The U.S. government announced charges against five individuals accused of carrying out a multi-year hacking spree targeting tech giants and cryptocurrency owners, which security researchers dubbed 0ktapus.
On Wednesday, the U.S. Department of Justice announced the charges against the five alleged hackers: Ahmed Hossam Eldin Elbadawy, 23, of College Station, Texas; Noah Michael Urban, 20, of Palm Coast, Florida; Evans Onyeaka Osiebo, 20, of Dallas, Texas; Joel Martin Evans, 25, of Jacksonville, North Carolina; and Tyler Robert Buchanan, 22, from the United Kingdom, who was .
The press release said that the five accused hackers targeted employees at American companies with phishing text messages with the goal of stealing their credentials, which they then used to break in and steal company data, as well as cryptocurrency worth millions of dollars. The hackers also allegedly used SIM swapping attacks to steal employees’ phone numbers and get their passwords by using password reset features.
Victims mentioned in the court documents published on Wednesday include U.S.-based organizations providing entertainment products, virtual currency, cloud communication platforms, and telecommunication services. The hackers allegedly stole $6.3 million in cryptocurrency from a single unnamed victim, the indictment says.
“We allege that this group of cybercriminals perpetrated a sophisticated scheme to steal intellectual property and proprietary information worth tens of millions of dollars and steal personal information belonging to hundreds of thousands of individuals,” said U.S. Attorney Martin Estrada, as quoted in the press release.
As part of the announcement, the DOJ related to the case.
Security researchers have previously linked the alleged hackers to a prolific hacking group called 0ktapus, named for its use of spoofed Okta login portals used by tech giants. The hackers targeted hundreds of companies over , including Twilio, Coinbase, and DoorDash, and to target game makers, including Riot Games.
The hackers were later believed to be involved with other criminal cyberattacks under the group Scattered Spider. Ciaran McEvoy, a spokesperson for the DOJ, confirmed to TechCrunch that the five hackers are suspected of being part of the group known as Scattered Spider.
In one of the court documents, prosecutors describe the cybercriminal gang as “a loosely organized financially motivated cybercriminal group whose members primarily target large companies and their contracted telecommunications, information technology, and business process outsourcing suppliers.”
According to one of the court documents, which cites the FBI’s investigation, Buchanan and the other hackers targeted at least 45 companies in Canada, the U.S., the U.K., and other countries.
Urban is accused of having stolen more than $800,000 in Bitcoin and Ethereum from several victims, one of the court documents says. One of the documents also mentions an “unindicted co-conspirator,” and “other co-conspirators,” suggesting there are more suspects who have yet to be publicly accused of crimes.
The hackers are said to be part of a wider cybercriminal community referred to by researchers as “the Com,” a largely nebulous network of , who are highly proficient in impersonation and social engineering techniques capable of tricking employees into handing over their corporate passwords.
Evans is accused of writing software used for phishing attacks, as well as managing online infrastructure, such as a Telegram channel, to exchange stolen credentials and virtual currency. Authorities found files that contained stolen credentials at the residence of Elbadawy in March 2023. In the case of several of the victims mentioned in the court documents, the hackers allegedly used fake websites of Okta, a popular secure authentication provider.
The National Crime Agency did not respond to a request for comment on Buchanan’s arrest.
Carly Page contributed reporting.