Crypto.com Suffered An Unreported Data Breach From Scattered Spider Hackers, Bloomberg Reports

What Happened

Crypto.com suffered a previously unreported data breach by the notorious Scattered Spider hacking group that exposed personal information of users, according to a Bloomberg investigation.

The attack was carried out by teenage hackers, including Noah Urban, an 18-year-old from Florida who became a key figure in one of the world’s most dangerous cybercriminal organizations responsible for high-profile attacks on MGM Resorts and other major corporations.

ZachXBT, a prominent blockchain investigator, publicly called out Crypto.com for covering up the breach after Bloomberg’s report revealed the incident.

The revelation comes as Crypto.com CEO Kris Marszalek predicts a strong fourth-quarter performance and explores potential IPO options while expanding partnerships with Trump Media & Technology Group.

How Teenage Hackers Cracked Crypto.com’s Defenses

Noah Urban and his Scattered Spider accomplices targeted Crypto.com by exploiting employee credentials through their signature social engineering tactics.

The attack followed the hackers’ successful infiltration of Twilio, which provided them with customer verification codes and access credentials for 209 companies using the communications platform.

Market Context

He purchased luxury items, including a $35,000 diamond-encrusted Rolex and $80,000 Minecraft username, while maintaining the facade of cryptocurrency trading success to his family.

Why It Matters

The exchange confirmed the attack affected “a very small number of individuals” but maintained that no customer funds were accessed.

However, the company never publicly disclosed the breach to users whose personal information was compromised.

Details

The exchange generated $1.5 billion in revenue last year with $1 billion in gross profit, positioning itself as one of the most profitable crypto platforms despite the undisclosed security incident.

When Minecraft Players Became Million-Dollar Cybercriminals

According to the Bloomberg report, Noah Urban’s criminal journey began innocuously through Minecraft gaming communities at age 15, where he learned about SIM-swapping techniques that didn’t require coding skills.

His natural talent for social engineering, combined with a deep voice that belied his teenage years, made him exceptionally effective at deceiving telecommunications employees into transferring phone numbers.

The scheme involved calling company representatives while pretending to be IT security personnel, using scripts like “Hey, my name is Kevin, and I’m calling from the T-Mobile internal security management.”

Urban earned $50 per successful call initially, clearing $3,000 in his first week while other group members listened on Discord during gaming sessions.

Urban’s operation expanded rapidly during the COVID-19 school closures, employing his own network of callers whom he paid between $60 and $4,000, depending on the security levels breached.

The Scattered Spider group evolved from simple SIM-swapping to sophisticated corporate infiltration.

In August 2022, Urban and accomplices created fake Okta login pages to target Twilio employees, ultimately accessing customer data from 209 companies.

The breach earned them the nickname “0ktapus” and made them feel “like gods,” according to Urban’s jail interviews.

Following the Twilio success, the group targeted Universal Music Group and Warner Music Group to steal unreleased tracks, with Urban operating a Twitter account called “King Bob” that gained 11,000 followers overnight after posting leaked Playboi Carti music.

The music theft operation expanded its criminal portfolio beyond financial fraud into intellectual property theft.

The group gained unauthorized access to the exchange’s systems, compromising personal information belonging to what the company described as “a very small number of individuals.”

Urban’s crew leveraged this data trove to identify and target Crypto.com employees, using their established methods of impersonating IT security personnel.