THE FALL OF “SOSA”: Scattered Spider Hacker Pleads Guilty in Multi-Million Dollar Crypto Heist

Posted on By John Neff No Comments on THE FALL OF “SOSA”: Scattered Spider Hacker Pleads Guilty in Multi-Million Dollar Crypto Heist
Day
00
–:–
Post Activated

Discovery Date: March 2023 (FBI Raid)

Threat Group: Scattered Spider (linked to “the Com”)

Victims: Over 30 individuals, major tech and telecom companies, virtual currency exchanges

Breach Period: August 2022 – March 2023

Primary Objective: Large-scale cryptocurrency theft, corporate infiltration, and unauthorized data access

The Guilty Plea That Pulled Back the Curtain

Noah Michael Urban — alias Sosa, also known online as “Elijah” and “King Bob” — has pleaded guilty to a slate of federal charges in one of the most far-reaching cybercrime cases of the decade. The 20-year-old hacker, a confirmed member of the Scattered Spider cybercriminal syndicate, now faces up to 60 years behind bars after prosecutors tied him to more than $25 million in damages.

Urban signed the plea agreement in Florida federal court, admitting to wire fraud, aggravated identity theft, and widespread involvement in SIM swapping, phishing operations, and crypto fraud. The case marks a major milestone in the ongoing war between law enforcement and one of the most dangerous digital threat groups operating today.

Scattered Spider: A New Breed of Hacker

Unlike typical cyber gangs hidden behind language barriers and encryption layers, Scattered Spider is American-born, English-speaking, and intimately familiar with Western tech systems and communication methods. Their tactics go beyond brute force—they rely on psychological intrusion, social engineering, and SIM hijacking to bypass 2FA systems and take over high-value accounts.

According to the FBI, this group — considered a spin-off of the earlier hacking syndicate known as “the Com” or “the Community” — built its reputation with adversary-in-the-middle (AiTM) phishing campaigns, credential stuffing, and voice-phishing (vishing) tactics that tricked support staff into granting account-level access.

Inside the Crimes: What Urban Did

Urban’s activities spanned both individual and corporate targets. From January 2021 to March 2023, he:

  • Stole over $2.6 million in cryptocurrency from at least 16 victims, most using stolen IDs and social engineering.
  • Executed a confirmed SIM swap on an AT&T customer, using it to drain $374,000 in crypto.
  • Gained access to AOL, Gmail, and corporate email systems through phishing attacks and intercepted SMS 2FA codes.
  • Was personally involved in operations that triggered total losses estimated between $9.5M and $25M, according to DOJ records.

The FBI raid on his Florida home in March 2023 uncovered a desktop loaded with cryptocurrency wallets, access logs to victim emails, and notes referencing account credentials. They seized $2.89M in crypto tied directly to stolen assets.

During a May 2023 FBI interview, Urban admitted that “all of the funds found were related to Scattered Spider activities.”

More Than Just Crypto

Urban wasn’t just a financial hacker — he was also part of the music leak underground. Cybersecurity journalist Brian Krebs linked him to high-profile intrusions involving unreleased material from globally recognized musicians. The stolen tracks were leaked online, costing artists and labels millions in unrecoverable damages and shattering trust in cloud-stored music archives.

Network of Chaos: The Other Operatives

Urban was one of five suspects tied to this particular string of breaches:

  • Ahmed Hossam Eldin Elbadawy
  • Evans Onyeaka Osiebo
  • Joel Martin Evans
  • Tyler Buchanan (UK national, arrested June 2024 in Spain)

While Urban and Evans were arrested in 2024, two others remain at large, and federal authorities are actively hunting them down. Prosecutors stated that their joint operations targeted:

  • Telecom giants
  • Cloud communication providers
  • Crypto platforms
  • Business outsourcing companies
  • Entertainment companies (including those tied to the MGM ransomware breach)

This crew operated like a decentralized cartel — skill-swapping, trading stolen access, and weaponizing PII (personally identifiable information) for entry into increasingly hardened systems.

How the Spider Spun Its Web

Group-IB’s recent analysis revealed that one phishing campaign alone compromised nearly 10,000 accounts across 136 organizations — an astonishing hit rate for a group this young.

Tactics used by Scattered Spider:

  • AiTM Kits: Intercepted login credentials and 2FA tokens in real-time.
  • SIM Swaps: Reassigned phone numbers to attacker-controlled devices, granting full access to victims’ cloud accounts.
  • Smishing: Targeted SMS campaigns that prompted employees to “verify” credentials via fake portals.
  • Deep Recon: Gathered target profiles, behavioral patterns, and internal comms to make impersonation easier.

