Scattered Spider Hacker Sentenced to 10 Years and $13M Restitution for SIM-Swapping Crypto Heists
What kind of cybercriminal can steal millions with nothing more than a phone number and a convincing voice? In 2025, U.S. prosecutors answered that question in court. A 20-year-old tied to the notorious Scattered Spider crew just received 10 years in federal prison, plus $13 million in restitution, for SIM-swapping scams that drained victims’ cryptocurrency accounts.
If you’ve ever used SMS for two-factor authentication—or your company still relies on it—this case is a wake-up call. It’s not just about one hacker. It’s about how well-funded, English-speaking threat groups combine social engineering, telecom loopholes, and identity tricks to outpace traditional defenses.
In this deep dive, we’ll unpack what happened, why this sentence matters, and how you can protect yourself and your organization from the attack methods behind it.
The Case: A 20-Year-Old Scattered Spider Member Gets 10 Years
Noah Michael Urban, known online as Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, pleaded guilty in April 2025 to wire fraud and aggravated identity theft. In August 2025, a U.S. court sentenced him to:
- 120 months (10 years) in federal prison
- Three years of supervised release
- $13 million in restitution
According to reports from Bloomberg and Jacksonville outlet News4JAX, Urban called the sentence unjust in a statement shared with journalist Brian Krebs. Federal court documents tie him to SIM-swapping attacks between August 2022 and March 2023—schemes that hijacked victims’ phone numbers to reset logins and loot crypto accounts. The U.S. Department of Justice (DoJ) has linked Urban and co-conspirators to at least $800,000 stolen from at least five different victims in that period, with prosecutors later unsealing broader charges against members of Scattered Spider in November 2024.
- Coverage and context:
- News reporting: News4JAX and Bloomberg
- Background on SIM-swapping risks: FBI IC3 PSA
- KrebsOnSecurity (industry reporting): KrebsOnSecurity
Urban’s indictment wasn’t a one-off. Another alleged member, Tyler Robert Buchanan, was extradited from Spain to the U.S. in April 2025, signaling law enforcement’s growing reach and resolve across borders.
Here’s why that matters: heavy sentences and extraditions raise the cost of entry for would-be attackers, especially in social-engineering crews with young members drawn by fast crypto money.
Who Is Scattered Spider?
Scattered Spider is a financially motivated, English-speaking cybercrime group with a reputation for audacious social engineering. The crew has been tracked by multiple security vendors and is associated with a broader underground collective often referred to as “The Com.” Research and reporting describe the group’s playbook as a fast, media-savvy blend of pressure tactics and high-impact intrusions.
- Typical activities:
- Social engineering (posing as employees, vendors, or IT)
- Credential theft and initial access brokering
- SIM swapping to seize accounts, including crypto
- Ransomware deployment, data theft, and extortion
- “MFA fatigue” bombardment to trick users into approving logins
- Vishing (voice phishing) and smishing (SMS phishing)
According to analysts, Scattered Spider has also joined forces with ShinyHunters and LAPSUS$—a new alliance that increases access to tools, data, and infrastructure. As ZeroFox’s Adam Darrah told The Hacker News, these groups lean on timed leaks, countdown threats, and aggressive taunts to drive attention and force faster payouts. Consolidation like this often happens when law enforcement pressure increases.
- Read more:
- Threat actor profile (industry coverage): The Hacker News
- ZeroFox insights on social engineering crews: ZeroFox
- Flashpoint’s group analysis: Flashpoint
SIM Swapping 101: How the Heist Works
SIM swapping is simple in concept and brutal in effect. The attacker convinces a mobile carrier to transfer your phone number to a SIM card they control. Once they control your number, they can intercept SMS messages, including one-time passcodes (OTPs) used for login and account recovery.
Here’s a typical SIM-swap attack path:
- Recon and targeting – The attacker collects your name, phone number, email, employer, and possibly your last four SSN digits. They scrape social media, buy data dumps, or phish you directly.
- Social engineering the carrier – They call your mobile provider pretending to be you. They claim a lost phone or urgent port-out. They may use stolen PII, deepfakes, or even bribe an insider.
- The “port-out” – The carrier ports your number to a new SIM. Your phone suddenly loses service. The attacker now receives your calls and texts.
- Account takeover – They reset passwords using SMS-based codes.
  - They pivot into your email, then to banks, crypto exchanges, and password managers.
  - They change recovery options to lock you out.
- Cash out – For crypto exchanges, they initiate withdrawals to attacker-controlled wallets.
  - They may enable instant sell orders, use mixers, or hop across chains to obfuscate funds.
Why it works:
- SMS is not a secure second factor. It’s a convenience layer that depends on phone company processes that can be tricked.
- Many recovery flows still use SMS, even when you have stronger MFA enabled. Attackers exploit the weakest link.
For background on the risks, see the FBI’s alert on SIM swapping and account takeovers: FBI IC3 PSA. The FCC also maintains consumer guidance on port-out fraud: FCC’s SIM swapping overview.
The New Alliance: Scattered Spider + ShinyHunters + LAPSUS$
Consolidation among cybercrime crews is bad news for defenders. When groups like Scattered Spider join forces with ShinyHunters and LAPSUS$, they pool:
- Compromised credentials and insider contacts
- Access to initial access brokers and malware developers
- Infrastructure for phishing, hosting, and data leaks
- Public pressure tactics to coerce faster payments
Why the alliance matters:
- Bigger target lists, faster operations
- More varied tactics, making detection harder
- Increased resilience when law enforcement takes down infrastructure
Flashpoint describes Scattered Spider’s “wave-like” campaigns: they pick a vertical (say, tech or hospitality) and hit many organizations in a short burst. That swarming behavior can overwhelm defenders and exploit news cycles to maximize pressure. You can find ongoing reporting and profiles at Flashpoint and The Hacker News.
Urban’s Sentence: Why 10 Years and $13M Matter
The numbers send a message beyond one case:
- 10 years in prison: For a 20-year-old, this is a strong deterrent signal aimed at the next generation of “keyboard hustlers.”
- $13 million in restitution: Courts can tie restitution to the broader harm caused by the conspiracy, not just a single heist.
- Extraditions are on the table: Arrests abroad, like Buchanan’s, show coordination across jurisdictions.
Law enforcement is catching up on social engineering-driven cybercrime. As pressure rises, expect more groups to consolidate, rebrand, or pivot tactics. But don’t expect them to stop. The payoff remains high, and the weakest link remains human trust.
For context on social engineering threats and defense guidance, see CISA’s social engineering resources.
Tactics You’ll See (and Should Train Against)
Scattered Spider and similar crews excel at human-centered attacks. The technical payload often comes later.
Common techniques:
- MFA fatigue attacks: Flooding push notifications until a user taps “Approve.”
- Vishing: Calling the help desk as a frazzled employee to reset MFA or add a new device.
- Smishing: SMS messages that mimic IT alerts or shipping notices to steal credentials.
- Identity spoofing: Using stolen HR data, voice clones, or convincingly spoofed caller IDs.
- Okta or SSO abuse: Resetting factors, enrolling devices, or creating hidden admin accounts after a foothold.
- SIM swapping: Seizing phone numbers to intercept OTPs and take over accounts.
Tip: “Phishing-resistant” MFA, such as FIDO2 security keys and passkeys, cuts off many of these paths. Microsoft’s profile of “Octo Tempest” (a label some vendors use for similar activity) underscores how effective social engineering can be even against advanced environments—until phishing-resistant MFA is enforced across critical workflows. Learn more about passkeys via the FIDO Alliance.
What Organizations Should Do Now (Priority Playbook)
If you run security for a company that handles money, personal data, or has brand leverage, assume you’re on the list. Here’s a layered plan, starting with the highest impact:
- Kill SMS for critical accounts
  - Migrate to phishing-resistant MFA (FIDO2/WebAuthn security keys or platform passkeys) for admins, executives, finance, support, and anyone with access to identity systems.
  - Block SMS and voice calls as MFA for privileged access and for account recovery.
  - Align with NIST SP 800-63B guidance.
- Harden identity and help desk workflows
  - Require step-up verification for any MFA reset, enrollment, or phone number change—using phishing-resistant methods, not SMS.
  - Implement time delays and dual approval for sensitive changes (e.g., factor changes, password resets for privileged accounts).
  - Enforce change-of-custody logging and out-of-band confirmations.
- Lock down telecom exposure
  - Establish carrier “port-out” locks and enterprise account PINs for staff with elevated access.
  - Maintain a rapid-contact process with carriers’ fraud teams.
  - Do not rely on employee phone numbers as a recovery factor for admin accounts.
- Reduce social-engineering success
  - Train support staff with realistic vishing simulations.
  - Use caller ID verification tools, but never as a single proof of identity.
  - Publish clear internal runbooks: when in doubt, hang up and call back via a verified directory number.
- Protect email and SSO like crown jewels
  - Enforce conditional access, device posture checks, and network segmentation.
  - Monitor for unusual Okta/SSO events: mass push prompts, new device enrollment, and admin role changes.
  - Require hardware-backed keys for access to IAM consoles.
- Limit and monitor high-risk actions
  - Finance controls: withdrawal whitelists, 24–48 hour holds after factor changes, multi-person approvals, and out-of-band verification for new beneficiaries.
  - IT controls: just-in-time admin access, short-lived tokens, and automated session revocation on risk events.
- Prepare for the inevitable
  - Build SIM-swap playbooks: steps to take when a key employee’s number is hijacked.
  - Tabletop exercises focusing on help-desk social engineering and MFA reset abuse.
  - Establish rapid response with IR partners and telecom contacts.
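The SSO monitoring step above is easier to reason about with a concrete detector. The block below is an added example, not code from the original post or from any identity vendor: it runs two rules over a constructed, generic IdP audit log (the event names and thresholds are assumptions, not Okta’s real event types) and flags an MFA-fatigue approval and a factor-reset → new-enrollment → admin-grant chain on the same user.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a generic IdP audit-log shape (not Okta's real schema).
# Tuple layout: (timestamp, user, event)
SAMPLE_EVENTS = [
    ("2025-08-20T09:00:01", "alice", "mfa.push.sent"),
    ("2025-08-20T09:00:09", "alice", "mfa.push.sent"),
    ("2025-08-20T09:00:18", "alice", "mfa.push.sent"),
    ("2025-08-20T09:00:27", "alice", "mfa.push.sent"),
    ("2025-08-20T09:00:35", "alice", "mfa.push.sent"),
    ("2025-08-20T09:00:41", "alice", "mfa.push.approved"),   # user gave in
    ("2025-08-20T09:05:00", "bob", "mfa.factor.reset"),      # help-desk reset
    ("2025-08-20T09:12:00", "bob", "mfa.factor.enrolled"),   # new device enrolled
    ("2025-08-20T09:30:00", "bob", "admin.role.granted"),    # privilege change
    ("2025-08-20T10:00:00", "carol", "mfa.push.sent"),       # normal single login
    ("2025-08-20T10:00:05", "carol", "mfa.push.approved"),
]

PUSH_THRESHOLD = 5                 # assumed tuning values
PUSH_WINDOW = timedelta(minutes=2)
CHAIN_WINDOW = timedelta(hours=1)
CHAIN = ["mfa.factor.reset", "mfa.factor.enrolled", "admin.role.granted"]

def parse(events):
    return sorted((datetime.fromisoformat(ts), user, ev) for ts, user, ev in events)

def detect_mfa_fatigue(events):
    """Flag users who approved a push after >= PUSH_THRESHOLD pushes inside PUSH_WINDOW."""
    alerts, recent = [], defaultdict(list)  # recent: user -> push timestamps in window
    for ts, user, ev in parse(events):
        if ev == "mfa.push.sent":
            recent[user] = [t for t in recent[user] if ts - t <= PUSH_WINDOW] + [ts]
        elif ev == "mfa.push.approved":
            pushes = [t for t in recent[user] if ts - t <= PUSH_WINDOW]
            if len(pushes) >= PUSH_THRESHOLD:
                alerts.append((user, "mfa_fatigue", len(pushes)))
            recent[user] = []  # approval closes the window
    return alerts

def detect_reset_to_admin_chain(events):
    """Flag users for whom reset -> enroll -> admin grant occurs, in order, within CHAIN_WINDOW."""
    alerts, progress = [], {}  # progress: user -> (next chain index, chain start time)
    for ts, user, ev in parse(events):
        idx, start = progress.get(user, (0, None))
        if idx > 0 and ts - start > CHAIN_WINDOW:
            idx, start = 0, None  # chain went stale; start over
        if ev == CHAIN[idx]:
            start = start or ts
            idx += 1
            if idx == len(CHAIN):
                alerts.append((user, "factor_reset_to_admin", int((ts - start).total_seconds() // 60)))
                idx, start = 0, None
        progress[user] = (idx, start)
    return alerts
```

Both rules are stateless across users and cheap enough to run on a streaming log feed; the chain rule is the one to wire to an automatic session revocation.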
For broad social engineering defense tips, check out CISA’s guidance.
Protecting Yourself: Personal SIM-Swap and Crypto Safety
You can’t control a carrier’s every move, but you can make yourself a harder target.
Do this today:
- Replace SMS 2FA with app-based TOTP (e.g., authenticator apps) or, better, passkeys/security keys.
- Set a strong carrier account PIN and turn on port-out/number lock protections.
  - Verizon: Number Lock
  - T-Mobile: Add extra account security
  - AT&T: Extra security
- Remove your phone number as a recovery factor wherever possible. Use authenticator apps or recovery codes.
- Use passkeys where supported (they’re phishing-resistant). Learn more from the FIDO Alliance.
- Lock down email first. It’s the hub that resets everything else.
- For crypto:
  - Enable withdrawal allowlists and time delays.
  - Use hardware wallets for long-term holdings.
  - Don’t store seed phrases online—keep them offline and split or shard if possible.
- Turn on account alerts for logins, password changes, and recovery changes.
- Consider Google’s Advanced Protection Program if you’re high-risk.
- Freeze your credit at the bureaus and set up fraud alerts.
Myth-busting:
- A SIM PIN protects a physical SIM in your phone, not carrier port-outs. It doesn’t stop SIM swapping.
- Authenticator apps are safer than SMS, but still phishable. Passkeys/security keys add the strongest protection for most people.
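The allowlist and time-delay controls recommended here (and in the “Limit and monitor high-risk actions” item of the organizational playbook) work because they deny an attacker the one thing a SIM swap gives them: speed. The block below is an added example, not code from the original post or from any exchange: it models the exchange-side policy with constructed thresholds (48 h hold after a factor change, 24 h activation delay for new destinations, dual approval above an assumed amount) and walks a constructed SIM-swap timeline through it.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Constructed policy values; a real deployment picks them from its own risk appetite.
FACTOR_CHANGE_HOLD = timedelta(hours=48)          # the 24–48 hour hold after an MFA/phone change
ALLOWLIST_ACTIVATION_DELAY = timedelta(hours=24)  # new destinations usable only after a delay
DUAL_APPROVAL_THRESHOLD = 10_000                  # assumed amount at/above which two approvers sign

@dataclass
class AccountState:
    allowlist_added_at: Dict[str, datetime] = field(default_factory=dict)  # destination -> when added
    last_factor_change: Optional[datetime] = None  # MFA reset, phone-number change, password reset

def add_to_allowlist(state: AccountState, dest: str, now: datetime) -> None:
    state.allowlist_added_at[dest] = now

def record_factor_change(state: AccountState, now: datetime) -> None:
    state.last_factor_change = now

def evaluate_withdrawal(state: AccountState, dest: str, amount: int, now: datetime,
                        approvals: int = 0) -> Tuple[str, str]:
    """Return (decision, reason). Every 'hold' is meant to trigger an out-of-band alert
    (email, app push, or a phone number the attacker does not control) so the real
    owner gets a chance to notice before funds move."""
    added = state.allowlist_added_at.get(dest)
    if added is None:
        return ("deny", "destination not on allowlist")
    if now - added < ALLOWLIST_ACTIVATION_DELAY:
        return ("hold", "destination allowlisted less than 24h ago")
    if state.last_factor_change and now - state.last_factor_change < FACTOR_CHANGE_HOLD:
        return ("hold", "MFA/phone factor changed within the last 48h")
    if amount >= DUAL_APPROVAL_THRESHOLD and approvals < 2:
        return ("hold", "amount requires dual approval")
    return ("allow", "policy checks passed")

def simulate_sim_swap_scenario():
    """Constructed timeline: the victim allowlisted a cold wallet weeks ago; an attacker
    swaps the SIM, resets MFA via SMS, adds a new wallet and tries to withdraw at once."""
    state = AccountState()
    add_to_allowlist(state, "victim-cold-wallet", datetime(2025, 8, 1, 12, 0))
    swap = datetime(2025, 8, 20, 9, 0)
    record_factor_change(state, swap)                                 # SMS-based MFA reset
    add_to_allowlist(state, "attacker-wallet", swap + timedelta(minutes=5))
    return [
        evaluate_withdrawal(state, "unknown-wallet", 500, swap + timedelta(minutes=6)),
        evaluate_withdrawal(state, "attacker-wallet", 500, swap + timedelta(minutes=6)),
        evaluate_withdrawal(state, "attacker-wallet", 500, swap + timedelta(hours=25)),
        evaluate_withdrawal(state, "victim-cold-wallet", 500, swap + timedelta(hours=49)),
        evaluate_withdrawal(state, "victim-cold-wallet", 50_000, swap + timedelta(hours=49)),
        evaluate_withdrawal(state, "victim-cold-wallet", 50_000, swap + timedelta(hours=49), approvals=2),
    ]
```

The attacker’s first two attempts are held by the allowlist delay and the factor-change hold, which is exactly the window the “Signs You’re Being SIM-Swapped” section tells the victim to use.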
Signs You’re Being SIM-Swapped (And What to Do)
Red flags:
- Your phone suddenly shows “No Service” while others around you have coverage.
- You stop receiving texts and calls, or get a flood of “account recovery” messages.
- You see alerts about new logins or password resets you didn’t initiate.
- Your carrier sends a “SIM change” or “welcome to your new device” message.
Act fast—every minute counts:
1. Get online via Wi‑Fi.
2. Contact your carrier’s fraud line immediately. Ask them to reverse the port-out and lock the account.
3. Change email and financial account passwords from a known-safe device. Revoke all sessions.
4. Rotate MFA factors and remove phone numbers from recovery flows.
5. Alert your crypto exchange/broker to freeze withdrawals, if applicable.
6. Check inbox rules and forwarding in your email—attackers often set up silent forwarding.
7. File reports:
   - FBI IC3: ic3.gov
   - Identity theft: identitytheft.gov
8. If it’s a work number or work accounts, notify your security team immediately.
The Bigger Picture: Why Social Engineering Still Wins
Modern security stacks are impressive. Yet attackers keep winning by attacking people and processes instead of exploiting zero-days. Scattered Spider’s operations highlight that:
- Urgency is a weapon. The more frantic the story, the more likely someone will override process.
- Help desks are target-rich. Support staff want to help; attackers leverage that instinct.
- Recovery paths are blind spots. If your “break glass” flow uses SMS or email only, attackers will find it.
- Public pressure shapes outcomes. Countdown timers and data leak sites push victims toward quick decisions.
As law enforcement cracks down, expect two things:
- Teams will consolidate to share tools and access, becoming more capable.
- Social engineering will intensify because it remains cost-effective and scalable.
Key Takeaways You Can Act On Today
- SMS is not security. Replace it with phishing-resistant MFA (passkeys/security keys) for any account that matters.
- Tighten identity recovery flows. Make it hard to reset MFA or change phone numbers without strong verification and time delays.
- Train your help desk like your SOC. They’re gatekeepers to your identity systems.
- Build a SIM-swap playbook. Know exactly who to call and what to shut off when a key number is hijacked.
- For crypto, assume attackers will target exchange accounts and recovery paths. Use allowlists, delays, and hardware wallets.
FAQs
Q: What sentence did the Scattered Spider hacker receive? A: Noah Michael Urban was sentenced to 10 years in federal prison, three years of supervised release, and ordered to pay $13 million in restitution for SIM-swapping and related crypto theft, per reports from Bloomberg and News4JAX.
Q: What is SIM swapping and how does it steal crypto? A: SIM swapping tricks a carrier into transferring your phone number to a new SIM controlled by the attacker. With your number, they intercept SMS codes, reset passwords, and take over accounts—including crypto exchanges—to initiate withdrawals. See the FBI’s PSA for details.
Q: Is SMS-based 2FA safe? A: It’s better than no MFA, but it’s vulnerable to SIM swapping and interception. Move to phishing-resistant MFA like passkeys or security keys. Reference: NIST SP 800-63B and the FIDO Alliance.
Q: How do I stop a SIM swap on my account? A: Add a carrier account PIN and enable port-out locks/number locks:
- Verizon Number Lock
- T-Mobile Extra Security
- AT&T Extra Security
Also remove phone numbers as recovery methods and use passkeys or authenticator apps.
Q: What is “MFA fatigue” and how do attackers use it? A: MFA fatigue is a barrage of push notifications meant to annoy users into tapping “Approve.” Attackers combine this with social engineering (e.g., “It’s IT—please approve to sync your device”). Phishing-resistant MFA stops this because there’s nothing to “approve.”
Q: Who is Scattered Spider connected to? A: Reporting and analysis indicate Scattered Spider has aligned with other groups including ShinyHunters and LAPSUS$, collectively linked to a broader community sometimes referred to as “The Com.” See industry coverage at The Hacker News and research from Flashpoint.
Q: I think I’ve been SIM-swapped—who do I report it to? A: Contact your carrier immediately to reverse the port. Then report the incident to the FBI via ic3.gov. If identity theft is involved, use identitytheft.gov. If funds were stolen, notify your bank or exchange at once to attempt a freeze.
Q: Are passkeys really better than SMS 2FA? A: Yes. Passkeys are phishing-resistant and don’t rely on text messages or passwords. They use public-key cryptography tied to your device. Learn more at the FIDO Alliance.
Staying ahead of groups like Scattered Spider isn’t about buying another tool—it’s about removing your weakest links. Replace SMS with phishing-resistant MFA, harden your help desk, and rehearse your response. That’s how you turn a headline risk into a non-event.