5 charged in “Scattered Spider,” one of the most profitable phishing scams ever

Prosecutors allege that the phishing attacks ran from at least September 2021 to April 2023. During that time, the defendants sent text messages to mobile phones of employees of the targeted companies that purported to come from the IT departments of their employers.

The text messages often falsely warned that the employees’ accounts would be deactivated imminently unless they clicked on links to malicious sites that were designed to look like legitimate websites used by victim companies. The phishing sites attempted to lure the employees into providing confidential information, including account login credentials. Some employees took the bait by visiting the sites, entering their credentials, and authenticating their identities with two-factor authentication. Scattered Spider then entered the intercepted passwords and 2FA credentials into the legitimate sites and gained access to the employee accounts.

Once inside targeted companies’ networks, the defendants allegedly stole confidential information, including personal information, such as account credentials, names, email addresses, and telephone numbers. Prosecutors said the defendants also used information stolen from hacked companies and elsewhere to access cryptocurrency accounts or wallets of “numerous individuals” and take millions of dollars’ worth of digital coins.

If convicted, each defendant faces a maximum sentence of 20 years in prison for conspiracy to commit wire fraud, up to five years in federal prison for one count of conspiracy, and a mandatory two-year consecutive prison sentence for aggravated identity theft. Buchanan also faces up to 20 years in prison if he is convicted of wire fraud.