Five men in their twenties were indicted by American authorities on Wednesday, November 20. They are suspected of belonging to a sinister group of hackers with nefarious aims, nicknamed Scattered Spider by computer security specialists. The indictment released by the Department of Justice mainly accuses them of bank fraud and identity theft.
The name Scattered Spider was notably associated with the hacking of MGM Resorts casinos in the United States, which cost the company nearly $100 million. The group or some of its members are also suspected of having collaborated with BlackCat, one of the largest ransomware gangs in recent years. Scattered Spider is thus believed to have played the role of affiliate, the name given to accomplices responsible for infiltrating a victim’s network to deploy malicious software that paralyzes connected computers.
The five suspects now being prosecuted by the American justice system, Ahmed Elbadawy, Noah Urban, Evans Osiebo, Joel Evans and Tyler Buchanan, are all between 20 and 25 years old. At least three of them were arrested during several waves of arrests. Mr. Buchanan, the only British national on the list of suspects (the other four are Americans), was arrested in Spain in June, while Noah Urban, known under the pseudonym “Sosa”, was arrested in January. A final suspect, Joel Evans, was arrested Tuesday, November 19 by federal investigators in North Carolina. However, it is unclear whether the five people charged represent the entire group.
Phishing, “SIM swapping” and theft of funds
Since 2022, IT security companies have closely followed the group’s activities. An analysis by the company CrowdStrike established at the time that the hackers mainly targeted telecommunications companies and subcontracting companies. They got in by sending phishing messages or by impersonating employees over the telephone, always with the aim of obtaining credentials that would give them a first foothold in the network. The group then consolidated its position, for example by installing remote access software on company computers.
According to the indictment, Joel Evans, 25, of Jacksonville and known by the pseudonym joeleoli, is accused of having designed a tool to automate the transfer of passwords stolen in the group’s phishing campaigns. The credentials entered by victims were then sent to a Telegram channel managed by Scattered Spider. In 2022, a report from the company Group-IB estimated that nearly 10,000 people had their credentials stolen by the group.
Once this data has been recovered, one of Scattered Spider’s main objectives is to extract funds, often in cryptocurrency, from its victims. Investigators estimate that the suspects managed to steal a total of more than $11 million from around thirty identified people. In 2021, the suspects are said to have succeeded in stealing more than six million dollars in cryptocurrencies from a single victim. To do this, the group used the technique of SIM swapping, which involves forwarding a victim’s phone line to receive their text messages and calls, including verification codes sometimes sent to reset a password. In 2022, members of the group reportedly managed to break into the infrastructure of Twilio, a company specializing in sending text messages and phone calls.
A larger community could be hiding behind this loosely defined group. Researchers suspect Scattered Spider of being an offshoot of The Com, a vast network of English-speaking hackers whose level of organization is unknown and which could number, according to recent statements from the FBI, nearly a thousand members.