

A 22-year-old U.K. man believed to be a key member of the Scattered Spider cybercrime group was arrested by police in Spain during the week as part of an ongoing investigation by the U.S. Federal Bureau of Investigation.
The arrest was first reported Friday by Murcia Today, which said that the man was arrested on suspicion of “being the ringleader of a hacking group which targeted 45 companies and people in the U.S.” The man stands accused of hacking into corporate accounts and stealing information which allowed his group to access millions in funds, including $27 million in bitcoin.
Murcia Today did not name the man, other than noting that he was wanted on an arrest warrant issued by a judge in Los Angeles, but then it gets more interesting. Krebs on Security reported Saturday that the man arrested is named Tyler Buchanan and that he’s allegedly the ringleader of Scattered Spider.
In another report, vx-underground claims that “Tyler” is a SIM swapper and was involved with Scattered Spider. Most notably, it’s claimed that he was involved in the Scattered Spider attack on MGM Resorts International Inc. and other high-profile ransomware attacks undertaken by the group.
Scattered Spider, also known as “Octo Tempest” and UNC3944, first became active in early 2022, using extensive social engineering methods to target organizations worldwide and aiming for financial extortion. The group first targeted mobile telecommunications and business process outsourcing organizations, mainly for phone number-porting SIM swaps. By late 2022 and into early 2023, the group began to extort organizations using data stolen from them, sometimes even using physical threats as leverage.
By mid-2023, Scattered Spider/Octo Tempest reportedly joined forces with the better-known ALPHV/BlackCat ransomware-as-a-service operation and began extorting victims using the ALPHV Collections leak site without deploying ransomware. The relationship later included the group deploying ALPHV/BlackCat ransomware, primarily targeting VMware ESXi servers.
Scattered Spider targets technical administrators using social engineering. The group impersonates victims, often mimicking their speech patterns or pretending to be newly hired employees.
Its main methods for initial access include social engineering calls, purchasing employee credentials on the black market, SMS phishing and initiating SIM swaps, or setting up call forwarding on an employee’s phone. In some cases, it uses intimidation by sending threats to specific individuals.