Introduction
A Florida teenager has been sentenced to 10 years in prison for his role in breaching Crypto.com through social engineering tactics. Noah Urban, part of the hacker collective Scattered Spider, accessed sensitive user information but no customer funds were lost. The incident was contained within hours and properly reported to regulators.
Key Points
- Noah Urban used social engineering to breach Crypto.com by impersonating staff and leveraging stolen personal data from a UPS database
- Authorities seized $4.8 million in crypto from Urban's devices and ordered $13 million in restitution to over 30 victims
- The breach was part of Scattered Spider's broader campaign that infiltrated more than 200 companies using SIM-swapping and phishing tactics
The Social Engineering Attack on Crypto.com
The security breach at Crypto.com, one of the world’s leading cryptocurrency platforms, was executed through sophisticated social engineering tactics rather than by exploiting technical vulnerabilities. Noah Urban, a Florida teenager who served as a ‘caller’ within the Scattered Spider hacker collective, successfully persuaded Crypto.com employees to hand over credentials that unlocked internal systems. The attackers impersonated staff members and leveraged stolen personal data, including records obtained from a United Parcel Service database, to gain unauthorized access to the platform’s infrastructure.
According to court documents and company statements, the breach occurred in 2023 and was detected and contained within hours. Crypto.com CEO Kris Marszalek emphasized that the incident involved a ‘small, internally controllable issue’ that was ‘properly resolved a long time ago.’ Shān Zhang, chief information security officer at blockchain security firm Slowmist, which had audited Crypto.com’s smart contracts and modules in 2020, confirmed that the matter was handled effectively and promptly.
Limited Impact and Regulatory Response
Despite the severity of the breach method, Crypto.com maintains that the actual impact was minimal. A company spokesperson stated that the incident ‘included exposure of limited PII (Personally Identifiable Information) data affecting a very small number of individuals,’ with no customer funds accessed or ever at risk. This containment likely prevented what could have been a catastrophic financial event for both the platform and its users.
The company faced scrutiny regarding its disclosure practices after a Bloomberg report suggested the incident was ‘previously unreported.’ Crypto.com CEO Kris Marszalek forcefully countered this claim on social media platform X, stating: ‘Any suggestion that we did not report or disclose a security incident is completely unfounded. We reported in a NMLS Notice of Data Security incident filing and in additional reports with the relevant jurisdictional regulators.’ The company detected what it described as ‘a phishing campaign that targeted one of our employees in 2023.’
Broader Pattern and Legal Consequences
The Crypto.com breach was not an isolated incident but part of Scattered Spider’s broader campaign that saw the collective infiltrate more than 200 companies across various sectors. Their tactics ranged from SIM-swapping to sophisticated phishing campaigns that compromised telecom providers, gaming studios, and retailers. This pattern demonstrates the evolving threat landscape facing financial institutions and technology companies worldwide.
Noah Urban, now 20, was indicted alongside four others in November 2023 and pleaded guilty in April 2024 to wire fraud and aggravated identity theft. The legal consequences were severe: authorities seized approximately $4.8 million in cryptocurrency from Urban’s devices, with estimated losses reaching up to $25 million across at least 59 victims in the United States. A U.S. District Judge sentenced Urban to 10 years in prison last month, with additional supervised release, and ordered $13 million in restitution to more than 30 victims.
The case highlights the increasing seriousness with which U.S. authorities are treating cybercrime, particularly when it targets financial infrastructure. The decade-long prison sentence for a young offender signals a strong deterrent message to other potential cybercriminals, especially those targeting the rapidly growing cryptocurrency sector where security concerns remain paramount for mainstream adoption.
