On Jan. 9, 2024, U.S. authorities arrested a 19-year-old Florida man charged with wire fraud, aggravated id theft, and conspiring with others to make use of SIM-swapping to steal cryptocurrency. Sources near the investigation inform KrebsOnSecurity the accused was a key member of a felony hacking group blamed for a string of cyber intrusions at main U.S. expertise firms through the summer time of 2022.
A graphic depicting how 0ktapus leveraged one sufferer to assault one other. Picture credit score: Amitai Cohen of Wiz.
Prosecutors say Noah Michael City of Palm Coast, Fla., stole at the least $800,000 from at the least 5 victims between August 2022 and March 2023. In every assault, the victims noticed their e-mail and monetary accounts compromised after struggling an unauthorized SIM-swap, whereby attackers transferred every sufferer’s cell phone quantity to a brand new system that they managed.
The federal government says City glided by the aliases “Sosa” and “King Bob,” amongst others. A number of trusted sources informed KrebsOnSecurity that Sosa/King Bob was a core member of a hacking group behind the 2022 breach at Twilio, an organization that gives companies for making and receiving textual content messages and cellphone calls. Twilio disclosed in Aug. 2022 that an intrusion had uncovered a “restricted quantity” of Twilio buyer accounts by means of a classy social engineering assault designed to steal worker credentials.
Shortly after that disclosure, the safety agency Group-IB printed a report linking the attackers behind the Twilio intrusion to separate breaches at greater than 130 organizations, together with LastPass, DoorDash, Mailchimp, and Plex. A number of safety corporations quickly assigned the hacking group the nickname “Scattered Spider.”
Group-IB dubbed the gang by a unique identify — 0ktapus — which was a nod to how the felony group phished staff for credentials. The missives requested customers to click on a hyperlink and log in at a phishing web page that mimicked their employer’s Okta authentication web page. Those that submitted credentials had been then prompted to offer the one-time password wanted for multi-factor authentication.
A reserving picture of Noah Michael City launched by the Volusia County Sheriff.
0ktapus used newly-registered domains that always included the identify of the focused firm, and despatched textual content messages urging staff to click on on hyperlinks to those domains to view details about a pending change of their work schedule. The phishing websites used a Telegram prompt message bot to ahead any submitted credentials in real-time, permitting the attackers to make use of the phished username, password and one-time code to log in as that worker at the actual employer web site.
0ktapus typically leveraged data or entry gained in a single breach to perpetrate one other. As documented by Group-IB, the group pivoted from its entry to Twilio to assault at the least 163 of its clients. Amongst these was the encrypted messaging app Sign, which mentioned the breach might have let attackers re-register the cellphone quantity on one other system for about 1,900 customers.
On July 28 and once more on Aug. 7, a number of staff at e-mail supply agency Mailchimp supplied their distant entry credentials to this phishing group. In keeping with an Aug. 12 weblog submit, the attackers used their entry to Mailchimp worker accounts to steal knowledge from 214 clients concerned in cryptocurrency and finance.
On August 25, 2022, the password supervisor service LastPass disclosed a breach by which attackers stole some supply code and proprietary LastPass technical data, and weeks later LastPass mentioned an investigation revealed no buyer knowledge or password vaults had been accessed.
Nonetheless, on November 30, 2022 LastPass disclosed a much more severe breach that the corporate mentioned leveraged knowledge stolen within the August breach. LastPass mentioned felony hackers had stolen encrypted copies of some password vaults, in addition to different private data.
In February 2023, LastPass disclosed that the intrusion concerned a extremely complicated, focused assault in opposition to a DevOps engineer who was one among solely 4 LastPass staff with entry to the company vault. In that incident, the attackers exploited a safety vulnerability in a Plex media server that the worker was operating on his dwelling community, and succeeded in putting in malicious software program that stole passwords and different authentication credentials. The vulnerability exploited by the intruders was patched again in 2020, however the worker by no means up to date his Plex software program.
