Alleged boss of 'Scattered Spider' hacking group arrested – Krebs on Security

A 22-year-old British man arrested this week in Spain is believed to be the ringleader of Scattered Spider, a cybercrime group suspected of hacking Twilio, LastPass, DoorDash, Mailchimp and nearly 130 other organizations over the past two years.

The Spanish daily Murcia Today reports that the suspect was wanted by the FBI and was arrested in Palma de Mallorca while trying to board a flight to Italy.

A still image from a video released by the Spanish National Police shows Tylerb in custody at the airport.

“He is accused of hacking into company accounts and stealing critical information, which allegedly gave the group access to millions of dollars in funds,” Murcia Today wrote. “According to Palma police, at one point he controlled Bitcoin worth $27 million.”

The cybercrime-focused Twitter/X account vx-underground said the British man arrested was a SIM swapper who went by the nickname “Tyler.” In a SIM swap attack, scammers redirect the target's phone number to a device they control and intercept any text messages or phone calls sent to the victim, including one-time passcodes used for authentication or password reset links sent via SMS.

“He is a known SIM swapper and is believed to be involved with the infamous Scattered Spider group,” vx-underground wrote on June 15, referring to a prolific gang involved in costly data ransom attacks against MGM casinos and Caesars in Las Vegas last year.

Sources close to the investigation told KrebsOnSecurity that the accused is a 22-year-old man from Dundee, Scotland, named Tyler Buchanan, also known as “tylerb” on Telegram chat channels focused on SIM swapping.

In January 2024, US authorities arrested another suspected Scattered Spider member, 19-year-old Noah Michael Urban of Palm Coast, Florida, and charged him with stealing at least $800,000 from five victims between August 2022 and March 2023. Urban reportedly went by the nicknames “Sosa” and “King Bob,” and is believed to be part of the same crew that hacked Twilio and many other companies in 2022.

Investigators say Scattered Spider members are part of a more diffuse online cybercriminal community known as “The Com,” in which hackers from different cliques loudly brag about high-profile cyberthefts that almost invariably begin with social engineering: tricking people by phone, email, or text message into divulging credentials that allow remote access to internal company networks.

One of the most popular SIM swapping channels on Telegram maintains a frequently updated ranking of the most accomplished SIM swappers, indexed by their supposed cryptocurrency theft conquests. This ranking currently ranks Sosa at 24th (out of 100) and Tylerb at 65th.

0KTAPUS

In August 2022, KrebsOnSecurity wrote about data harvested during a months-long cybercrime campaign by Scattered Spider involving countless SMS phishing attacks against employees of large companies. The security company Group-IB gave the gang a different name, 0ktapus, a nod to how the criminal group phished employees for their credentials.

The messages asked users to click on a link that led to a phishing page imitating their employer's Okta authentication page. Those who submitted their credentials were then asked to provide the one-time password needed for multi-factor authentication.

These phishing attacks used newly registered domains that often included the name of the targeted company, and sent text messages directing employees to click on links to these domains to view information about a pending change in their work schedule. The phishing sites also featured a hidden Telegram chat bot that transmitted all submitted credentials in real time, allowing attackers to use the phished username, password and one-time passcode to log in as the employee on the employer's actual website.
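The lure domains described above (the target company's name combined with SSO or scheduling keywords, sometimes with digit-for-letter swaps) can be screened out of a newly-registered-domain feed before employees ever receive the text. This is an added example, not code from the article; the feed and the company name "examplecorp" are constructed.

```python
"""Flag newly registered domains that resemble the 0ktapus-style lures
described above. Added example; NRD_FEED below is constructed sample data."""
from typing import Dict, List

# Constructed sample of a newly-registered-domains feed (not real data).
NRD_FEED = [
    "examplecorp-okta.com",
    "examplecorp-sso.net",
    "schedule-examplecorp.com",
    "examplecorpokta.com",
    "unrelated-bakery.com",
    "examp1ecorp-vpn.com",
]

# Keywords that the article's lures paired with the company name.
LURE_KEYWORDS = ("okta", "sso", "vpn", "schedule", "hr", "login")

# Digits commonly substituted for letters in look-alike domains.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_label(domain: str) -> str:
    """Return the leftmost label, lower-cased, with digits that mimic
    letters folded back (e.g. 'examp1ecorp-vpn' -> 'examplecorp-vpn')."""
    label = domain.lower().split(".")[0]
    return label.translate(_CONFUSABLES)


def score_domain(domain: str, company: str) -> Dict[str, object]:
    """Score a domain: +2 if it embeds the company name, +1 per lure
    keyword found in the remainder. Keywords only count when the company
    name is present, so generic 'sso' or 'login' domains are not flagged."""
    label = registrable_label(domain)
    company = company.lower()
    hits: List[str] = []
    score = 0
    if company in label:
        score += 2
        rest = label.replace(company, "")
        for kw in LURE_KEYWORDS:
            if kw in rest:
                hits.append(kw)
                score += 1
    return {"domain": domain, "score": score, "keywords": hits}


def flag_lookalikes(feed: List[str], company: str, threshold: int = 3) -> List[str]:
    """Return feed domains scoring at or above the threshold (company name
    plus at least one lure keyword), sorted for stable output."""
    return sorted(d for d in feed if score_domain(d, company)["score"] >= threshold)
```

Feed the flagged list to a domain-blocking or takedown workflow; lowering the threshold to 2 also surfaces bare company-name registrations for manual review.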

One of Scattered Spider's first big victims during its 2022 SMS phishing spree was Twilio, a company that provides services for sending and receiving text messages and phone calls. The group then pivoted, using its access to Twilio to attack at least 163 of its customers.

A Scattered Spider phishing lure sent to Twilio employees.

Among these was the encrypted messaging application Signal, which said the breach could have allowed attackers to re-register the phone numbers of around 1,900 users on another device.

Also in August 2022, several employees of the email company Mailchimp provided their remote access credentials to this phishing group. According to Mailchimp, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.

On August 25, 2022, password management service LastPass revealed a breach in which attackers stole source code and technical information proprietary to LastPass, and weeks later, LastPass said an investigation revealed that no customer data or password vaults had been accessed.

However, on November 30, 2022, LastPass revealed a much more serious breach that the company said exploited data stolen in the August breach. LastPass said criminal hackers stole encrypted copies of some password vaults, along with other personal information.

In February 2023, LastPass revealed that the intrusion involved a highly complex targeted attack against an engineer who was one of only four LastPass employees with access to the company's vault. In this incident, the attackers exploited a security vulnerability in a Plex media server that the employee was running on his home network and successfully installed malware that stole passwords and other authentication information. The vulnerability exploited by the intruders was patched in 2020, but the employee never updated their Plex software.

Plex announced its own data breach a day before LastPass revealed its first intrusion in August. On August 24, 2022, Plex's security team urged users to reset their passwords, claiming that an intruder had accessed customers' emails, usernames, and encrypted passwords.

TERRITORIAL WARS

Both Sosa and Tylerb were subjected to physical attacks by rival SIM-swapping gangs. These communities are known to settle scores by turning to so-called “violence as a service” offerings on cybercrime channels, in which people can be hired to perform a variety of geographically specific tasks “in real life,” such as bricking windows, slashing car tires or even home invasions.

In 2022, a video surfaced on a popular cybercrime channel, purporting to show attackers throwing a brick through a window at an address that matches Urban's parents' spacious, upscale home in Sanford, Florida.

The January article on Sosa stated that a junior member of his crew named “Foreshadow” was kidnapped, beaten, and held for ransom in September 2022. Foreshadow's captors pointed guns at his bloodied head while forcing him to record a video message imploring his crew to fork over a $200,000 ransom in exchange for his life (Foreshadow escaped further harm during this incident).

According to several SIM swapping channels on Telegram that Tylerb was known to frequent, rival SIM swappers hired thugs to invade his house in February 2023. These accounts indicate that the intruders assaulted Tylerb's mother during the home invasion and threatened to burn him with a blowtorch if he did not hand over the keys to his cryptocurrency wallets. Tylerb is said to have fled the United Kingdom after this attack.

KrebsOnSecurity has reached out for comment from Mr. Buchanan and will update this story in case he responds.
