A 20-year-old Florida man implicated in a notorious cybercrime group known as “Scattered Spider” was sentenced to 10 years in federal prison today and ordered to pay approximately $13 million in restitution to victims.
Noah Michael Urban, of Palm Coast, Fla., pleaded guilty in April 2025 to charges of wire fraud and conspiracy. Florida prosecutors said Urban conspired with others to steal at least $800,000 from five victims through SIM-swapping attacks that redirected their mobile communications to devices controlled by Urban and his accomplices.

A booking photograph of Noah Michael Urban published by the Volusia County Sheriff.
Although prosecutors sought an eight-year term for Urban, Jacksonville outlet News4Jax.com reports that the federal judge presiding over the case instead imposed a sentence of 120 months in federal custody, ordering Urban to pay $13 million in restitution and to serve three years of supervised release after completing his term.
In November 2024, Urban was indicted by federal authorities in Los Angeles as one of five participants in Scattered Spider (also known as “Oktapus,” “Scatter Swine,” and “UNC3944”), which focused on SMS and voice phishing operations that deceived employees of victim organizations into entering their login credentials and one-time passcodes on counterfeit websites. Urban pleaded guilty to a single charge of conspiracy to commit wire fraud in the California case, and the restitution of $13 million aims to compensate victims from both cases.
The targeted SMS scams spanned several months during the summer of 2022, prompting employees to click a link and log in at a site that mimicked their employer’s Okta authentication page. Some SMS phishing messages told employees that their VPN credentials were expiring and needed to be changed; others told employees about changes to their upcoming work schedules.
This phishing campaign granted Urban and his associates access to over 130 corporations, including Twilio, LastPass, DoorDash, MailChimp, and Plex. The authorities assert that the group exploited this access to steal proprietary data and customer information, while also phishing individuals to acquire millions of dollars in cryptocurrency.
For several years, Urban’s online hacker pseudonyms “King Bob” and “Sosa” were prominent in the Com, a largely Telegram and Discord-based community of English-speaking cybercriminals who boast extensively about high-profile exploits and hacks that typically begin with social engineering. King Bob frequently boasted on the Com about stealing unreleased rap music recordings from well-known artists, presumably through SIM-swapping tactics. Many of these stolen tracks or “grails” he later sold or distributed on forums.

Noah “King Bob” Urban posting on Twitter/X around the time of his sentencing today.
Sosa was also engaged in a notably damaging group of skilled criminal SIM-swappers identified as “Star Fraud.” Cyberscoop’s AJ Vicens reported in 2023 that members of Star Fraud were likely involved in the high-profile extortion attacks against Caesars Entertainment and MGM Resorts that took place that same year.
The Star Fraud SIM-swapping group gained the ability to temporarily transfer targeted mobile numbers to devices they controlled by persistently phishing employees of major mobile service providers. In February 2023, KrebsOnSecurity published data taken from the Telegram channels for Star Fraud and two other SIM-swapping groups, showing that these criminals focused on SIM-swapping T-Mobile customers, and that they collectively claimed internal access to T-Mobile on 100 separate occasions over a 7-month period in 2022.
Contacted through one of his King Bob accounts on Twitter/X, Urban called the sentence unjust, contending that the judge in his case disregarded his age as a factor.
“The judge intentionally overlooked my age since another Scattered Spider affiliate hacked him personally during my legal proceedings,” Urban stated in responses to inquiries, noting that he was sending messages from a Florida county jail. “He should have been disqualified as a judge much earlier. But remaining in county jail is torturous.”
A court transcript (PDF) from a status hearing in February 2025 confirms Urban’s account regarding the hacking incident that transpired while he was in federal custody. It involved an intrusion into a magistrate judge’s email account, through which a copy of Urban’s sealed indictment was stolen. The judge informed attorneys for both parties that a co-defendant in the California case was attempting to uncover details about Mr. Urban’s activities in Florida.
“What it ultimately turned into was a significant error,” Judge Harvey E. Schlesinger remarked. “The Court’s password…operations are managed by an external contractor. And someone contacted the external contractor representing Judge Toomey, stating, ‘I need a password change.’ And they granted the password change. That’s how whoever made the call accessed the court.”