A 20-year-old Florida man, who was among five people indicted last year for being part of the notorious Scattered Spider cybercrime group, is expected to spend the next 10 years in federal prison.
Noah Michael Urban was arrested in Florida in January 2024 and indicted in November 2024, and in April pleaded guilty to wire fraud and conspiracy charges. In a sentencing hearing this week, U.S. prosecutors recommended an eight-year term and Urban’s lawyer asked for five years, but the judge surpassed both, sentencing him to 10 years in federal prison and ordering him to pay about $13 million in restitution to victims.
After his release, Urban will face another three years of supervised release.
News of the sentence was reported by Bloomberg and Florida TV news station News4Jax, whose reporter was in the courtroom.
Urban, who was known by such online aliases as King Bob, Sosa, Elijah, and Gustavo Fring, told cybersecurity specialist Brian Krebs in a series of messages on X (formerly Twitter) from a county jail in Florida that the sentence was unfair and that the judge in the case did not take into account his age when making his decision.
Scattered Spider’s Trail of Victims
Most of the charges Urban pleaded guilty to were related to cases in Florida, though one was transferred from California. The $13 million in restitution is aimed at covering victims in all those cases.
He and the other four suspects indicted were accused of being foundational to Scattered Spider, a threat group that made its name with extortion attacks on such high-profile companies as Caesars Entertainment and MGM Resorts International and against customers of Snowflake’s cloud storage services.
More recently, the group targeted companies across sectors including retail, insurance and aviation.
Phishing, SIM Swapping, Credential Theft
Urban pleaded guilty to a series of phishing scams that ran from August 2022 to March 2023. He admitted that he and his cohorts in Scattered Spider – which also is known as Oktapus, Scatter Swine, Muddled Libra, and UNC3944 – targeted employees at organizations with SMS and video phishing schemes, tricking them into divulging their credentials and one-time passcodes.
The bad actors then used the stolen information to access the victims’ accounts and steal corporate and customer information and cryptocurrency. Their scams included a website that looked like a legitimate Okta authentication page, with the phishing messages in some instances telling their targets that they needed to change their VPN credentials. Other messages told targets that their work schedules were changing.
They also used SIM swapping – where threat actors trick mobile service providers into switching a victim’s phone number to a SIM card they control, giving them access to such information as calls, messages, and security codes and the ability to take control of their online accounts – to bypass multifactor authentication to access such accounts.
Through the attacks, the Scattered Spider suspects were able to gain access into the systems of more than 100 organizations.
A Part of The Com
Scattered Spider is believed to be associated with a larger group that calls itself The Com, a collective comprising young, English-speaking hackers known for a range of attacks, from phishing and SIM-swapping to ransomware, initial access, data theft, and extortion.
Scattered Spider “surfaced in 2022 but has surged in notoriety through 2023 and into 2025 due to a series of high-impact attacks on sectors like telecommunications, technology, healthcare, and aviation,” researchers with Cyware wrote in a report this month. “Unusually for a financially motivated group, Scattered Spider mimics state-backed Advanced Persistent Threats (APTs) in sophistication. Its members are often native English speakers, skilled in both social engineering and technical compromise. They are experts in exploiting identity systems, bypassing multifactor authentication (MFA), and abusing legitimate IT tools for persistence and lateral movement.”
It began as a group that ran SIM-swapping and phishing attacks aimed at telecoms and financial platforms, the Cyware researchers wrote. A year later, it expanded its targets to include enterprise networks and this year evolved beyond SIM swapping and phishing to include adversary-in-the-middle (AiTM) phishing kits, which allowed them to intercept MFA tokens in real time, “enabling near-universal bypass of multi-factor authentication mechanisms even in hardened environments,” they wrote.
Continuing Evolution
In 2025, Scattered Spider dramatically refined its operational playbook: moving beyond broad SIM-swap and phishing gambits, the group adopted advanced Adversary-in-the-Middle (AiTM) phishing kits to intercept MFA tokens in real time, enabling near-universal bypass of multifactor authentication mechanisms even in hardened environments.
“Their phishing domains became more nuanced and targeted, often mimicking corporate SSO [single sign-on] or help‑desk portals … and hosted on dynamic DNS providers to evade heuristic detection,” the researchers wrote.
There are also reports by ReliaQuest and others that Scattered Spider is aligning itself with the ShinyHunters threat group – which most recently is behind a series of CRM platform-based attacks against the likes of Workday, Google, Pandora, and others – and possibly LAPSUS$ to create a more formidable cyberthreat alliance.
