A federal judge has sentenced a Florida man to 10 years in prison for his role in a sophisticated cybercrime operation that defrauded dozens of victims of millions in cryptocurrency.
As
Urban was a member of the cybercrime group Scattered Spider, which has earned heightened scrutiny from cybersecurity groups including the Financial Services Information and Analysis Center (FS-ISAC), a cybersecurity information sharing group for the financial sector, including for
Urban pleaded guilty on April 4, 2025, to conspiracy to commit wire fraud, wire fraud, and aggravated identity theft. The final 10-year sentence significantly exceeded the ranges implied by both the prosecution and defense under U.S. Sentencing Guidelines.
From a Florida county jail, Urban complained about bias by the judge in his case in a statement to cybersecurity journalist Brian Krebs on X.
"The judge purposefully ignored my age as a factor because of the fact another Scattered Spider member hacked him personally during the course of my case," Urban told Krebs. "He should have been removed as a judge much earlier on. But staying in county jail is torture."
U.S. prosecutors had argued for approximately 7 years (75 to 87 months), and the defense argued for approximately 6 years (65 to 75 months), based on U.S. sentencing guideline calculations.
Urban's criminal activities
From August 2022 through March 2023, Urban, using aliases including "King Bob," "Sosa," "Elijah," and "Gustavo Fring," engaged in a scheme to steal cryptocurrency from at least 59 victims across the United States.
He and his co-conspirators executed SIM swap attacks to obtain victims' personally identifiable information (PII). SIM swapping involves fraudulently obtaining the SIM card of a victim. Often, this is done by defrauding the victim's mobile carrier into providing the SIM card, giving the attacker access to make and receive phone calls and text messages using the victim's phone number.
Urban and the others then used this information and access to log into victims' online cryptocurrency accounts and unlawfully transfer funds.
Urban was also part of a group that targeted employees of companies nationwide with phishing text messages. These messages led employees to fraudulent websites designed to harvest their login credentials.
The group then used these stolen credentials to gain unauthorized access to victim companies' computer systems, stealing non-public company data and further facilitating cryptocurrency theft.
The FBI found evidence on Urban's computer linking him to victim email accounts and cryptocurrency wallets, confirming his direct involvement and the presence of approximately $4.8 million in stolen cryptocurrency on his devices.
Scattered Spider's MO
Scattered Spider is a financially motivated cybercriminal group known for its sophisticated social engineering tactics.
Also identified as Starfraud, UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, and Muddled Libra, this group primarily targets large companies and their contracted IT help desks, business process outsourcing (BPO) suppliers, and telecommunications firms.
Key aspects of Scattered Spider's operations are directly relevant to U.S. banks and credit unions, inspiring a warning in June from FS-ISAC and similar cybersecurity groups that represent other industries. The groups highlighted the following threats posed by Scattered Spider:
- SIM swapping: As discussed previously, these attacks wrest control of phone numbers away from victims.
- Social engineering expertise: The group excels at social engineering, using phishing, smishing (SMS phishing), vishing (voice phishing), and "push bombing" (repeated multifactor authentication requests) to obtain credentials and bypass multifactor authentication. They often pose as company IT or help desk staff via phone calls or SMS messages, convincing employees to reveal credentials or run remote access tools.
- Targeting third-party suppliers: Scattered Spider frequently targets telecommunication and BPO entities. Compromising these suppliers provides a springboard for social engineering operations against their clients, including financial institutions.
- Data theft and extortion: The group primarily engages in data theft for extortion, threatening to release sensitive information unless a ransom is paid. They steal data from various locations, including U.S.-based data centers and cloud storage services such as Amazon S3 and MEGA[.]NZ.
- Ransomware deployment: Scattered Spider also utilizes various ransomware variants, notably BlackCat/ALPHV and DragonForce. They deploy ransomware to encrypt victim files and demand a ransom for decryption, often encrypting VMware ESXi servers, which are a popular virtualized computing solution.
- Use of legitimate tools: They employ publicly available, legitimate remote access tunneling tools like Fleetdeck.io, Level.io, Mimikatz, Ngrok, and Pulseway to evade detection. They also use "living off the land" (LOTL) techniques, leveraging existing system features to blend in.
- Adaptability and persistence: Scattered Spider consistently modifies its tactics, techniques, and procedures (TTPs) to avoid detection. They conduct extensive reconnaissance to identify valuable targets and personas, even joining victim organizations' incident response calls to understand and counter defensive strategies.
- Targeting cloud environments: The group has shown a sophisticated understanding of cloud and on-premises environments, infiltrating cloud services and rapidly pivoting to on-premises assets. They search for Snowflake access to exfiltrate large data volumes.
The group consists of young, native English-speaking cybercriminals primarily from the U.S., UK, and Canada, operating as a loose coalition rather than a rigid cartel. Their flexible structure makes them incredibly challenging to neutralize. Financial institutions must remain vigilant against these evolving and highly adaptable threats.
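A defender-side illustration of the "push bombing" item in the list above, added here and not part of the original article or any vendor's product: it flags a burst of rejected or unanswered MFA push prompts for one user, and separately flags an approval that arrives right after such a burst. The log format, result names, and thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): "<UTC timestamp> <user> <push result>"
SAMPLE_EVENTS = """\
2025-06-02T09:00:05Z alice push_denied
2025-06-02T09:00:40Z alice push_approved
2025-06-02T09:10:00Z carol push_denied
2025-06-02T09:30:00Z carol push_denied
2025-06-02T09:50:00Z carol push_timeout
2025-06-02T10:10:00Z carol push_denied
2025-06-02T10:30:00Z carol push_denied
2025-06-02T23:01:00Z bob push_denied
2025-06-02T23:01:30Z bob push_timeout
2025-06-02T23:02:10Z bob push_denied
2025-06-02T23:02:50Z bob push_denied
2025-06-02T23:03:20Z bob push_timeout
2025-06-02T23:04:00Z bob push_denied
2025-06-02T23:04:45Z bob push_approved
"""

REJECTED = {"push_denied", "push_timeout"}  # assumed result names


def detect_push_bombing(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (user, time, rejected_count, kind) alerts from time-ordered MFA push events."""
    recent = defaultdict(deque)  # user -> times of rejected prompts still inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, result = line.split()
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        q = recent[user]
        while q and ts - q[0] > window:  # expire prompts older than the window
            q.popleft()
        if result in REJECTED:
            q.append(ts)
            if len(q) == threshold:  # alert once as the burst reaches the threshold
                alerts.append((user, ts, len(q), "burst"))
        elif result == "push_approved":
            # An approval right after a burst may mean the user gave in: highest priority.
            if len(q) >= threshold:
                alerts.append((user, ts, len(q), "approved_after_burst"))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

In the sample, alice's single mistaken denial and carol's rejections spread across more than an hour stay silent; only bob's late-night burst and the approval that follows it are reported.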