested in Spain while trying to board a flight to Italy. Spanish police told the media that Buchanan, who allegedly went by the handle “Tylerb,” at one point held $27 million worth of Bitcoin.
The government says a large part of Tylerb’s cryptocurrency fortune was the result of successful SIM swapping attacks, in which crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim, including one-time passcodes for verification and password reset links sent via SMS.
According to SIM-swapping channels on Telegram that Tylerb is known to frequent, rival SIM-swappers hired thugs to attack his home in February 2023. Those accounts said the attackers assaulted Tylerb’s mother during the home invasion and threatened to burn her with a blowtorch if he did not hand over the keys to his cryptocurrency wallets. Tylerb is said to have fled the United Kingdom after the attack.
Prosecutors say Tylerb worked closely on SIM swapping attacks with Noah Michael Urban, another alleged Scattered Spider member, of Palm Coast, Fla., who went by the handles “Sosa,” “Elijah,” and “Kingbob.”
Sosa was known as a senior member of the cybercrime community called “the Com,” where hackers brag about high-profile exploits and intrusions that almost always begin with social engineering: tricking people by phone, email or SMS into providing credentials that allow remote access to corporate networks.
In January 2024, KrebsOnSecurity broke the news that Urban had been arrested in Florida in connection with multiple SIM swapping attacks. That story noted that Sosa’s alter ego Kingbob often targeted people in the record industry to steal and share “grails,” a term used to describe unreleased recordings from popular artists.
FBI investigators identified a fourth alleged member of the conspiracy, Ahmed Hossam Eldin Elbadawy, 23, of College Station, Texas, after he allegedly used a portion of the cryptocurrency funds stolen from a victim company to pay for an account used to register phishing sites.
A criminal complaint filed Wednesday alleges that Elbadawy controlled dozens of cryptocurrency accounts used to receive the stolen money, along with another Texas man, Evans Onyeaka Osiebo, 20, of Dallas.
Members of Scattered Spider are suspected of involvement in the September 2023 ransomware attack against MGM Resorts, a hotel and casino chain, which quickly brought many of MGM’s casinos to a halt. In September 2024, KrebsOnSecurity reported that a 17-year-old from the United Kingdom had been arrested last year by UK police as part of an FBI investigation into the MGM hack.
Evans, Elbadawy, Osiebo and Urban were each charged with one count of conspiracy to commit fraud, one count of conspiracy, and one count of aggravated identity theft. Buchanan, named as a co-defendant, was charged with conspiracy to commit fraud, conspiracy, fraud and aggravated identity theft.
A Justice Department press release states that if convicted, each defendant faces a maximum statutory sentence of 20 years in prison for conspiracy to commit fraud, five years in prison for conspiracy, and two consecutive years in prison for aggravated identity theft. Buchanan faces up to 20 years in prison on the fraud charge.