Twilio Security Incident

On Jan. 9, 2024, U.S. authorities arrested a 19-year-old Florida man charged with wire fraud, aggravated identity theft, and conspiring with others to use SIM-swapping to steal cryptocurrency. Sources close to the investigation tell KrebsOnSecurity the accused was a key member of a criminal hacking group blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022. A graphic depicting how 0ktapus leveraged one victim to attack another. Image credit: Amitai Cohen of Wiz. Prosecutors say Noah Michael Urban of Palm Coast, Fla., stole at least $800,000 from at least five victims between August 2022 and March 2023. In each attack, the victims saw their email and financial accounts compromised after suffering an unauthorized SIM-swap, wherein attackers transferred each victims mobile phone number to a new device that they controlled. The government says Urban went by the aliases Sosa and King Bob , among others. Multiple trusted sources told KrebsOnSecurity that Sosa/King Bob was a core member of a hacking group behind the 2022 breach at Twilio , a company that provides services for making and receiving text messages and phone calls. Twilio disclosed in Aug. 2022 that an intrusion had exposed a limited number of Twilio customer accounts through a sophisticated social engineering attack designed to steal employee credentials. Shortly after that disclosure, the security firm Group-IB published a report linking the attackers behind the Twilio intrusion to separate breaches at more than 130 organizations, including LastPass , DoorDash , Mailchimp , and Plex . Multiple security firms soon assigned the hacking group the nickname Scattered Spider . Group-IB dubbed the gang by a different name 0ktapus which was a nod to how the criminal group phished employees for credentials. The missives asked users to click a link and log in at a phishing page that mimicked their employers Okta authentication page. Those who submitted...

... (truncated for display)