
Suspected key member of cybercrime group Scattered Spider arrested in Spain

A 22-year-old British man believed to be a key member of the Scattered Spider cybercrime group was arrested by Spanish police this week as part of an ongoing investigation by the US FBI.

The arrest was first reported on Friday by Murcia Today, which said the man was arrested on suspicion of being “the leader of a hacking group targeting 45 companies and individuals in the United States.” The man is accused of hacking into company accounts and stealing information that gave his group access to millions of dollars in funds, including $27 million in bitcoins.

Murcia Today did not name the man, saying only that he was wanted on a warrant issued by a Los Angeles judge. Krebs on Security reported Saturday that the arrested man’s name is Tyler Buchanan and that he is allegedly the leader of Scattered Spider.

In another report, vx-underground claims that “Tyler” is a SIM swapper and was involved in Scattered Spider. Specifically, it is alleged that he was involved in the Scattered Spider attack on MGM Resorts International Inc. and other high-profile ransomware attacks by the group.

Scattered Spider, also known as “Octo Tempest” and UNC3944, first became active in early 2022, using extensive social engineering methods to attack organizations worldwide for financial extortion. The group initially targeted organizations in the mobile communications and business process outsourcing space, mainly to carry out SIM swaps for number porting. In late 2022 and early 2023, the group began extorting organizations with stolen data, sometimes even using physical threats as leverage.

In mid-2023, Scattered Spider/Octo Tempest reportedly partnered with the better-known ALPHV/BlackCat ransomware-as-a-service operation and began extorting victims via the ALPHV Collections leak site without deploying ransomware. As part of this collaboration, the group later deployed ALPHV/BlackCat ransomware, primarily targeting VMware ESXi servers.

Scattered Spider targets technical administrators using social engineering. The group poses as victims, often mimicking their speech patterns or posing as a newly hired employee.

The main methods used to gain access include social engineering calls, purchasing employee data on the black market, SMS phishing, and initiating SIM swaps or setting up call forwarding on an employee’s phone. In some cases, intimidation is used by sending threats to specific individuals.

Picture: National Police/X
