A 20-year-old member of the notorious cybercrime gang known as Scattered Spider has been sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts.
Noah Michael Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. News of Urban’s sentencing was reported by Bloomberg and Jacksonville news outlet News4JAX.
In addition, 120 months in federal prison, Urban faces an additional three years of supervised release and has been ordered to pay $13 million in restitution to victims. In a statement shared with security journalist Brian Krebs, Urban called the sentence unjust.
Urban, who also went by the aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was arrested by U.S. authorities in Florida in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023. These incidents led to the theft of at least $800,000 from at least five different victims, per the U.S. Department of Justice (DoJ).
Prosecutors said Urban and his co-conspirators engaged in SIM swapping attacks to hijack victims’ cryptocurrency accounts and plunder the digital assets.
Later that November, the DoJ unsealed criminal charges against Urban and four other members of Scattered Spider for using social engineering techniques to target employees of companies across the U.S. and to break into corporate networks and steal proprietary data and to siphon millions of dollars in cryptocurrency.
Tyler Robert Buchanan, who is among those indicted, was extradited from Spain to the U.S. in April following his arrest in the European nation last June.
The development comes as Scattered Spider has joined forces with other threat groups ShinyHunters and LAPSUS$ to form a new cybercrime alliance. The group, associated with a broader English-speaking cybercriminal collective called The Com, has a history of conducting social engineering, credential theft, and SIM swapping, initial access, ransomware deployment, data theft, and extortion attacks.
“Scattered Spider has historically leaned on tactics that generate urgency, drive media and industry attention, create fear of exposure, and help force victims to payout quicker,” Adam Darrah, vice president of intelligence at ZeroFox, told The Hacker News in a statement.
“Timed leaks, countdown threats, and taunts directed at security firms are all part of their playbook. They have ties to a wider network of like-minded actors, which has given them access to more tools, data, and infrastructure, multiplying their effectiveness. We regularly see groups team up when there is an increase in external pressures, like law enforcement crackdowns. To survive, these groups need to consolidate. And the result is often a more versatile and potentially dangerous combined operation.”
Cybersecurity firm Flashpoint, which published a profile of Scattered Spider last week, said the financially-motivated hacking group adopts a wave-like approach by choosing a specific sector and attacking as many organizations within that vertical over a short span of time.
“The tactics employed by Scattered Spider demonstrate their ability to exploit weaknesses in security programs by targeting people rather than strictly systems or technical vulnerabilities,” it said. “Their use of social engineering, via vishing, smishing, and MFA fatigue attacks, proves that even the most advanced technical defenses can be circumvented through human deception.”
