Recently Charged Scattered Spider Suspect Did Poor Job at Covering Tracks

A California teen suspected of being a Scattered Spider member left a long trail of evidence and even used an FBI service to launder money.

A 19-year-old from California has been charged over his alleged role in Scattered Spider attacks, and court documents show that he did a poor job at covering his tracks.

Bloomberg [paywalled article] reported that the teen, Remington Ogletree, was arrested last month and released on bail.

According to court documents, Ogletree conducted cybercriminal activities between at least October 2023 and May 2024. He has been accused of gaining unauthorized access to various companies’ networks, stealing confidential data and selling some of it on the dark web, and stealing cryptocurrency, with losses caused by his actions totaling over $4 million.

The teen is said to have used social engineering, including phone calls and phishing text messages, to obtain the credentials needed to gain access to targets’ networks, which is common for Scattered Spider attacks.

A criminal complaint describes Ogletree’s role in an attack targeting an unnamed telecom business, from which he obtained API keys that gave him access to customer accounts. He abused that access to send, or attempt to send, roughly 8.5 million phishing texts to people in the US. The goal of the phishing attack was the theft of cryptocurrency from individuals.

Investigators linked Ogletree to the attack based on an iCloud account and phone number that belonged to him and were used to conduct tests for the massive phishing campaign. 

The complaint also describes attacks on an unnamed financial institution and a second telecom company, which were also compromised after an employee’s credentials were obtained through phishing. 

These attacks were also tied to Ogletree based on information associated with an account on a video gaming platform, various email accounts, and IP addresses that were used in the attacks and linked to the suspect. Some of those links were confirmed by Ogletree himself during an interview with FBI agents who conducted a search of his residence.

In the same interview, Ogletree admitted knowing about Scattered Spider and possessing hacking skills. Two days after his residence was searched, according to investigators, Ogletree attempted to convert $50,000 and later $75,000 worth of cryptocurrency to cash, but he unwittingly used a money laundering service that was part of an undercover FBI operation. 

He had previously used the same money laundering service on several occasions to convert tens of thousands of dollars worth of cryptocurrency to cash. He had the money delivered to his own residence, as well as addresses associated with his father and other family members. 

Scattered Spider (aka Starfraud, UNC3944, Scatter Swine, and Muddled Libra) is known for various types of profit-driven attacks, including ones involving the BlackCat ransomware. One of the best-known victims is hospitality and entertainment giant MGM Resorts.

The cybercrime group has also been tied to the 0ktapus campaign, which targeted at least 130 organizations, including Twilio and Cloudflare, as part of an SMS-based phishing campaign whose goal was the theft of Okta identity service credentials. 

Several alleged Scattered Spider members were arrested and charged in recent months, including in the UK and the US.   

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
