
Suspected boss of hacker group “Scattered Spider” arrested – Krebs on Security

A 22-year-old man from the UK who was arrested in Spain this week is believed to be the leader of Scattered Spider, a cybercrime group suspected of hacking Twilio, LastPass, DoorDash, Mailchimp and nearly 130 other organizations over the past two years.

The Spanish daily newspaper Murcia Today reported that the suspect was wanted by the FBI and was arrested in Palma de Mallorca while attempting to board a flight to Italy.

A still from a video released by the Spanish National Police shows Tylerb in custody at the airport.

“He is accused of breaking into company accounts and stealing important information, which allegedly gave the group access to millions of dollars in funds,” wrote Murcia Today. “At one point, he controlled $27 million worth of bitcoins, according to Palma police.”

The cybercrime-focused Twitter/X account vx-underground said the arrested Briton was a SIM swapper who goes by the handle “Tyler.” In a SIM swapping attack, fraudsters transfer the victim’s phone number to a device they control and intercept any text messages or phone calls sent to the victim, including one-time passcodes for authentication and password-reset links sent via SMS.

“He is a known SIM swapper and is believed to be associated with the notorious Scattered Spider group,” vx-underground wrote on June 15, referring to a prolific gang involved in costly data ransom attacks on the MGM and Caesars casinos in Las Vegas last year.

Sources familiar with the investigation told KrebsOnSecurity that the accused is Tyler Buchanan, a 22-year-old from Dundee, Scotland, allegedly also known as “Tylerb” on Telegram chat channels about SIM swapping.

In January 2024, US authorities arrested another suspected member of Scattered Spider, a 19-year-old, Noah Michael Urban of Palm Coast, Florida, and accused him of stealing at least $800,000 from five victims between August 2022 and March 2023. Urban allegedly went by the nicknames “Sosa” and “King Bob,” and is said to be part of the same gang that hacked Twilio and a number of other companies in 2022.

Investigators say Scattered Spider members are part of a more diffuse online community of cybercriminals known as “The Com”, in which hackers from various cliques loudly boast about spectacular cyber thefts that almost always begin with social engineering – tricking people by phone, email or text message into revealing credentials that allow them remote access to internal corporate networks.

One of the most popular SIM swapping channels on Telegram maintains a frequently updated leaderboard of the most successful SIM swappers, sorted by their alleged success in stealing cryptocurrency. This leaderboard currently ranks Sosa at number 24 (out of 100) and Tylerb at number 65.

0KTAPUS

In August 2022, KrebsOnSecurity examined data collected in a months-long cybercrime campaign by Scattered Spider that included many SMS-based phishing attacks on employees of large companies. The security company Group-IB gave the gang a different name, 0ktapus, a nod to how the criminal group stole employee credentials.

The messages asked employees to click a link and log in to a phishing page that imitated their employer’s Okta authentication page. Those who submitted credentials were then prompted to enter the one-time passcode required for multi-factor authentication.

These phishing attacks used newly registered domains, often containing the name of the target company, and sent employees a text message urging them to click links to these domains to view information about an upcoming change to their work schedule. The phishing sites also contained a hidden Telegram instant messaging bot that relayed any submitted credentials in real time. This allowed the attackers to log into the employer’s real site as that employee, using the phished username, password, and one-time code before the code expired.
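The lure domains described above follow a recognizable pattern: a protected company name glued to an identity-provider, remote-access or HR keyword, registered somewhere the company does not own. The following is an added example, not code from the article, from Group-IB, or from any of the companies named here. It is a hypothetical triage helper for a feed of newly registered or certificate-transparency domains (the feed, brand list and keyword list below are constructed for illustration; it assumes single-label TLDs such as .com) that goes one step beyond the article by also folding digit-for-letter substitutions like “0kta” back to letters before matching.

```python
"""Triage newly registered domains for the brand-plus-auth-keyword pattern
the 0ktapus lures used (e.g. <company>-sso, <company>-okta).
Hypothetical helper written for this article; not Group-IB's or
KrebsOnSecurity's tooling.
"""
from dataclasses import dataclass

# Keywords the lures combined with the target's name: identity provider,
# remote access and HR/scheduling themes.  Assumption: tune per environment.
AUTH_KEYWORDS = ("okta", "sso", "vpn", "login", "auth", "mfa", "hr",
                 "schedule", "helpdesk", "support")

# Digit-for-letter substitutions seen in lookalike domains ("0kta" for "okta").
_HOMOGLYPHS = str.maketrans("013", "ole")


@dataclass(frozen=True)
class Finding:
    domain: str        # domain as seen in the feed (lowercased)
    brand: str         # protected brand it impersonates
    keywords: tuple    # auth keywords found next to the brand
    score: int         # 1 for brand alone, +2 per auth keyword


def _normalise(domain: str) -> str:
    """Lowercase, strip a trailing dot, and fold digit homoglyphs to letters."""
    return domain.lower().rstrip(".").translate(_HOMOGLYPHS)


def _is_legitimate(domain: str, allowlist: set) -> bool:
    """True if the domain is an allowlisted apex or a subdomain of one."""
    return domain in allowlist or any(domain.endswith("." + a) for a in allowlist)


def score_domain(domain: str, brands, allowlist):
    """Return a Finding if `domain` contains a protected brand and is not
    owned by that brand; None otherwise.  Auth keywords raise the score."""
    raw = domain.lower().rstrip(".")
    if _is_legitimate(raw, allowlist):
        return None
    norm = _normalise(domain)
    # Everything left of the TLD; assumes a single-label suffix such as .com
    label = "".join(norm.split(".")[:-1])
    for brand in brands:
        if brand in label:
            rest = label.replace(brand, "")
            kws = tuple(k for k in AUTH_KEYWORDS if k in rest)
            return Finding(raw, brand, kws, 1 + 2 * len(kws))
    return None


def triage(domains, brands, allowlist):
    """Score a feed of candidate domains and return findings, highest first."""
    findings = [f for f in (score_domain(d, brands, allowlist) for d in domains) if f]
    return sorted(findings, key=lambda f: (-f.score, f.domain))


# Constructed sample feed in the style of a newly-registered-domain or
# certificate-transparency feed; these domains are illustrative only.
SAMPLE_FEED = [
    "twilio.com", "status.twilio.com", "twilio-sso.com", "twilio-0kta.net",
    "mailchimp-hr-schedule.com", "example.org", "twilio-news.com",
]
BRANDS = ("twilio", "mailchimp")
ALLOWLIST = {"twilio.com", "mailchimp.com"}

if __name__ == "__main__":
    for f in triage(SAMPLE_FEED, BRANDS, ALLOWLIST):
        print(f"{f.score:2d} {f.domain:28s} brand={f.brand} keywords={f.keywords}")
```

Brand-only hits are kept at a low score rather than dropped, because the article notes the lure domains often carried nothing more than the company name; the keyword weighting just moves the obvious Okta/SSO/schedule lures to the top of an analyst's queue. In production this would be driven by the registrar or CT feed and joined with a registration-age field, and the single-label-TLD shortcut should be replaced by a public-suffix lookup.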

One of Scattered Spider’s first major victims in its 2022 SMS phishing spree was Twilio, a company that provides services for sending and receiving text messages and phone calls. The group then pivoted, using its access to Twilio to attack at least 163 of Twilio’s customers.

A Scattered Spider phishing lure sent to Twilio employees.

Among them was the encrypted messaging app Signal, which said the breach could have allowed attackers to re-register the phone numbers of about 1,900 users on another device.

Also in August 2022, several employees of the email delivery company Mailchimp handed their remote-access credentials to this phishing group. According to Mailchimp, the attackers used their access to Mailchimp employees’ accounts to steal data from 214 customers involved in cryptocurrency and finance.

On August 25, 2022, password manager service LastPass announced a security breach in which attackers stole source code and proprietary technical information from LastPass. Weeks later, LastPass announced that an investigation had shown that neither customer data nor password vaults had been accessed.

However, on November 30, 2022, LastPass announced a far more serious breach, which the company said was carried out using data stolen in the August breach. According to LastPass, criminal hackers stole encrypted copies of some password vaults as well as other personal information.

In February 2023, LastPass announced that the breach was a highly sophisticated, targeted attack on an engineer who was one of only four LastPass employees with access to the company’s vault. In this incident, the attackers exploited a vulnerability in a Plex media server that the employee ran on his home network and installed malware that stole passwords and other authentication credentials. The vulnerability exploited by the intruders had been patched back in 2020, but the employee never updated his Plex software.

Plex announced its own data breach a day before LastPass disclosed the first breach in August. On August 24, 2022, Plex’s security team asked users to reset their passwords because an intruder had accessed customer emails, usernames, and encrypted passwords.

TURF WARS

Sosa and Tylerb were both victims of physical attacks by rival SIM-swapping gangs. These communities are known to settle scores by resorting to so-called “violence-as-a-service” offerings on cybercrime channels, where people can be hired to perform a variety of geographically specific “real-life” tasks, such as breaking windows, slashing tires, or even breaking into private homes.

In 2022, a video surfaced on a popular cybercrime channel purporting to show attackers throwing a brick through a window at an address that matches Urban’s parents’ spacious and upscale home in Sanford, Florida.

The January story on Sosa mentioned that a young member of his crew named “Foreshadow” was kidnapped, beaten, and held for ransom in September 2022. Foreshadow’s captors held guns to his bloodied head and forced him to record a video message in which he begged his crew to pay a $200,000 ransom to keep him alive (Foreshadow escaped further harm in this incident).

According to several SIM-swapping channels on Telegram that Tylerb frequented, rival SIM swappers hired thugs to break into his home in February 2023. According to these reports, the intruders attacked Tylerb’s mother during the break-in and threatened to burn him with a blowtorch if he did not hand over the keys to his cryptocurrency wallets. Tylerb reportedly fled the UK after this robbery.

KrebsOnSecurity has reached out to Mr. Buchanan for comment and will update this story if he responds.