Florida SIM-Swapper Linked to Scattered Spider Gets 10-Year Sentence and $13M Restitution
If you’ve followed the rise of social-engineering-driven hacks over the last few years, this one will make you pause. A 20-year-old from Florida—tied by researchers to the group known as Scattered Spider (aka 0ktapus)—just received a decade-long federal prison sentence. He pleaded guilty to wire fraud conspiracy and identity theft tied to SIM swapping and large-scale phishing. He’s also on the hook for more than $13 million in restitution to dozens of victims.
Here’s why this case matters: it’s the first known prison sentence for a Scattered Spider member. It signals a tougher era of accountability for a crew that has hammered more than 130 organizations with cunning, low-tech attacks that hit where companies are vulnerable—their people, their help desks, and their identity systems.
In this deep dive, we’ll unpack what happened, why it matters, how Scattered Spider operates, and the practical steps you can take to protect your business and your personal accounts from the same playbook.
Who Is Noah Michael Urban—and What Did He Do?
Noah Michael Urban, a Florida resident, pleaded guilty to federal charges in two cases—one in Florida and one in California—stemming from SIM swapping, wire fraud, and identity theft schemes that ran from at least 2021 through 2023. He was sentenced to 10 years in prison. He also agreed to repay victims—far beyond the charges he admitted to—for a total of more than $13 million.
Urban operated online under aliases including “King Bob,” “Anthony Ramirez,” “Elijah,” “Gustavo Fring,” and “Sosa.” According to independent reporting and threat intelligence, he moved in the same underground circles as Scattered Spider and appears linked to the 0ktapus phishing campaign behind high-profile breaches.
- In the Florida case, prosecutors tied him to a SIM swapping scheme that stole at least $800,000 in crypto from five victims (August 2022–March 2023).
- In the California case, Urban and co-conspirators were accused of phishing employees across the U.S. to steal login credentials, break into company systems, lift sensitive data, and siphon millions in crypto (September 2021–April 2023).
The sentence, first reported by Jacksonville outlet News 4 Jax, reflects both cases combined. News4Jax has tracked the story locally.
Here’s why that matters: heavy sentences for social engineering crimes have been rare compared with technically “sophisticated” intrusions. This ruling underscores that courts now view SIM swapping and business credential theft as serious, organized financial crime.
Quick Timeline of Charges, Pleas, and Sentence
- September 2021–April 2023: Series of phishing-for-credentials and intrusion schemes across multiple companies.
- August 2022–March 2023: SIM swapping spree steals at least $800,000 in crypto from five people.
- January 2024: Florida arrest tied to SIM swapping and identity theft.
- November 2024: California indictment (with four others) for conspiracy, wire fraud, and aggravated identity theft.
- 2025: Urban pleads guilty in both cases. He receives a 10-year sentence and agrees to more than $13 million in restitution to 59 individuals—some not named in the charges he admitted to.
Unusual twist: Urban’s plea deal includes restitution to victims beyond the scope of his admitted crimes. Typically, restitution attaches to the counts of conviction. In his agreement, Urban explicitly waived that limitation.
What Is Scattered Spider (aka 0ktapus)?
Scattered Spider is one of the most disruptive social-engineering threat groups of the last few years. Researchers say they excel at tricking people—not servers. If you’ve seen “MFA fatigue” pop-ups, fake help desk calls, or text-based phishing that steals employee credentials, you’ve seen their playbook.
- MITRE ATT&CK tracks Scattered Spider as a distinct threat group and documents its TTPs (tactics, techniques, and procedures).
- The Group-IB team, in its 0ktapus report, links Scattered Spider to the 0ktapus phishing campaign that hit Twilio, Cloudflare, and many others in 2022.
- The Malpedia repository associates “Scattered Spider” (and 0ktapus) in its actor listings.
Security vendors have used different names for the same cluster, including “Octo Tempest” (Microsoft) and “UNC3944” (Mandiant). Microsoft’s threat intel team details the group’s evolution—and its collaborations with ransomware affiliates.
This group’s hallmark: persistent, multi-channel social engineering. They phish employees by SMS, impersonate IT staff on calls, persuade help desks to reset MFA, and then move quickly to commandeer identity systems, cloud consoles, and high-value apps.
The 2022 Twilio Breach: A Classic 0ktapus Campaign
In July–August 2022, a phishing wave targeted Twilio and other companies. Attackers sent employees text messages that spoofed internal login pages. When victims entered credentials and MFA codes, the attackers used them in real time to break in.
- Twilio’s own post-incident report is a must-read on this technique.
- Group-IB’s forensic analysis ties the campaign to a broader 0ktapus operation.
The same crew has been linked by researchers to attacks on LastPass, DoorDash, Mailchimp, and streaming and retail brands. In 2023, casino giants MGM and Caesars suffered major disruptions and ransom demands after social-engineering-driven intrusions, as Reuters reported.
How the Schemes Worked: SIM Swapping and Phishing-for-Credentials
Let’s break down the two core schemes behind this case. Both are simple to explain, but their impact can be massive.
SIM Swapping: Taking Over a Phone Number to Drain Accounts
SIM swapping is when an attacker convinces or corrupts a mobile carrier to move your phone number to a SIM card they control. Once they control your number, they can intercept SMS messages and calls—including password reset links and 2FA codes.
Why it works:
- Many banks, crypto platforms, and email providers still rely on SMS for login or account recovery.
- Carriers sometimes have weak or overburdened customer support processes.
- Attackers prep by collecting personal data on targets to pass “security” checks.
Once the attacker takes your number, they reset passwords, log in, and empty accounts within minutes. It’s devastating, fast, and tough to roll back.
If you want a clear primer, the FCC’s guidance on SIM swapping scams is a solid resource.
How to reduce your risk:
- Use app-based 2FA or hardware security keys instead of SMS whenever possible. CISA publishes guidance on stronger MFA.
- Set a SIM PIN on your device. Apple and Google both publish instructions.
- Add a port-out PIN with your carrier and enable any “account lock” features they offer.
- For crypto, use hardware wallets or multi-sig. Avoid relying on SMS for exchange logins or recovery.
- Watch for “no service” signals out of the blue. If your phone drops off the network, contact your carrier from another device immediately.
Let me be blunt: SMS-based security is the flimsiest link in your chain. Upgrade it, especially for any account that can move money or reset other accounts.
Phishing and Help Desk Social Engineering: Beating MFA the Old-Fashioned Way
The California case describes widespread phishing of employee credentials. The attackers then sweet-talked or pressured support staff into resetting MFA to let them in. This is the Scattered Spider sweet spot: persistent, believable impersonation followed by rapid abuse of identity systems.
Common tactics in this playbook:
- SMS or email links to realistic, branded login pages.
- MFA fatigue: repeated push notifications to get you to tap “approve.”
- Live relay attacks: as soon as a victim enters credentials, attackers use them on the real site.
- Help desk impersonation: calling in as an executive or VIP to reset MFA.
- Identity provider abuse: once inside, attackers escalate privileges, mint tokens, or register new devices.
The joint CISA/FBI advisory on Scattered Spider/UNC3944 gives a thorough overview of these TTPs and how to defend against them.
Why this works so well:
- Many companies still allow help desks to reset MFA with weak verification.
- Legacy MFA methods (like push or SMS) can be socially engineered.
- Identity systems are complex. A single weak workflow can open the door.
The fix isn’t just better tech. It’s better process. Train staff, lock down support procedures, and use phishing-resistant MFA whenever possible.
The Legal Outcome: 10 Years in Prison and a Rare Restitution Deal
Urban pleaded guilty to:
- Conspiracy to commit wire fraud (Florida case).
- Conspiracy to commit wire fraud, wire fraud, and aggravated identity theft (California case).
The judge imposed a 10-year prison term and a restitution order exceeding $13 million to 59 individuals across both cases. Under his plea, he agreed to repay victims beyond the counts he admitted to—an uncommon but significant concession.
Why the restitution piece is a big deal:
- It signals prosecutors pushed for whole-of-harm recovery, not just count-by-count.
- It gives victims a clearer path to compensation, though collection often takes years.
- It sets a precedent other defendants may now face in multi-victim cybercrime cases.
For anyone tempted to view social engineering as a “low risk, high reward” hustle, this sentence says otherwise.
What This Means for Businesses: Practical, High-Impact Defenses
You don’t have to be Twilio or MGM to be a target. If you run payroll, handle customer data, or manage crypto or loyalty points, you’re in scope. Here’s a prioritized roadmap.
1) Move to phishing-resistant MFA
- Deploy FIDO2/WebAuthn passkeys or security keys for admins, developers, finance, and support teams. Start with your identity provider and cloud consoles.
- Make SMS and simple push approvals the exception, not the default.
- Educate users on MFA fatigue and set rate limits or number matching to reduce “accidental approves.”
- Resources: CISA’s MFA guidance and the FIDO Alliance passkeys overview.
2) Lock down help desk and recovery workflows
- Require strong identity proofing before any MFA reset (recorded callbacks to verified numbers, identity questions not in HRIS, or SSO-backed approvals).
- Disallow ad hoc resets for VIPs without a second admin’s approval.
- Force re-enrollment in person or via high-assurance channels.
- Audit ticket notes and call logs. Randomly review resets for red flags.
3) Harden your identity provider (IdP) and admin paths
- Monitor for suspicious events: new device enrollments, token minting, rogue app registrations, impossible travel, and atypical API use.
- Enforce conditional access: block risky logins from unfamiliar networks and require stronger MFA for sensitive apps.
- Restrict access to password reset and MFA admin APIs. Use just-in-time privileges.
4) Reduce blast radius
- Segment admin roles. No single admin should have full control of IdP, email, and endpoint management.
- Use just-in-time elevation for privileged actions. Log and alert on changes.
- Limit data exposure by default. If an attacker gets in, they shouldn’t find everything.
5) Train people to recognize “the voice of the attacker”
- Share real SMS phish examples. Teach the signs: urgent language, unfamiliar links, fake branded domains.
- Run live drills. Practice how to escalate suspicious help desk requests.
- Empower employees to say “no” and follow the playbook—even for VIPs.
6) Prepare an “MFA reset under attack” playbook
- Who gets paged when an MFA reset looks suspicious?
- How do you rapidly revoke tokens, block devices, and force re-auth?
- How do you communicate with affected users without making it easier for the attacker?
If you want a strategic overview of Scattered Spider’s evolving tactics, Microsoft’s analysis of “Octo Tempest” is invaluable.
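An added example, not from the original article or any vendor: a small Python review of IdP audit events that applies items 2 and 3 above, flagging MFA resets that lack a distinct second approver and device enrollments from a previously unseen IP shortly after a reset. The event schema, field names, and sample data are constructed assumptions; map them to whatever your identity provider actually logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, vendor-neutral schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "type": "login", "ip": "198.51.100.10"},
    {"ts": "2024-05-01T13:02:00", "user": "alice", "type": "mfa_reset",
     "actor": "helpdesk1", "approver": None},
    {"ts": "2024-05-01T13:09:00", "user": "alice", "type": "device_enroll", "ip": "203.0.113.77"},
    {"ts": "2024-05-02T10:00:00", "user": "bob", "type": "login", "ip": "198.51.100.20"},
    {"ts": "2024-05-02T10:30:00", "user": "bob", "type": "mfa_reset",
     "actor": "helpdesk1", "approver": "helpdesk2"},
    {"ts": "2024-05-02T10:45:00", "user": "bob", "type": "device_enroll", "ip": "198.51.100.20"},
    {"ts": "2024-05-03T08:00:00", "user": "carol", "type": "mfa_reset",
     "actor": "helpdesk2", "approver": "helpdesk2"},
]


def review_mfa_resets(events, window=timedelta(minutes=30)):
    """Return (user, reason) findings in chronological order."""
    findings = []
    known_ips = defaultdict(set)  # baseline: IPs each user has logged in from
    last_reset = {}               # user -> time of the most recent MFA reset
    # ISO 8601 timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "login":
            known_ips[user].add(ev["ip"])
        elif ev["type"] == "mfa_reset":
            approver = ev.get("approver")
            # Two-person rule: an approver must exist and differ from the actor.
            if not approver or approver == ev.get("actor"):
                findings.append((user, "reset_without_second_approver"))
            last_reset[user] = ts
        elif ev["type"] == "device_enroll":
            reset_at = last_reset.get(user)
            recent = reset_at is not None and ts - reset_at <= window
            # Reset followed quickly by enrollment from an unfamiliar network.
            if recent and ev["ip"] not in known_ips[user]:
                findings.append((user, "enroll_from_new_ip_after_reset"))
    return findings


if __name__ == "__main__":
    for user, reason in review_mfa_resets(EVENTS):
        print(f"{user}: {reason}")
```

Findings like these are candidates for the random reset reviews and the “MFA reset under attack” playbook described above, not proof of compromise on their own.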
What Individuals and Crypto Holders Should Do Now
SIM swapping and account takeover often begin with a single weak link—usually SMS 2FA or easy account recovery. You can close that gap today.
- Replace SMS codes with app-based 2FA or passkeys wherever possible. If a site supports security keys, use them.
- Set a SIM PIN on your phone and a port-out PIN with your carrier.
- Use a hardware wallet for significant crypto. Assume exchange accounts can be phished.
- Don’t reuse passwords. Use a reputable password manager with strong, unique passwords.
- Monitor for “no service” or sudden SIM errors. That can be your first sign of a swap in progress.
- Keep your primary email hyper-secure. It’s the master key for resetting everything else.
- Consider a credit freeze at the big bureaus to limit identity-based attacks.
- Learn how to spot phishing. If a text or email demands urgent action, slow down and verify out-of-band.
The FCC’s consumer guide to SIM swapping is a helpful starting point, and CISA’s “Secure Our World” tips are practical and up to date.
The Cultural Piece: “The Com,” Clout, and Cybercrime as a Lifestyle
Urban, under the handles “King Bob” and “Sosa,” was reportedly a visible figure in “The Com,” a loose online scene where hackers and fraudsters trade techniques, share “wins,” and celebrate social engineering exploits. According to reporting from veteran journalist Brian Krebs, “King Bob” bragged about leaking unreleased rap tracks, likely obtained via SIM swapping, on underground forums. Krebs covers this ecosystem extensively at KrebsOnSecurity.
Here’s the uncomfortable truth: many of the people behind these intrusions are very young, very online, and highly persistent. They’re not writing zero-days. They’re calling your help desk. They’re DMing your interns. They’re texting your contractors at midnight.
The best defense is not to out-tech them. It’s to out-process them. Make social engineering hard. Make resets boring and slow. Make identity changes require two humans. Reward gatekeeping. Celebrate “no.”
Why This Case Is a Turning Point
- First sentencing linked to Scattered Spider: Until now, the group’s members seemed slippery and out of reach. A 10-year term is a message.
- Restitution beyond admitted counts: Prosecutors are pushing for fuller victim compensation in complex, multi-jurisdiction cases.
- Law enforcement is catching up to social engineering: These aren’t “kids pranking IT.” They’re organized criminal conspiracies, and the justice system is responding in kind.
Expect more arrests and more cooperation between agencies and tech companies. Expect broader indictments across states. And expect courts to treat SIM swapping and corporate credential theft as major financial crimes—not youthful mischief.
Key Takeaways
- Social engineering is the primary attack vector for many of today’s biggest breaches.
- SMS-based 2FA is no longer adequate for high-value accounts, corporate or personal.
- Help desks and identity recovery workflows are the softest targets in many organizations.
- A 10-year sentence signals that courts view SIM swapping and phishing-for-credentials as serious felonies with real victims.
- You can materially reduce risk with phishing-resistant MFA, stronger support procedures, and a culture that empowers “verify, then act.”
If you remember nothing else, remember this: close the identity gaps. Attackers go where the process is weakest, not where the tech is strongest.
Frequently Asked Questions
Who is Noah Michael Urban?
He’s a 20-year-old Florida man who pleaded guilty in federal court to conspiracy to commit wire fraud, wire fraud, and aggravated identity theft tied to SIM swapping and large-scale phishing. He received a 10-year prison sentence and must repay more than $13 million to victims.
What is Scattered Spider (aka 0ktapus)?
A social-engineering-focused threat group linked to widespread credential-phishing campaigns, MFA bypass, and help desk impersonation. MITRE tracks the group, and Group-IB has published a report on the 0ktapus campaign.
Is Scattered Spider the same as 0ktapus?
Researchers often use the names interchangeably for overlapping activity clusters. Group-IB’s 0ktapus research and MITRE’s Scattered Spider profile refer to the same broader phenomenon of social-engineering-led intrusions. Malpedia consolidates the actor naming.
What sentence did Urban receive?
Ten years in federal prison, with a restitution order of more than $13 million. He agreed to compensate 59 victims, including some not tied to the specific charges he admitted to—an uncommon element in plea deals.
How did the SIM swapping work in this case?
Attackers allegedly convinced carriers to move victims’ phone numbers to SIMs they controlled, intercepting SMS 2FA and password resets to drain crypto accounts. The FCC publishes an overview of SIM swap scams.
What were the phishing techniques?
SMS-based phishing (smishing) that captured logins and MFA codes on spoofed portals, along with help desk impersonation to reset MFA. The CISA/FBI advisory on Scattered Spider covers these TTPs.
Were other people charged?
Yes, in the California case, Urban was charged alongside four others with conspiracy and identity theft offenses related to phishing and corporate intrusions. Additional prosecutions are likely as investigations continue.
How can companies protect themselves from Scattered Spider-style attacks?
- Adopt phishing-resistant MFA (passkeys/security keys) for high-risk users.
- Tighten help desk identity verification and require two-person approvals for MFA resets.
- Lock down IdP admin paths, monitor unusual events, and reduce privileges by default.
- Train staff on phishing and social-engineering tactics using real examples.
How can individuals protect against SIM swapping?
- Use app-based 2FA or security keys instead of SMS where possible.
- Set a SIM PIN and a port-out PIN with your carrier.
- Secure your primary email with the strongest MFA available.
- Consider hardware wallets for crypto and monitor accounts for unusual activity.
What major companies has Scattered Spider targeted?
Researchers link the group to campaigns affecting Twilio, LastPass, DoorDash, Mailchimp, Plex, and 2023 incidents at MGM Resorts and Caesars Entertainment. See Twilio’s incident review and Reuters’ coverage of the casino breaches.
The Bottom Line
This sentence is a line in the sand. The era of viewing SIM swapping and “just phishing” as low-risk is over. Prosecutors, judges, and companies now recognize these schemes for what they are: organized attacks on identity that can drain bank accounts, cripple operations, and expose sensitive data.
Your next move is clear:
- Replace SMS with phishing-resistant MFA on high-value accounts.
- Make help desk resets slow, verified, and auditable.
- Train your people and pressure-test your identity workflows.
If this breakdown was helpful, stick around for more practical, plain-English security guides. Subscribe to get future explainers and playbooks in your inbox—and turn today’s headlines into tomorrow’s defenses.