CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Scattered Spider member sentenced to 10 years for wire fraud and conspiracy

First reported
Last updated
3 unique sources, 4 articles

Summary

Hide ▲

Noah Michael Urban, a key member of the Scattered Spider cybercrime collective, was sentenced to 10 years in prison for wire fraud and conspiracy. Urban, also known by several aliases, was arrested in January 2024 and pleaded guilty in April. He was involved in stealing millions from cryptocurrency wallets, hacking companies to loot confidential data, and running phishing schemes targeting various companies, including Twilio, LastPass, DoorDash, MailChimp, and Plex. Urban will also pay $13 million in restitution to more than 30 victims. Scattered Spider is a fluid collective known for sophisticated social engineering attacks, including phishing, SIM swapping, and MFA bombing. They have targeted high-profile organizations worldwide, such as Twilio, Coinbase, and Reddit. The group escalated their attacks in September 2023, breaching MGM Resorts and encrypting over 100 VMware ESXi hypervisors using BlackCat ransomware. They have also partnered with various ransomware operations, including Qilin, RansomHub, and DragonForce. In a separate development, two British teenagers, Thalha Jubair and Owen Flowers, were arrested in September 2024 for their alleged involvement in the Transport for London (TfL) breach. They pleaded not guilty to computer misuse and fraud-related charges. The TfL breach in August 2024 caused millions of pounds in damage and exposed customer data. Jubair and Flowers are also facing additional charges related to attacks on other organizations, including SSM Health Care Corporation, Sutter Health, and U.S. courts.

Timeline

  1. 21.11.2025 17:41 1 articles · 23h ago

    Scattered Spider teens charged for TfL breach

    Two British teenagers, Thalha Jubair and Owen Flowers, were arrested in September 2024 for their alleged involvement in the Transport for London (TfL) breach. They pleaded not guilty to computer misuse and fraud-related charges at Southwark Crown Court. The TfL breach in August 2024 caused millions of pounds in damage and exposed customer data, including names, addresses, and contact details. Flowers is also facing charges involving conspiring to attack the networks of SSM Health Care Corporation and Sutter Health in the United States. Jubair was charged by the U.S. Department of Justice with conspiracy to commit computer fraud, money laundering, and wire fraud, relating to at least 120 incidents of network breaches between May 2022 and September 2025, affecting at least 47 U.S. organizations and including extortion attempts worldwide and attacks on critical infrastructure entities and U.S. courts. Victims have paid Jubair and his accomplices over $115 million in ransom payments.

    Show sources
    Open in new tab
  2. 21.08.2025 11:34 4 articles · 3mo ago

    Scattered Spider member sentenced to 10 years for wire fraud and conspiracy

    Noah Michael Urban, known by the aliases 'King Bob' and 'Sosa,' was sentenced to 10 years in prison plus three years of supervised release for wire fraud and conspiracy. Urban, arrested in January 2024 and pleaded guilty in April, was involved in stealing millions from cryptocurrency wallets, hacking companies to loot confidential data, and running phishing schemes targeting various companies. Urban will also pay $13 million in restitution to more than 30 victims. Urban's actions led to the compromise of over 130 companies, including Twilio, LastPass, DoorDash, MailChimp, and Plex. Urban was also involved in a hacking incident that targeted a magistrate judge's email account while he was in federal custody. The US Department of Justice reported losses exceeding $13 million due to Urban's actions. Urban, known as 'King Bob,' was considered a key figure in the Scattered Spider cybercrime ring, using SIM swapping and other sophisticated social engineering attacks.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

SIM-box operation dismantled, enabling global telecom fraud

European law enforcement dismantled a sophisticated cybercrime-as-a-service (CaaS) platform that operated a SIM farm, enabling over 49 million fake online accounts and facilitating over 3,200 fraud cases resulting in at least 4.5 million euros in losses. The service provided phone numbers for various telecommunication crimes, including phishing, investment fraud, impersonation, extortion, migrant smuggling, and the distribution of child sexual abuse material (CSAM). The operation, codenamed 'SIMCARTEL,' involved multiple countries and seized significant infrastructure and assets. The SIM-box service operated through two websites, gogetsms.com and apisim.com, which have been seized. The service rented out phone numbers registered in over 80 countries, enabling the creation of fraudulent online accounts. The operation resulted in the arrest of seven individuals, including five Latvian nationals, and the seizure of 1,200 SIM-box devices, 40,000 SIM cards, five servers, and luxury vehicles. Financial assets totaling EUR 431,000 and $333,000 in crypto were also frozen. The operation's main raids occurred during an action day in Latvia on October 10, where 26 searches were carried out and five Latvian nationals were arrested. Three suspects were subject to a non-custodial security measure and a court imposed a security measure on a man born in 1982. Latvian law enforcement shared footage of a raid on a workspace packed with computer hardware, specialized equipment and large quantities of SIM cards.

