UPDATED 18:39 EST / JUNE 16 2024

Suspected key member of Scattered Spider cybercrime group arrested in Spain

A 22-year-old U.K. man believed to be a key member of the Scattered Spider cybercrime group was arrested by police in Spain during the week as part of an ongoing investigation by the U.S. Federal Bureau of Investigation.

The arrest was first reported Friday by Murcia Today, which said that the man was arrested on suspicion of “being the ringleader of a hacking group which targeted 45 companies and people in the U.S.” The man stands accused of hacking into corporate accounts and stealing information that allowed his group to access millions in funds, including $27 million in bitcoin.

Murcia Today did not name the man, noting only that he was wanted on an arrest warrant issued by a judge in Los Angeles. Krebs on Security reported Saturday that the man arrested is named Tyler Buchanan and that he’s allegedly the ringleader of Scattered Spider.

In another report, vx-underground claims that “Tyler” is a SIM swapper and was involved with Scattered Spider. Most notably, it’s claimed that he was involved in the Scattered Spider attack on MGM Resorts International Inc. and other high-profile ransomware attacks undertaken by the group.

Scattered Spider, also known as “Octo Tempest” and UNC3944, first became active in early 2022, using extensive social engineering methods to target organizations worldwide and aiming for financial extortion. The group first targeted mobile telecommunications and business process outsourcing organizations, mainly for phone number-porting SIM swaps. By late 2022 and into early 2023, the group began to extort organizations using data stolen from them, sometimes even using physical threats as leverage.

By mid-2023, Scattered Spider/Octo Tempest reportedly joined forces with the better-known ALPHV/BlackCat ransomware-as-a-service operation and began extorting victims using the ALPHV Collections leak site without deploying ransomware. The relationship later included the group deploying ALPHV/BlackCat ransomware, primarily targeting VMware ESXi servers.

Scattered Spider targets technical administrators using social engineering. The group impersonates victims, often mimicking their speech patterns or pretending to be newly hired employees.

Its main methods for initial access include social engineering calls, purchasing employee credentials on the black market, SMS phishing and initiating SIM swaps, or setting up call forwarding on an employee’s phone. In some cases, it uses intimidation by sending threats to specific individuals.

Image: Policia Nacional/X
