What is 'Scattered Spider'? How this massive phishing scam worked.

Five people have been charged for stealing millions in cryptocurrency.
By Matt Binder  on 
Phishing campaign via mobile device
A notorious phishing group has just been charged for their scam campaign which stole millions from their victims. Credit: Just_Super via Getty Images

The spammers. The scammers. And you. Telemarketers and junk mail has evolved in the digital age to a behemoth of persistent trickery. In Scammed, we help you navigate a connected world that’s out for your money, your information, or just your attention.


The scheme was deemed one of the most "sophisticated" phishing scams of all time. But now, the five alleged cybercriminals thought to be behind the group that security researchers have called "Scattered Spider" have officially been criminally charged.

Four individuals from the U.S. – Ahmed Hossam, Eldin Elbadawy, Noah Michael Urban, Evans Onyeaka Osiebo, and Joel Martin Evans – have been charged by a federal grand jury for conspiracy to commit wire fraud, conspiracy, and aggravated identity theft. In addition, Tyler Robert Buchanan of the UK has also been charged with an additional wire fraud count.

The five defendants face a maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, as well as up to five years in federal prison for conspiracy, and a mandatory two year sentence for aggravated identity theft. Buchanan also faces up to 20 years in prison for the wire fraud charge.

"We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals," said United States Attorney Martin Estrada according to a Department of Justice statement. "As this case shows, phishing and hacking has become increasingly sophisticated and can result in enormous losses," Estrada continued.

What was the Scattered Spider scheme?

As Ars Technica reports, Microsoft researchers called Scattered Spider "one of the most dangerous financial criminal groups," and for good reason.

Mashable Light Speed
Want more out-of-this world tech, space and science stories?
Sign up for Mashable's weekly Light Speed newsletter.
By signing up you agree to our Terms of Use and Privacy Policy.
Thanks for signing up!

The alleged cybercriminals are thought to have carefully planned out an elaborate and hyper-targeted phishing scam that went after employees of large companies like MGM and Twilio. In fact, Scattered Spider's breach at MGM, which involved a phone call to the company's help desk, resulted in a temporary shut down of the company's hotel and casino operations, costing the company $100 million.

The Scattered Spider plan of attack involved sending text messages to employees at the targeted companies while pretending to be part of their employer's IT department. The texts urged the employees to login to a link provided in the text message, otherwise, the text message claimed, their employee accounts would be deactivated.

Instead of an internal company page, the link led to a phishing website designed to steal the user's information. Once on the fake website, employees would input their login credentials and two-factor authentication under the assumption that the request and website were legitimate.

From there, Scattered Spider would have the necessary information to access the computer systems of both employees and employers. Scattered Spider allegedly stole confidential information from businesses, such as intellectual property and confidential work products, and employees, such as names, email addresses, and telephone numbers.

According to federal documents, the group was able to utilize this information to steal millions of dollars from victims' cryptocurrency wallets. 

Scattered Spider's scam lasted from September 2021 to April 2023.

"The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts," said Akil Davis, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, in the DOJ's statement. "These types of fraudulent solicitations are ubiquitous and rob American victims of their hard-earned money with the click of a mouse."

Topics Cybersecurity


More from Scammed
Meet 'Daisy' an AI bot that wastes phone scammers' time
An elderly woman looks into the camera holding a landline telephone.

Somehow crypto scams grew by nearly 50 percent last year
Bitcoin on a red backlit keyboard

New online scam claims to have proof your spouse is cheating on you
Scam email


[Update: Meta responds] Scammers are using Meta's copyright takedown tool against influencers
Facebook and Instagram app logos

Recommended For You
New online scam claims to have proof your spouse is cheating on you
Scam email

The 20 best action movies on Netflix right now
Composite of images from Netflix action movies.

Report: Google removed voter scam ads from search results
A voter leans over their ballot in a voting booth.

One thing to know before you buy a gift card
A store displays gift cards for purchase.

'Chainsaws Were Singing' review: This '70s horror throwback is a time capsule… of the early 2010s?
Laura Niils and Karl-Joosep Ilves in "Chainsaws Were Singing."

Trending on Mashable
NYT Connections hints today: Clues, answers for December 6, 2024
A phone displaying the New York Times game 'Connections.'

NYT Mini crossword answers, hints for December 6, 2024
Closeup view of crossword puzzle clues

At 2 a.m., an unexpected event led to a surprise planet discovery
A NASA conception of what the exoplanet Kepler-51e might look like.

Wordle today: Answer, hints for December 6
a phone displaying Wordle

Tesla suspends Cybertruck production. Who could have predicted this?
Tesla vehicles, including Cybertrucks, loaded on a transport that seems to be going nowhere.
The biggest stories of the day delivered to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up. See you at your inbox!