Open in new tab

GXC Team CaaS Platform Dismantled in Spain

Spanish authorities have dismantled the GXC Team, a crime-as-a-service (CaaS) operation. The group offered AI-powered phishing kits, Android malware, and voice-scam tools. The leader, a 25-year-old Brazilian known as “GoogleXcoder,” was arrested in San Vicente de la Barquera, Cantabria, after a year-long investigation involving six coordinated raids across Spain. The group targeted banks, transport, and e-commerce entities in multiple countries. The operation involved coordinated raids across seven Spanish regions, seizing electronic devices and cryptocurrency. The investigation is ongoing, with potential further arrests. The GXC Team's leader, known as GoogleXcoder, lived as a digital nomad, relocating between multiple homes in different Spanish provinces. The police identified six other individuals allegedly associated with the CaaS operation. The GXC Team's Telegram channels were deactivated, and digital evidence is being examined to identify other suspects. The CaaS operation emerged in 2023, offering advanced phishing kits, an SMS-stealing Android trojan, and tools for AI-supported voice scams.

Open in new tab

Discord User Data Compromised in Third-Party Breach

Hackers claim to have stolen data from 5.5 million unique Discord users after compromising a third-party customer service provider. The attack occurred on September 20, 2025, affecting users who interacted with Discord’s customer support and/or Trust and Safety teams. The breach appears to be financially motivated, with hackers demanding a ransom. The Scattered Lapsus$ Hunters (SLH) threat group claimed responsibility for the attack, stating they breached a Zendesk instance used by Discord for customer support. The compromised data includes real names, usernames, email addresses, contact details, IP addresses, messages, attachments, photos of government-issued identification documents, partial billing information, and purchase history. Discord took immediate action to isolate the support provider from its ticketing system and launched an investigation with the help of a forensics firm and law enforcement. The hackers also accessed corporate data, including training materials and internal presentations. Discord has notified law enforcement and relevant data protection authorities about the incident. No full credit card numbers, CVV codes, passwords, or authentication data were compromised. Additionally, no messages or activity on Discord outside of communication with customer support were obtained by the attackers.

Open in new tab

WestJet data breach impacts 1.2 million customers

WestJet, a major Canadian airline, has confirmed that a cyberattack on June 13, 2025, compromised the personal information of 1.2 million customers. The breach involved the theft of travel documents, including passports and ID documents. The attackers gained access to the network through a Citrix system after resetting an employee's password via social engineering. The breach was attributed to threat actors associated with Scattered Spider, although no official attribution has been made. The compromised data includes full names, dates of birth, mailing addresses, travel documents, requested accommodations, filed complaints, WestJet Rewards Member IDs, and details of WestJet RBC Mastercard information. No credit card or debit card numbers, expiry dates, CVV numbers, or user passwords were compromised. The airline is working with the FBI and has offered a free 2-year identity theft protection and monitoring service to affected customers. The breach was first identified on June 13, 2025, and the data breach notification was sent to the Office of the Maine Attorney General on September 29, 2025.

Open in new tab

U.S. sanctions cyber scam operations in Southeast Asia

The U.S. Department of the Treasury has sanctioned several large cyber scam networks in Southeast Asia, primarily in Burma and Cambodia. These operations, which used forced labor and human trafficking, stole over $10 billion from Americans in 2024, a 66% increase from the previous year. The scams included romance baiting and fake cryptocurrency investments. The sanctions target individuals and entities linked to the Karen National Army (KNA) and various organized crime networks. The U.S. has established a new task force, the Scam Center Strike Force, to disrupt Chinese cryptocurrency scam networks. This task force, supported by the U.S. Attorney's Office, the Department of Justice, the FBI, and the Secret Service, has already seized over $401 million in cryptocurrency and filed forfeiture proceedings for an additional $80 million in stolen funds. The Treasury Department’s Office of Foreign Assets Control has imposed additional sanctions on the Democratic Karen Benevolent Army (DKBA) and related entities. The sanctions block these entities from the U.S. financial system, freeze their U.S.-based assets, and limit their access to international financial services. The move aims to disrupt the operations and impose legal and financial consequences on the perpetrators. The cybercriminal syndicates in Southeast Asia net nearly $40 billion annually in illicit profits. The U.S. actions are part of a broader effort to degrade the infrastructure supporting these scams and punish the system enabling their crimes.

Open in new tab