Arrested hacker claims Scattered Spider gang breached Crypto.com, the incident was not reported
The arrested hacker Noah Urban claims that Crypto.com, one of the world's largest cryptocurrency exchanges, was hit by a previously undisclosed data breach carried out by the Scattered Spider cybercriminal group.
Noah Urban, an 18-year-old from Florida, apparently became a key figure in the Scattered Spider organization responsible for high-profile attacks on MGM Resorts and other major corporations.
According to a Bloomberg investigation, the attack was orchestrated by teenage hackers, including Noah. The exchange never publicly disclosed the security compromise to affected users, only acknowledging the attack when contacted by Bloomberg for its investigative report.
The attack was carried out through social engineering tactics. Urban's crew used data from previous breaches to identify and target Crypto.com employees, impersonating IT security personnel.
Noah Urban's criminal journey began through Minecraft gaming communities at age 15, where he learned about SIM-swapping techniques that didn't require coding skills. His natural talent for social engineering, combined with a deep voice, made him exceptionally effective at deceiving telecommunications employees.
Urban's operation expanded rapidly during the COVID-19 school closures, employing his own network of callers whom he paid between $60 and $4,000, depending on the security levels breached.
The exact number of affected individuals has not been disclosed by Crypto.com. The exchange confirmed the attack affected "a very small number of individuals" but maintained that no customer funds were accessed during the incident.
ZachXBT, a prominent blockchain investigator, publicly called out Crypto.com for not reporting a breach.
Noah Urban was arrested in January 2024 and sentenced to 10 years in prison in August 2025, and was ordered to pay $13 million in restitution to 59 victims across multiple cases. Scattered Spider continues to pose a significant threat to organizations worldwide.
Update - The exchange denied keeping the incident secret, stating that it filed regulatory reports, that it contained the breach within hours, and that no customer funds were accessed during the attack.