LOS ANGELES – Law enforcement today unsealed criminal charges against five defendants who allegedly targeted employees of companies nationwide with phishing text messages and then used the harvested employee credentials to log in and steal non-public company data and information and to hack into virtual currency accounts to steal millions of dollars in cryptocurrency.
The following defendants are charged by a federal grand jury indictment with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft:
- Ahmed Hossam Eldin Elbadawy, 23, a.k.a. “AD,” of College Station, Texas;
- Noah Michael Urban, 20, a.k.a. “Sosa” and “Elijah,” of Palm Coast, Florida;
- Evans Onyeaka Osiebo, 20, of Dallas, Texas; and
- Joel Martin Evans, 25, a.k.a. “joeleoli,” of Jacksonville, North Carolina.
Evans was arrested Tuesday by the FBI in North Carolina and is expected to make his initial court appearance today. Urban also faces and has pleaded not guilty to several fraud charges in a separate criminal case in federal court in Jacksonville, Florida.
Also unsealed today was a criminal complaint charging Tyler Robert Buchanan, 22, of the United Kingdom, with conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.
“We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals,” said United States Attorney Martin Estrada. “As this case shows, phishing and hacking has become increasingly sophisticated and can result in enormous losses. If something about the text or email you received or website you’re viewing seems off, it probably is.”
“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” said Akil Davis, the Assistant Director in Charge of the FBI’s Los Angeles Field Office. “These types of fraudulent solicitations are ubiquitous and rob American victims of their hard-earned money with the click of a mouse. I’m proud of our stellar cyber agents whose work led to the identification of the alleged schemers who are facing significant prison time if convicted.”
According to court documents, from at least September 2021 to April 2023, the defendants conducted phishing attacks by sending mass short message service (SMS) text messages to mobile phones of numerous victim companies’ employees – messages that purported to be from the victim company or a contracted information technology or business services supplier of the victim company.
The phishing text messages often stated that the employees’ accounts were about to be deactivated and provided links to phishing websites which were designed to look like legitimate websites of the victim companies or their contracted suppliers and lure the recipient into providing confidential information, including account login credentials. Some employees went to the phishing websites, entered their credentials, and sometimes authenticated their identities using a two-factor authentication request sent to their mobile phones.
The defendants then used the stolen credentials to gain unauthorized access the accounts of victim companies’ employees and the companies’ computer systems to steal confidential information, including confidential work product, intellectual property, and personal identifying information, such as account access credentials, names, email addresses, and telephone numbers.
The group also used stolen information obtained from victim company intrusions, leaked data sets, and other sources, to gain unauthorized access to numerous individuals’ cryptocurrency accounts and wallets and steal millions of dollars’ worth of virtual currency.
An indictment and a complaint contain allegations that a defendant has committed a crime. Every defendant is presumed to be innocent until and unless proven guilty in court.
If convicted, each defendant would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years in federal prison for the conspiracy count, and a mandatory two-year consecutive prison sentence for aggravated identity theft. Buchanan would face up to 20 years in prison for the wire fraud count as well.
The FBI is investigating these matters. The United States Attorney’s Office for the Eastern District of North Carolina, Police Scotland and the FBI field offices in Charlotte, Denver, Houston and Portland provided assistance during this investigation.
Assistant United States Attorneys Lauren Restrepo of the Cyber and Intellectual Property Crimes Section and Sue J. Bai of the Terrorism and Export Crimes Section are prosecuting these cases.
Source: U.S. Attorney’s Office, Central District of California
Related: Complaint in U.S.A. v. Buchanan, courtesy of Bleeping Computer
Update: Reuters’ coverage reports about how these defendants are allegedly all members of Scattered Spider.