Following his arrest on January 9, 2024, a 19-year-old Florida man faces charges of wire fraud, aggravated identity theft, and involvement in a scheme to use SIM-swapping to steal cryptocurrency. The accused, Noah Michael Urban of Palm Coast, Fla., is believed to have masterminded several cyber intrusions at major U.S. technology companies during the summer of 2022.
According to prosecutors, Urban was purportedly involved in stealing at least $800,000 from at least five victims between August 2022 and March 2023. In each instance, the victims’ email and financial accounts were compromised through unauthorized SIM-swaps, enabling the attackers to gain control over the victims’ mobile phone numbers by transferring them to new devices. Urban was known to operate under various aliases, including “Sosa” and “King Bob,” among others.
It has been reported that Urban was a core member of a hacking group that was responsible for the 2022 breach at Twilio, a company that provides services for making and receiving text messages and phone calls. Following this breach, the security firm Group-IB connected the same group of attackers with separate breaches at more than 130 organizations, including LastPass, DoorDash, Mailchimp, and Plex. The group was known by multiple nicknames, including “Scattered Spider” and “0ktapus”.
0ktapus employed a phishing tactic that involved setting up newly registered domains named after the targeted companies. Employees of these companies were sent text messages urging them to click on links to these domains in order to view information about a pending change in their work schedule. This ploy was used in multiple instances to extract credentials from employees and gain unauthorized access to their systems.
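
A defender-side check for the lure described above, as an added example that is not from the original article: it pulls link hosts out of an SMS and flags those that embed a monitored company name, are not an official domain, and were registered recently or have no known registration date. The brand, domains, dates, sample messages, and the 30-day threshold are constructed assumptions, and the `REGISTERED` table stands in for a WHOIS/RDAP lookup.

```python
import re
from datetime import date

# Hypothetical brand keyword -> its official registrable domains.
BRANDS = {"examplecorp": {"examplecorp.example"}}
MAX_AGE_DAYS = 30  # assumed cut-off for "newly registered"
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed creation dates, standing in for a WHOIS/RDAP lookup.
REGISTERED = {
    "examplecorp-schedule.example": date(2022, 8, 1),
    "examplecorp.example": date(2009, 3, 14),
}

# Constructed SMS samples: a lookalike lure and a legitimate portal link.
SAMPLE = [
    "Your work schedule has changed: https://examplecorp-schedule.example/login",
    "Payroll portal: https://sso.examplecorp.example/",
]

def registered_domain(host):
    """Naive last-two-labels split; use the Public Suffix List in production."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def impersonated_brand(host, domain):
    """Return the brand named anywhere in the host of a non-official domain."""
    squashed = re.sub(r"[^a-z0-9]", "", host.lower())
    for brand, official in BRANDS.items():
        if brand in squashed and domain not in official:
            return brand
    return None

def flag_message(text, received):
    """Return (domain, brand, age_days) for each suspicious link in an SMS."""
    findings = []
    for host in URL_HOST.findall(text):
        domain = registered_domain(host)
        brand = impersonated_brand(host, domain)
        if brand is None:
            continue
        created = REGISTERED.get(domain)
        # An unknown creation date is treated as suspicious, not as safe.
        age = (received - created).days if created else None
        if age is None or age <= MAX_AGE_DAYS:
            findings.append((domain, brand, age))
    return findings

if __name__ == "__main__":
    for sms in SAMPLE:
        print(flag_message(sms, date(2022, 8, 4)), "<-", sms)
```
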
Furthermore, the 0ktapus group showed a tendency to leverage information or access gained in one breach to perpetrate another. They exploited the breach at Twilio to attack at least 163 of its customers, and infiltrated the systems of companies such as Mailchimp, LastPass, and Plex.
A review of thousands of messages posted by “Sosa” and “King Bob” over the past two years revealed that Noah Michael Urban was focused primarily on two activities: SIM-swapping and trading in stolen, unreleased rap music recordings from popular artists. Urban boasted about obtaining thousands of unreleased music recordings, commonly referred to as “grails,” and was particularly fond of recordings from artists such as Lil Uzi Vert, Playboi Carti, and Juice Wrld.
The extent of Urban’s involvement in the criminal activities, as well as the financial implications of his actions, is still being investigated. It is evident that Urban had established a reputation within certain online forums and was known for sharing the stolen music with the community. Additionally, efforts to sell some of these unreleased recordings reflected a potential monetization of his criminal exploits.
The arrest and subsequent legal proceedings have halted Urban’s activities within these forums, leading to speculation among other users regarding the cause of the disruption. Meanwhile, law enforcement agencies are continuing their efforts to uncover the extent of Urban’s involvement in these criminal activities and bring him to justice.
This case sheds light on the magnitude of cyber threats and the financial losses incurred by victims of such criminal activities. It also underscores the need for increased vigilance and security measures to combat these cyber intrusions and protect individuals and organizations from falling victim to such fraudulent schemes. As the investigation unfolds, it is hoped that justice will be served for the victims of these crimes, and efforts will be made to prevent similar incidents from occurring in the future.