Microsoft’s Warning

Even Microsoft rang the alarm in 2023, calling Scattered Spider:

“One of the most dangerous financial criminal groups active today, with advanced capabilities rivaling those of nation-state actors.”

Their ability to infiltrate Coinbase, Riot Games, Reddit, Twilio, LastPass, and even MGM gave them unprecedented access to both customer and enterprise data — often leaving zero trace until it was too late.

Restitution and Fallout

As part of the plea agreement, Urban has forfeited all crypto assets seized and agreed to pay over $13 million in restitution to more than 30 victims. But whether those victims will ever see full recovery remains uncertain, especially with international suspects still missing and assets often scattered across decentralized wallets.

The Bigger Picture: Digital Gangs, Real World Consequences

The Urban plea reveals more than just a crime — it exposes the soft underbelly of a world increasingly reliant on insecure digital platforms and overconfident in biometric locks, SMS 2FA, and outsourced trust.

Scattered Spider isn’t gone — it’s simply been wounded. The new breed of cybercriminals they represent isn’t hiding in the shadows of foreign servers. They’re here, operating in plain sight, leveraging U.S.-based infrastructure, speaking fluent English, and beating systems from the inside.

The next version of “Sosa” could already be inside your company’s Slack channel — disguised as a help desk request or pretending to reset a password.

Noah Urban, in a 2024 booking photo. Image: Volusia County Sheriff’s Office

🔥 NOW AVAILABLE! 🔥

📖 INK & FIRE: BOOK 1 📖

A bold and unapologetic collection of poetry that ignites the soul. Ink & Fire dives deep into raw emotions, truth, and the human experience—unfiltered and untamed.

🔥 Kindle Edition 👉 https://a.co/d/9EoGKzh
🔥 Paperback 👉 https://a.co/d/9EoGKzh
🔥 Hardcover Edition 👉 https://a.co/d/0ITmDIB

Get your copy today and experience poetry like never before. #InkAndFire #PoetryUnleashed #FuelTheFire

🚨 NOW AVAILABLE! 🚨

📖 THE INEVITABLE: THE DAWN OF A NEW ERA 📖

A powerful, eye-opening read that challenges the status quo and explores the future unfolding before us. Dive into a journey of truth, change, and the forces shaping our world.

🔥 Kindle Edition 👉 https://a.co/d/0FzX6MH
🔥 Paperback 👉 https://a.co/d/2IsxLof
🔥 Hardcover Edition 👉 https://a.co/d/bz01raP

Get your copy today and be part of the new era. #TheInevitable #TruthUnveiled #NewEra

🚀 NOW AVAILABLE! 🚀
📖 THE FORGOTTEN OUTPOST 📖
The Cold War Moon Base They Swore Never Existed

What if the moon landing was just the cover story?

Dive into the boldest investigation The Realist Juggernaut has ever published—featuring declassified files, ghost missions, whistleblower testimony, and black-budget secrets buried in lunar dust.

🔥 Kindle Edition 👉 https://a.co/d/2Mu03Iu
🛸 Paperback Coming Soon

Discover the base they never wanted you to find. TheForgottenOutpost #RealistJuggernaut #MoonBaseTruth #ColdWarSecrets #Declassified

Help us bring real change! Corporate lobbying has corrupted our system for too long, and it’s time to take action. Please sign and share this petition—your support is crucial in restoring accountability to our government. Every signature counts! Thank you!

https://www.ipetitions.com/petition/restore-our-republic-end-lobbying

Support truth, health, and preparedness by shopping the Alex Jones Store through our link. Every purchase helps sustain independent voices and earns us a 10% share to fuel our mission. Shop now and make a difference!

https://thealexjonesstore.com?sca_ref=7730615.EU54Mw6oyLATer7a

Sponsored • TRJ Ads
Inquiries: contact@therealistjuggernaut.com

Blogging, Cryptocurrency and Blockchain, Cybersecurity, Digital Warfare, Federal Crime Watch, Investigations, Threat Actor Profiles, Uncategorized Tags:, , , , , , , , , , , , , ,

Related Posts

Reimagining Our Wild Encounters: A Call for Ethical Wildlife Experiences Animal Welfare
Unveiling the Hidden Control: Google’s Influence on Social Media Giants Like Facebook and X, and Its Reach at SpaceX and Tesla Autonomous Vehicles
The Mirror’s Curse: The Halloween Grip – Story Time Ancient Legends
Hackers Compromise Argentina’s Airport Security Payroll System: A Broader Threat to National Infrastructure Blogging
Veil of Vapors: Alora’s Mystical Dance Alora
Legacy of Light Blogging

Leave a Reply

Discover more from The Realist Juggernaut

Subscribe now to keep reading and get access to the full archive.

Continue reading