Phobos Ransomware Administrator Extradited to Face Several Cybercrime Charges
Published on November 19, 2024
A 17-year-old Walsall local was arrested by U.K. law enforcement for being an alleged member of the notorious Scattered Spider ransomware gang, which has targeted several major companies, including the U.S. MGM Resorts.
Coordinated with the U.K. National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI), the arrest is “part of a global investigation into a large-scale cyber hacking community.”
The suspect was taken into custody on suspicion of blackmail and Computer Misuse Act offences and released on bail. The investigation continues; evidence was recovered at the suspect’s address, including digital devices that will undergo forensic examination.
In June, the alleged leader of Scattered Spider was arrested in Spain. The man is said to be a SIM-swapper connected to many high-profile ransomware campaigns attributed to the cybercriminal group.
Another alleged member of the gang was arrested in January this year. The FBI believes the group’s members mainly come from the US and the UK.
Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) is an offshoot of a loose-knit group called The Com. Active since May 2022, it focuses on data extortion and other criminal activities, targeting large companies and their contracted IT help desks.
Over the past two years, it has been suspected of infiltrating Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations worldwide. Scattered Spider has evolved into an initial access broker and affiliate, delivering ransomware families like BlackCat, Qilin, and RansomHub.
They use several social engineering techniques like phishing, push bombing, and subscriber identity module (SIM) swap attacks to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).
Their campaigns use tools such as Fleetdeck, Level, Mimikatz, Ngrok, Pulseway, Screenconnect, Splashtop, Tactical.RMM, Tailscale, and Teamviewer. They deploy the Raccoon Stealer, VIDAR Stealer, and AveMaria (also known as WarZone) malware and sometimes BlackCat/ALPHV ransomware.