Because it occurs, Plex introduced its personal knowledge breach at some point earlier than LastPass disclosed its preliminary August intrusion. On August 24, 2022, Plex’s safety crew urged customers to reset their passwords, saying an intruder had accessed buyer emails, usernames and encrypted passwords.
KING BOB’S GRAILS
The Justice Division says City glided by glided by the nicknames “Sosa,” “Elijah,” and “King Bob.” A evaluation of 1000’s of messages that these customers posted to a number of public boards and Discord servers over the previous two years exhibits that the particular person behind these identities was primarily centered on two issues: Sim-swapping, and buying and selling in stolen, unreleased rap music recordings from well-liked artists.
Certainly, these messages present Sosa/King Bob was obsessive about discovering new “grails,” the slang time period utilized in some cybercrime dialogue channels to explain recordings from well-liked artists which have by no means been formally launched. It stands to purpose that King Bob was SIM-swapping essential folks within the music business to acquire these information, though there’s little to help this conclusion from the general public chat data accessible.
“I acquired essentially the most music within the com,” King Bob bragged in a Discord server in November 2022. “I acquired 1000’s of grails.”
King Bob’s chats present he was significantly enamored of stealing the unreleased works of his favourite artists — Lil Uzi Vert, Playboi Carti, and Juice Wrld. When one other Discord person requested if he has Eminem grails, King Bob mentioned he was uncertain.
“I’ve two folders,” King Bob defined. “One with Uzi, Carti, Juicewrld. After which I’ve ‘each different artist.’ Each different artist is unorganized as fuck and has 1000’s of random shit.”
King Bob’s posts on Discord present he rapidly turned a celeb on Leaked[.]cx, one among most energetic boards for buying and selling, shopping for and promoting unreleased music from well-liked artists. The extra grails that customers share with the Leaked[.]cx neighborhood, the extra their standing and entry on the discussion board grows.
The final cache of Leaked dot cx listed by the archive.org on Jan. 11, 2024.
And King Bob shared numerous his purloined tunes with this neighborhood. Nonetheless others he tried to promote. It’s unclear what number of of these gross sales had been ever consummated, however it’s not uncommon for a prized grail to promote for anyplace from $5,000 to $20,000.
In mid-January 2024, a number of Leaked[.]cx regulars started complaining that they hadn’t seen King Bob shortly and had been actually lacking his grails. On or round Jan. 11, the identical day the Justice Division unsealed the indictment in opposition to City, Leaked[.]cx began blocking individuals who had been making an attempt to go to the location from america.
Days later, annoyed Leaked[.]cx customers speculated about what may very well be the reason for the blockage.
“Probs blocked as a part of king bob investigation i feel?,” wrote the person “Plsdontarrest.” “Doubt he solely hacked US artists/ppl which is why it’s taking place in a number of nations.”
FORESHADOWING
On Sept. 21, 2022, KrebsOnSecurity informed the story of a “Foreshadow,” the nickname chosen by a Florida teenager who was working for a SIM-swapping crew when he was kidnapped, overwhelmed and held for a $200,000 ransom. A rival SIM-swapping group claimed that Foreshadow and his associates had robbed them of their fair proportion of the income from a latest SIM-swap.
In a video launched by his abductors on Telegram, a bloodied, battered Foreshadow was made to say they might kill him except the ransom was paid.
As I wrote in that story, Foreshadow seems to have served as a “holder” — a time period used to explain a low-level member of any SIM-swapping group who agrees to hold out the riskiest and least rewarding position of the crime: Bodily holding and managing the varied cellular gadgets and SIM playing cards which can be utilized in SIM-swapping scams.
KrebsOnSecurity has since realized that Foreshadow was a holder for a very energetic SIM-swapper who glided by “Elijah,” which was one other nickname that prosecutors say City used.
Shortly after Foreshadow’s hostage video started circulating on Telegram and Discord, a number of identified actors within the SIM-swapping area informed everybody within the channels to delete any earlier messages with Foreshadow, claiming he was totally cooperating with the FBI.
