The Voice of Scattered Spider: How a Teen “Caller” Caused Millions in Damages
The story of Noah Urban is one of the clearest illustrations of how teenage socializing and a simple phone call can transform into an instrument of cybercrime. According to an investigation drawing on Discord and Telegram chats, court documents, and countless interviews with sources, Urban served as a “caller” within the Scattered Spider group (also known as 0ktapus, UNC3944).
Urban possessed few technical skills — his weapon was his voice, his manner, and his confident improvisation. The caller’s task was to talk people into opening doors to their companies’ internal systems, paving the way for data theft, account takeovers, and extortion. Investigators and analysts emphasize that this role provided the group with the access it needed to strike telecom and tech firms, and eventually far larger targets.
Born in Florida in 2004, Urban did not write exploits or perform reverse engineering — instead, he quickly mastered SIM swapping and social engineering. Following scripts gleaned from Minecraft chats and underground channels, he would call mobile carriers, pose as support staff, and secure accounts and remote access to internal tools. Within weeks he was making thousands of dollars. The thrill grew, along with his network of peers in the so-called “Com” — teenage Discord and Telegram communities trading in “rare” usernames, crypto assets, and stolen recovery codes.
By 2022, Urban and his partners had moved from small-scale takeovers to supplier-level attacks. That summer, the group deployed a phishing clone of Okta’s login page and sent it to Twilio employees. One compromised account was enough to slip into Slack and coax a higher-level colleague into handing over client verification codes. In total, data from 209 organizations leaked from Twilio — from SMS verification codes to corporate accounts. The campaign became known as 0ktapus. Later, the same tactics were used against Riot Games: attackers stole the source code of League of Legends and its anti-cheat tools, demanding payment for their “return.” Riot refused.
As the schemes matured, Scattered Spider was increasingly tied to severe incidents in the U.S. and the U.K. In 2023, MGM Resorts estimated $100 million in losses from downtime and recovery; retailer Marks & Spencer reported potential damages of around $400 million. Investigators also noted collaboration with foreign extortionists, escalating pressure on victims, and even intimidation of employees’ families. CISA labeled the group a “serious and persistent threat,” while Mandiant described it as among the most aggressive.
The FBI had been monitoring Urban since at least 2021. In March 2023, federal agents raided his Florida home, seizing roughly $4 million in cryptocurrency, $100,000 in cash, luxury watches, and electronics. Urban himself estimated that tens of millions had been funneled through exchanges and gambling sites. In spring 2024, he was arrested and charged in connection with incidents affecting 13 companies, including telecom and tech firms. By April he pled guilty to fraud and identity theft, and on August 20, 2025, he was sentenced to 10 years in prison and ordered to pay $13.4 million in restitution.
The Urban case demonstrates that a convincing voice, a polished script, and relentless persistence can be enough to breach defenses. A trusted intermediary platform serving thousands becomes a launchpad, and a teenager’s “game of calls” escalates into a chain of attacks causing multimillion-dollar damages. Today, law enforcement bulletins list extortion alongside kidnappings and arson sparked by feuds within online youth gangs. And as long as soft skills outweigh code, and recruitment flows through gaming and music communities, this threat will persist — from a casual “hello” on the phone to disabled systems on the Las Vegas Strip.