FBI Arrests Alleged Leader of ‘Scattered Spider’ Hacking Group

• The Federal Bureau of Investigation has announced the arrest of the Scattered Spider alleged leader in Spain.
• The man is said to be a SIM-swapper connected to many high-profile ransomware campaigns attributed to the cybercriminal group.
• Another alleged member of the hacker gang was arrested this year in January.

A 22-year-old individual from the United Kingdom believed to be the mastermind behind the global cybercrime group Scattered Spider, was apprehended in Spain by the FBI this week. The local Spanish press reports that the suspect was arrested in Palma de Mallorca when he tried to board a flight to Italy.

A source says the man is a SIM swapper who operated under the alias ‘Tyler,’ believed to be a key component of Scattered Spider’s MGM and other high-profile ransomware attacks. According to the Palma Police Department, the individual controlled Bitcoin worth $27 million at one point.

Apparently, the accused is Tyler Buchanan from Dundee, Scotland, also allegedly known as “tylerb” on Telegram chat channels related to SIM-swapping, as reported by KrebsOnSecurity.

Another alleged Scattered Spider member was arrested by U.S. authorities in January, as 19-year-old Noah Michael Urban of Palm Coast, Florida, who reportedly went by the nicknames “Sosa” and “King Bob,” charged with stealing at least $800,000 from five victims between August 2022 and March 2023 and connected to the 2022 Twilio hack and more.

Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) is a cyber-criminal group founded in May 2022 that engages in data extortion and other criminal activities. The FBI believes the group’s members mainly come from the US and the UK. 

They use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).

Their campaigns use tools such as Fleetdeck, Level, Mimikatz, Ngrok, Pulseway, Screenconnect, Splashtop, Tactical.RMM, Tailscale, and Teamviewer and malware Raccoon Stealer, VIDAR Stealer, and AveMaria (also known as WarZone). The group has also been known to utilize BlackCat/ALPHV ransomware. 

It targets large companies and their contracted information technology (IT) help desks. Over the past two years, it has been suspected of infiltrating Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations worldwide.