This was not the primary time Sosa and his crew had been hit with violent assaults from rival SIM-swapping teams. In early 2022, a video surfaced on a preferred cybercrime channel purporting to point out attackers hurling a brick by means of a window at an handle that matches the spacious and upscale dwelling of City’s dad and mom in Sanford, Fl.
“Brickings” are among the many “violence-as-a-service” choices broadly accessible on many cybercrime channels. SIM-swapping and adjoining cybercrime channels are replete with job presents for in-person assignments and duties that may be discovered if one searches for posts titled, “For those who dwell close to,” or “IRL job” — quick for “in actual life” job.
A variety of these labeled adverts are in service of performing brickings, the place somebody is employed to go to a selected handle and toss a brick by means of the goal’s window. Different typical IRL job presents contain tire slashings and even drive-by shootings.
THE COM
Sosa was identified to be a prime member of the broader cybercriminal neighborhood on-line referred to as “The Com,” whereby hackers boast loudly about high-profile exploits and hacks that nearly invariably start with social engineering — tricking folks over the cellphone, e-mail or SMS into gifting away credentials that permit distant entry to company inside networks.
Sosa additionally was energetic in a very harmful group of achieved felony SIM-swappers referred to as “Star Fraud.” Cyberscoop’s AJ Vicens reported final 12 months that people inside Star Fraud had been probably concerned within the high-profile Caesars Leisure an MGM Resorts extortion assaults.
“ALPHV, a longtime ransomware-as-a-service operation regarded as primarily based in Russia and linked to assaults on dozens of entities, claimed accountability for Caesars and MGM assaults in a notice posted to its web site earlier this month,” Vicens wrote. “Consultants had mentioned the assaults had been the work of a bunch tracked variously as UNC 3944 or Scattered Spider, which has been described as an affiliate working with ALPHV made up of individuals in america and Britain who excel at social engineering.”
In February 2023, KrebsOnSecurity printed knowledge taken from the Telegram channels for Star Fraud and two different SIM-swapping teams displaying these crooks centered on SIM-swapping T-Cellular clients, and that they collectively claimed entry to T-Cellular on 100 separate events over a 7-month interval in 2022.
The SIM-swapping teams had been in a position to change focused cellphone numbers to a different system on demand as a result of they always phished T-Cellular staff into giving up credentials to employee-only instruments. In every of these instances the objective was the identical: Phish T-Cellular staff for entry to inside firm instruments, after which convert that entry right into a cybercrime service that may very well be employed to divert any T-Cellular person’s textual content messages and cellphone calls to a different system.
Allison Nixon, chief analysis officer on the New York cybersecurity consultancy Unit 221B, mentioned the growing brazenness of many Com members is a operate of how lengthy it has taken federal authorities to go after guys like Sosa.
“These incidents present what occurs when it takes too lengthy for cybercriminals to get arrested,” Nixon mentioned. “If governments fail to prioritize this supply of risk, violence originating from the Web will have an effect on common folks.”
NO FIXED ADDRESS
The Daytona Seashore Information-Journal studies that City was arrested Jan. 9 and his trial is scheduled to start within the trial time period beginning March 4 in Jacksonville. The publication mentioned the decide overseeing City’s case denied bail as a result of the defendant was a robust flight threat.
At City’s arraignment, it emerged that he had no fastened handle and had been utilizing an alias to remain at an Airbnb. The decide reportedly mentioned that when a search warrant was executed at City’s residence, the defendant was downloading packages to delete pc information.
What’s extra, the decide defined, regardless of telling authorities in Could that he wouldn’t have any extra contact along with his co-conspirators and wouldn’t interact in cryptocurrency transactions, he did so anyway.
City entered a plea of not responsible. City’s court-appointed legal professional mentioned her consumer would haven’t any remark right now.
Prosecutors charged City with eight counts of wire fraud, one rely of conspiracy to commit wire fraud, and 5 counts of aggravated id theft. In keeping with the federal government, if convicted City faces as much as 20 years in federal jail on every wire fraud cost. He additionally faces a minimal necessary penalty of two years in jail for the aggravated id offenses, which can run consecutive to some other jail sentence imposed.
