A 20-year-old Florida man at the center of a prolific cybercrime group known as \u201cScattered Spider<\/strong>\u201d was sentenced to 10 years in federal prison today, and ordered to pay roughly $13 million in restitution to victims.<\/p>\n Noah Michael Urban<\/strong> of Palm Coast, Fla. pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors alleged Urban conspired with others to steal at least $800,000<\/a> from five victims via SIM-swapping attacks<\/a> that diverted their mobile phone calls and text messages to devices controlled by Urban and his co-conspirators.<\/p>\n A booking photo of Noah Michael Urban released by the Volusia County Sheriff.<\/p>\n<\/div>\n Although prosecutors had asked for Urban to serve eight years, Jacksonville news outlet News4Jax.com<\/strong> reports<\/a> the federal judge in the case today opted to sentence Urban to 120 months in federal prison, ordering him to pay $13 million in restitution and undergo three years of supervised release after his sentence is completed.<\/p>\n In November 2024 Urban was charged by federal prosecutors in Los Angeles<\/a> as one of five members of Scattered Spider (a.k.a. \u201cOktapus,\u201d \u201cScatter Swine\u201d and \u201cUNC3944\u201d), which specialized in SMS and voice phishing attacks that tricked employees at victim companies into entering their credentials and one-time passcodes at phishing websites. Urban pleaded guilty to one count of conspiracy to commit wire fraud in the California case, and the $13 million in restitution is intended to cover victims from both cases.<\/p>\n The targeted SMS scams spanned several months during the summer of 2022<\/a>, asking employees to click a link and log in at a website that mimicked their employer\u2019s Okta authentication page. Some SMS phishing messages told employees their VPN credentials were expiring and needed to be changed; other missives advised employees about changes to their upcoming work schedule.<\/p>\n That phishing spree netted Urban and others access to more than 130 companies, including Twilio<\/strong>, LastPass<\/strong>, DoorDash<\/strong>, MailChimp<\/strong>, and Plex<\/strong>. The government says the group used that access to steal proprietary company data and customer information, and that members also phished people to steal millions of dollars worth of cryptocurrency.<\/p>\n For many years, Urban\u2019s online hacker aliases \u201cKing Bob<\/strong>\u201d and \u201cSosa<\/strong>\u201d were fixtures of the Com<\/a>, a mostly Telegram and Discord-based community of English-speaking cybercriminals wherein hackers boast loudly about high-profile exploits and hacks that almost invariably begin with social engineering. King Bob constantly bragged on the Com about stealing unreleased rap music recordings from popular artists, presumably through SIM-swapping attacks. Many of those purloined tracks or \u201cgrails\u201d he later sold or gave away on forums.<\/p>\n Noah \u201cKing Bob\u201d Urban, posting to Twitter\/X around the time of his sentencing today.<\/p>\n<\/div>\n Sosa also was active in a particularly destructive group of accomplished criminal SIM-swappers known as \u201cStar Fraud<\/strong>.\u201d Cyberscoop\u2019s AJ Vicens reported in 2023 that individuals within Star Fraud were likely involved in the high-profile Caesars Entertainment and MGM Resorts extortion attacks that same year.<\/p>\n The Star Fraud SIM-swapping group gained the ability to temporarily move targeted mobile numbers to devices they controlled by constantly phishing employees of the major mobile providers. In February 2023, KrebsOnSecurity published data taken from the Telegram channels for Star Fraud and two other SIM-swapping groups showing these crooks focused on SIM-swapping T-Mobile customers, and that they collectively claimed internal access to T-Mobile on 100 separate occasions over a 7-month period in 2022<\/a>.<\/span><\/p>\n Reached via one of his King Bob accounts on Twitter\/X, Urban called the sentence unjust, and said the judge in his case discounted his age as a factor.<\/p>\n \u201cThe judge purposefully ignored my age as a factor because of the fact another Scattered Spider member hacked him personally during the course of my case,\u201d Urban said in reply to questions, noting that he was sending the messages from a Florida county jail. \u201cHe should have been removed as a judge much earlier on. But staying in county jail is torture.\u201d<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2024\/01\/noahmichaelurban.png?resize=446%2C559&ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/kingbobtweets.png?resize=601%2C485&ssl=1\")
<\/p>\n