The Crypto.com platform was mentioned in a Bloomberg report as having been the target of an attack by the hacker group Scattered Spider. But the company says everything is under control and that Bloomberg’s information is inaccurate. We take stock.
Who are the hackers in the Scattered Spider group?
Let’s introduce ourselves first. Scattered Spider, also known as UNC3944, Octo Tempest, Muddled Libra, etc., is a cybercriminal group made up of young, mostly English-speaking hackers based in the United States and the United Kingdom.
The group specializes in social engineering: phishing, SMS phishing (smishing), identity theft, and bypassing multi-factor authentication methods. Since 2022, Scattered Spider has been targeting large companies in various sectors (technology, finance, retail, hospitality, etc.) to steal data, demand ransoms, or extort through public threats.
U.S. (FBI, CISA) and U.K. security authorities regularly issue detailed alerts on their tactics, techniques, and procedures (TTPs), as the group is constantly evolving to remain active while avoiding detection.
Among the identified members of Scattered Spider, Noah Michael Urban is one of the most notable: at around 20 years old, he was sentenced to ten years in prison in the United States for techniques such as SIM-swapping and phishing aimed at hijacking accounts, stealing cryptocurrency, and compromising businesses.
More recently, two British teenagers — Thalha Jubair, 19, and Owen Flowers, 18 — were arrested for their alleged role in an attack on Transport for London (TfL) in August 2024, as well as for breaking into health networks in the United States. Jubair is accused of having participated in at least 120 attacks internationally, including 47 in the United States, generating more than $115 million in ransoms.
Crypto.com was reportedly attacked by the hacker group Scattered Spider
Now that the introductions are made, let’s get back to the point. According to a Bloomberg report published on September 21, the Crypto.com platform was therefore the target of an attack by the hacker group Scattered Spider.
Bloomberg claims that the incident was “previously unreported” and that the hackers managed to gain access to users’ personal data by posing as Crypto.com employees.
They allegedly used stolen data, including records from a United Parcel Service database, to deceive employees and obtain sensitive information.
The report said that this attack would be part of a broader series of cyberattacks carried out by Scattered Spider, which reportedly targeted more than 200 companies around the world, including telecom providers, game studios, and retailers.
Crypto.com denies Bloomberg’s claims
Faced with these accusations, Crypto.com reacted quickly. In a statement posted on X (Twitter), Crypto.com CEO Kris Marszalek called Bloomberg’s claims “completely unfounded.”
Marszalek said the company detected a phishing campaign targeting one of its employees in 2023 and immediately took steps to contain the breach.
“I want to respond directly and clearly to some misinformation from uninformed sources… Any allegation that we have failed to report or disclose a security incident is completely unfounded.
As we reported in a data security incident notice filed with NMLS and other reports with relevant regulatory authorities, we detected a phishing campaign targeting one of our employees in 2023.
The incident was brought under control within hours, no customer funds were accessed or put at risk, and had an extremely limited impact on our users’ partial personal information.
Our systems are tested and constantly improved. We are proud of our safety culture and the highest number of safety certifications of any company in our industry.” »
A spokesperson for Crypto.com added that the incident was “contained within hours” and that no customer funds were accessed or put at risk. The company also stressed that it had strengthened its security measures to prevent future attacks.
Hacker Noah Urban, who is believed to be involved in the attack, was arrested and sentenced to 10 years in prison. Authorities seized about $4.8 million in crypto from Urban’s devices, with estimated losses of up to $25 million.
