The scheme was deemed one of the most “sophisticated” phishing scams of all time. But now, the five alleged cybercriminals thought to be behind the group that security researchers have called “Scattered Spider” have officially been criminally charged.

Four individuals from the U.S. – Ahmed Hossam, Eldin Elbadawy, Noah Michael Urban, Evans Onyeaka Osiebo, and Joel Martin Evans – have been charged by a federal grand jury for conspiracy to commit wire fraud, conspiracy, and aggravated identity theft. In addition, Tyler Robert Buchanan of the UK has also been charged with an additional wire fraud count.

The five defendants face a maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, as well as up to five years in federal prison for conspiracy, and a mandatory two year sentence for aggravated identity theft. Buchanan also faces up to 20 years in prison for the wire fraud charge.

“We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals,” said United States Attorney Martin Estrada according to a Department of Justice statement. “As this case shows, phishing and hacking has become increasingly sophisticated and can result in enormous losses,” Estrada continued.

What was the Scattered Spider scheme?

As Ars Technica reports, Microsoft researchers called Scattered Spider “one of the most dangerous financial criminal groups,” and for good reason.

The alleged cybercriminals are thought to have carefully planned out an elaborate and hyper-targeted phishing scam that went after employees of large companies like MGM and Twilio. In fact, Scattered Spider’s breach at MGM, which involved a phone call to the company’s help desk, resulted in a temporary shut down of the company’s hotel and casino operations, costing the company $100 million.

The Scattered Spider plan of attack involved sending text messages to employees at the targeted companies while pretending to be part of their employer’s IT department. The texts urged the employees to login to a link provided in the text message, otherwise, the text message claimed, their employee accounts would be deactivated.

Instead of an internal company page, the link led to a phishing website designed to steal the user’s information. Once on the fake website, employees would input their login credentials and two-factor authentication under the assumption that the request and website were legitimate.

From there, Scattered Spider would have the necessary information to access the computer systems of both employees and employers. Scattered Spider allegedly stole confidential information from businesses, such as intellectual property and confidential work products, and employees, such as names, email addresses, and telephone numbers.

According to federal documents, the group was able to utilize this information to steal millions of dollars from victims’ cryptocurrency wallets. 

Scattered Spider’s scam lasted from September 2021 to April 2023.

“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” said Akil Davis, the Assistant Director in Charge of the FBI’s Los Angeles Field Office, in the DOJ’s statement. “These types of fraudulent solicitations are ubiquitous and rob American victims of their hard-earned money with the click of a mouse.”