
Scattered Spider and Phobos Ransomware Unmasked

Bola Ogbara

The FBI recently unmasked members of the Scattered Spider cybercrime group and the administrator of the Phobos ransomware operation, and the Department of Justice has charged them with wire fraud and aggravated identity theft, among other crimes.

On November 20th, the Department of Justice unsealed charges against five men who ran a phishing scheme to steal employee credentials from companies, used that access to break into corporate systems and cryptocurrency wallets, and stole the equivalent of $11 million. Their victims included at least 12 companies and hundreds of thousands of individuals across the gaming, outsourcing, telecommunications and cryptocurrency industries. The five were members of Scattered Spider, a decentralized, highly sophisticated, native-English-speaking cyber-extortion group active since 2022 that other security vendors track as ‘UNC3944’, ‘Roasted 0ktapus’, ‘Octo Tempest’ and ‘Storm-0875’.


Microsoft called Scattered Spider “one of the most dangerous financial criminal groups” after the group claimed responsibility for the 2023 ransomware attacks on MGM and Caesars. The MGM attack forced the company to shut down computers and slot machines for 10 days, at a cost of around $100 million. The group’s reach comes from techniques that are less common among other threat actors: advanced social engineering, SIM swapping and SMS phishing. Both of the latter target SMS-delivered one-time codes and help-desk password resets, which is why phishing-resistant MFA (such as FIDO2 security keys) and strict identity verification for help-desk requests are the standard mitigations. The group has also used aggressive intimidation over phone calls and texts to frighten targets into handing over the credentials it wants. Until recently, law enforcement had struggled to identify any members of the group, which only increased the threat to its victims.


The five defendants are Joel Martin Evans of Jacksonville, North Carolina; Evans Osiebo (20) of Dallas, Texas; Noah Urban (20) of Palm Coast, Florida; Ahmed Elbadawy (23) of College Station, Texas; and Tyler Buchanan (22) of the United Kingdom. Buchanan was arrested in June at an airport in Spain, and Evans was arrested on November 19th. All of them were in their teens or early 20s when the crimes were committed, which is typical of Scattered Spider, since the group grew out of ‘the Com’, a “nebulous ring of approximately 1,000 young cybercriminals that are mainly organized on online platforms.” True to form, another Scattered Spider suspect arrested earlier this year in connection with the MGM and Caesars attacks was only 17.


The five defendants in this case were not directly connected to the MGM attack, but they still face serious federal prison time for conspiracy to commit wire fraud, conspiracy, and aggravated identity theft. According to the press release, if convicted, each defendant “would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years in federal prison for the conspiracy count, and a mandatory two-year consecutive prison sentence for aggravated identity theft.”


The Justice Department also unsealed charges against another cybercriminal, Evgenii Ptitsyn (42), a Russian national. Ptitsyn managed the sale, distribution and operation of Phobos ransomware, which extorted more than $16 million from over 1,000 entities in the United States, ranging from large corporations to schools, hospitals, nonprofits and a federally recognized tribe. Phobos ran on the ransomware-as-a-service (RaaS) model: Ptitsyn and his co-conspirators built the ransomware and sold access to it to affiliate cybercriminals, who then deployed Phobos against their own victims. The administrators also profited from each successful attack, because affiliates had to pay them for the decryption key before they could provide it to a victim who paid the ransom.


Ptitsyn’s 13-count indictment charges wire fraud conspiracy, wire fraud, conspiracy to commit computer fraud and abuse, four counts of causing intentional damage to protected computers, and four counts of extortion in relation to hacking. If convicted on all counts, Ptitsyn could effectively spend the rest of his life in prison: each wire fraud count carries a maximum of 20 years, and each computer hacking count up to 10 years.


Both cases demonstrate the FBI’s persistence, as well as the scale of loss a handful of cybercriminals can cause. Referring to the Scattered Spider case, US Attorney Martin Estrada said “this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals. As this case shows, phishing and hacking has become increasingly sophisticated and can result in enormous losses. If something about the text or email you received or website you’re viewing seems off, it probably is.” This is valuable advice, especially as November, Critical Infrastructure Security and Resilience Month, comes to an end. The Cybersecurity and Infrastructure Security Agency (CISA) offers resources to help people recognize and report phishing, which can keep the next series of attacks from being as damaging.