Noah Michael Urban, 20, faces decades in federal prison and has agreed to make restitution of more than $13 million. He has yet to be sentenced.
A Palm Coast man who called himself “King Bob” has pleaded guilty to charges in Florida and California for his role in a cryptocurrency heist and hacking cases; he faces decades in prison and owes more than $13 million in restitution, according to court records.
Noah Michael Urban, 20, pleaded guilty Friday to conspiracy to commit wire fraud, wire fraud and aggravated identity theft in federal court in the Middle District of Florida, as part of a plea agreement.
Urban also pleaded guilty to conspiracy to commit wire fraud in a federal case in central California which will be transferred to the Middle District of Florida, according to the agreement.
A sentencing date has not been set, but Urban faces a minimum of two years and up to 60 years in federal prison. He also faces a fine of up to $1 million or twice the gain or loss from the offense, whichever is greater. He can also receive a term of supervised release of up to three years.
As part of the plea agreement, Urban agreed to pay $13.4 million in restitution to at least 31 victims in Florida and California listed in the agreement.
Urban also agreed to forfeit cryptocurrency investigators had seized from his cryptocurrency wallet. The cryptocurrency included Bitcoin, Monero and Ethereum.
He also agreed to forfeit $27,702 in cash seized from a home on Edge Lane in Palm Coast, as well as six watches.
Urban admitted to thefts
In March 2023, investigators seized a total of $2.89 million worth of cryptocurrency from Urban’s desktop computer in the home he was living in at the time in Palm Coast, court records state.
In a May 2023 interview with investigators, Urban estimated that he had made several million dollars between January 2021 and March 2023 by stealing cryptocurrency, according to federal court records. He also admitted he had participated in the theft of several million more, the records state.
Urban said he had lost most of the money on various online gambling sites, but still had “a few million” on his desktop computer, the records show.
In the California case, Urban, along with at least four others, targeted interactive entertainment companies, telecommunications companies, technology companies, cloud communications providers and other companies and individuals.
Urban and the others hacked and defrauded companies and individuals throughout the United States through “phishing attacks.” They would gain access to the companies’ computer systems, copy confidential databases and attempt to sell the information, the records state.
After one intrusion, Urban sent a message writing in part “I have one of the rarest … account in all of history” and ” … I just hacked htis (sic) one off (Victim Company 1),” according to court records which did not identify any of the companies or individuals.
Urban faces numerous felonies
Urban, who used aliases including “Sosa,” “Elijah,” and “Gustavo Fring” in addition to “King Bob,” faces a lengthy prison sentence, according to court records.
The maximum penalty for conspiracy to commit wire fraud and wire fraud are each up to 20 years in prison with a fine of up to $250,000 or twice the gross gain or gross loss from the offense, whichever is greater.
Aggravated identify theft calls for a mandatory minimum of two years in prison which must run consecutive to any other prison sentence. It also carries a fine of $250,000.
The agreement calls for all the other charges against Urban to be dropped.
Phishing attacks and computer hacks
Urban and other conspirators unlawfully obtained victims’ personal identifying information and used it to fraudulently access their virtual currency addresses.
Using a SIM swap, the conspirators reset the victims’ passwords and verified ownership of the victims’ cellphone numbers by one-time passwords. A SIM swap is a type of fraud in which conspirators take over a person’s cellphone account so that the victim’s incoming messages and texts are sent to a different phone. Once the SIM is swapped, the person can access the victim’s accounts, including those that use two-factor authentication.
The FBI also found that the conspirators targeted at least 45 companies in the United States, Canada, India, the United Kingdom and other nations in “phishing attacks” between September 2021 and April 2023, according to the government. They sent mass text messages to cellphones of numerous employees, according to federal prosecutors. The text messages claimed to be from the company or a business service provider of the company.
The conspirators then used the stolen credentials to gain access to the employees’ accounts and the computer systems belonging to the companies. Once in the systems, they stole confidential information, including personal identifying information and account access credentials.
