Grasping Scattered Spider: An In-Depth Look at This Extensive Phishing Scheme and Its Functioning


The operation has been characterized as one of the most “advanced” phishing frauds ever recorded. Currently, five individuals alleged to be members of the cybercriminal organization termed “Scattered Spider” have been officially charged with federal offenses.

Four American citizens (Ahmed Hossam Eldin Elbadawy, Noah Michael Urban, Evans Onyeaka Osiebo, and Joel Martin Evans) have been indicted by a federal grand jury on counts of conspiracy to commit wire fraud, conspiracy, and aggravated identity theft. Furthermore, Tyler Robert Buchanan, a citizen of the UK, is facing comparable charges alongside an additional count of wire fraud, as reported by the Department of Justice.

### Possible Sentences
If found guilty, the accused could face a maximum of 20 years in federal prison for conspiracy to commit wire fraud, five years for conspiracy, and a mandatory two-year sentence for aggravated identity theft. Buchanan, due to the added wire fraud charge, may also confront an additional maximum sentence of 20 years.

“We assert that this group of cybercriminals implemented a complex scheme to appropriate intellectual property and proprietary data worth tens of millions of dollars, in addition to personal information of hundreds of thousands of individuals,” stated U.S. Attorney Martin Estrada in a DOJ announcement. “This case highlights the evolution of phishing and hacking into highly sophisticated operations with severe repercussions.”

### What Was the Scattered Spider Operation?
As reported by *Ars Technica*, Microsoft researchers have identified Scattered Spider as “one of the most perilous financial criminal outfits.” The group is accused of executing a carefully orchestrated phishing campaign that targeted employees of major corporations such as MGM Resorts and Twilio.

One significant breach involved MGM Resorts, where the group allegedly accessed the company’s systems via a straightforward phone call to its help desk. This incident temporarily halted MGM’s hotel and casino operations, leading to losses estimated at $100 million.

Their approach consisted of sending text messages to employees, impersonating members of their company’s IT department. These messages urged the recipients to click on a provided link to log in, warning that failure to comply would lead to account deactivation. However, the link directed victims to a phishing site designed to capture their login credentials and two-factor authentication codes.

Upon obtaining this data, the group reportedly used it to infiltrate corporate systems and extract sensitive information. This encompassed intellectual property, confidential business documents, and personal data of employees, including names, email addresses, and phone numbers. Federal records indicate that the stolen information was also exploited to access victims’ cryptocurrency wallets, resulting in millions of dollars in theft.

### Timeline and Consequences
The Scattered Spider phishing operation is said to have occurred between September 2021 and April 2023. Throughout this period, the group reportedly inflicted substantial financial and operational harm on its victims.

“The defendants targeted unsuspecting individuals through this phishing scheme, leveraging their personal information as a route to steal millions from cryptocurrency accounts,” remarked Akil Davis, Assistant Director in Charge of the FBI’s Los Angeles Field Office. “Such fraudulent schemes are widespread and deprive Americans of their hard-earned money with mere clicks.”

This case stands as a sharp reminder of the increasing complexity of cybercrime and the critical need for vigilance in safeguarding personal and corporate data.