CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Scattered Spider member sentenced to 10 years for wire fraud and conspiracy

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

Noah Michael Urban, a key member of the Scattered Spider cybercrime collective, was sentenced to 10 years in prison for wire fraud and conspiracy. Urban, also known by several aliases, was arrested in January 2024 and pleaded guilty in April. He was involved in stealing millions from cryptocurrency wallets, hacking companies to loot confidential data, and running phishing schemes targeting various companies. Urban will also pay $13 million in restitution to more than 30 victims. Scattered Spider is a fluid collective known for sophisticated social engineering attacks, including phishing, SIM swapping, and MFA bombing. They have targeted high-profile organizations worldwide, such as Twilio, Coinbase, and Reddit. The group escalated their attacks in September 2023, breaching MGM Resorts and encrypting over 100 VMware ESXi hypervisors using BlackCat ransomware. They have also partnered with various ransomware operations, including Qilin, RansomHub, and DragonForce.

Timeline

  1. 21.08.2025 11:34 2 articles · 1mo ago

    Scattered Spider member sentenced to 10 years for wire fraud and conspiracy

    Noah Michael Urban, a key member of the Scattered Spider cybercrime collective, was sentenced to 10 years in prison plus three years of supervised release for wire fraud and conspiracy. Urban, arrested in January 2024 and pleaded guilty in April, was involved in stealing millions from cryptocurrency wallets, hacking companies to loot confidential data, and running phishing schemes targeting various companies. Urban will also pay $13 million in restitution to more than 30 victims. The US Department of Justice reported losses exceeding $13 million due to Urban's actions. Urban, known as 'King Bob,' was considered a key figure in the Scattered Spider cybercrime ring, using SIM swapping and other sophisticated social engineering attacks.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

U.S. sanctions cyber scam operations in Southeast Asia

The U.S. Department of the Treasury has sanctioned several large cyber scam networks in Southeast Asia, primarily in Burma and Cambodia. These operations, which used forced labor and human trafficking, stole over $10 billion from Americans in 2024, a 66% increase from the previous year. The scams included romance baiting and fake cryptocurrency investments. The sanctions target individuals and entities linked to the Karen National Army (KNA) and various organized crime networks. The sanctions block these entities from the U.S. financial system, freeze their U.S.-based assets, and limit their access to international financial services. The move aims to disrupt the operations and impose legal and financial consequences on the perpetrators. The cybercriminal syndicates in Southeast Asia net nearly $40 billion annually in illicit profits. The U.S. actions are part of a broader effort to degrade the infrastructure supporting these scams and punish the system enabling their crimes.

Open in new tab

Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. The operation was supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Group-IB provided circumstantial intelligence on a cryptocurrency investment scam and BEC campaigns, while TRM Labs pursued leads tied to the Bl00dy ransomware group in Ghana and RansomHub. Notable actions included dismantling 25 cryptocurrency mining centres in Angola, confiscating 45 illicit power stations, and disrupting an online investment fraud operation in Zambia with 65,000 victims and $300 million in losses. Additionally, a transnational inheritance scam originating in Germany was disrupted, with losses estimated at $1.6 million. Nigeria deported 102 foreign nationals convicted of cyber terrorism and internet fraud. Earlier, Operation Red Card in March 2025 resulted in the arrest of 306 suspects and confiscation of 1,842 devices. The operation was part of the 'African Joint Operation against Cybercrime.' Participating countries included Seychelles, Tanzania, Ghana, Kenya, and others. Operation Serengeti 2.0 is part of a series of multi-month investigations and arrests highlighted by Interpol. The original Operation Serengeti involved two months of investigations with the African Union's Afripol and raids against 1,006 suspects in September and October 2024. In 2022, Interpol and 27 African nations conducted joint investigations as part of Operation Cyber Surge, following up in April 2023 with Operation Cyber Surge II. These joint investigations aim to train local law enforcement and prosecutors, which Interpol has noted are often hard-pressed to deal with the technical requirements of cybercrime prosecutions. In addition, the race is to deter cybercrime, redirect youth into more productive activities, and train law enforcement before the cybercriminals become too smart.

Open in new tab

Warlock Ransomware Exploits Vulnerable SharePoint Servers

Warlock ransomware, potentially linked to Black Basta, targets unpatched on-premises Microsoft SharePoint servers. The ransomware leverages multiple vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771) to gain initial access, escalate privileges, and deploy ransomware. The campaign includes extensive reconnaissance and evasion techniques, targeting security software to avoid detection. The threat actor Storm-2603, associated with China-backed groups, has been observed using Warlock ransomware in these attacks. The ransomware gang recently auctioned files stolen from Colt Technology Services, confirming customer data was compromised. Organizations are urged to apply available patches and implement comprehensive security measures to mitigate the risk.

Open in new tab

Inotiv ransomware attack disrupts operations

Inotiv, a U.S.-based pharmaceutical company, experienced a ransomware attack on August 8, 2025, claimed by the Qilin ransomware group. The incident encrypted certain systems and data, disrupting business operations. The company is working to restore affected systems and mitigate the impact. The Qilin ransomware group has been active, also targeting Creative Box Inc. (CBI), a subsidiary of Nissan, on August 16, 2025, stealing four terabytes of data, including 3D vehicle design models and internal reports. The attack involved unauthorized access and encryption of systems, with the Qilin ransomware gang claiming to have stolen approximately 162,000 files totaling 176GB from Inotiv. The company has engaged external security experts and notified law enforcement. The disruption affects databases and internal applications used in business processes, with no estimated timeline for full recovery.

Open in new tab

MS-ISAC funding cuts threaten US state and local cybersecurity

The Multi-State Information Sharing and Analysis Center (MS-ISAC) faces funding cuts that will expire on September 30, 2025, potentially leaving state and local governments vulnerable to cyberattacks. Recent ransomware attacks on Nevada, St. Paul, the Lower Sioux Indian Community, and Pennsylvania underscore the growing threat to local governments. MS-ISAC, which detected over 40,000 potential cyberattacks in 2024, will have to start charging for its services without federal funding. This includes cyber threat analysis and threat intelligence distribution to critical infrastructure such as schools, hospitals, and utilities. The Center for Internet Security (CIS), which operates MS-ISAC, has been temporarily funding the center at a cost of over $1 million per month. Without reinstated funding, the MS-ISAC's services will be at risk, leaving many state and local governments unable to maintain the security of their public services.

Open in new tab