Cybercrime , Finance & Banking , Fraud Management & Cybercrime

Spanish Police Bust Alleged Leader of Scattered Spider

US International Arrest Warrant Accuses Suspect of Cryptocurrency-Theft Campaigns
Spanish Police Bust Alleged Leader of Scattered Spider
Footage released by authorities of the suspect's arrest on May 31, 2024 (Image: Spanish National Police)

Spanish National Police have arrested a British national on cybercrime charges.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Authorities did not name the 22-year-old suspect but described him as "the leader of an organized group dedicated to the theft of information from companies and of cryptocurrencies," Spanish police said in a Spanish-language press release on Friday.

Unofficial reports suggest the suspect was part of the cybercrime group Scattered Spider, which has attacked more than 130 organizations, including MGM Resorts, Clorox and potentially the cryptocurrency trading platform Coinbase Global. The group is known for tricking help desks and overwhelming employees with multifactor authentication requests to bypass MFA defenses.

Intelligence shared by the FBI suggests the suspect at one time gained control of at least 391 bitcoins worth over $27 million by helping to execute a series of phishing attacks against cryptocurrency wallet owners, stealing their credentials and then their digital coins, Spanish police said.

They arrested the suspect on May 31 at the airport in the resort city of Palma on Mallorca, a Spanish island in the western Mediterranean, as he was preparing to board a charter flight to Naples, Italy. They also seized a laptop and mobile phone he was carrying.

The FBI declined to comment.

On Saturday, vx-underground, a cybercrime-focused research account on the social platform X, reported that "the individual arrested operated under the alias 'Tyler'" and was a SIM swapper who was allegedly part of the Scattered Spider cybercrime group.

SIM swapping refers to attackers seizing control of a target's mobile phone number for account takeover purposes.

"Most notably, he is believed to be a key component of the MGM ransomware attack and is believed to be associated with several other high-profile ransomware attacks performed by Scattered Spider," vx-underground said of Tyler.

Likewise, citing "sources familiar with the investigation," cybersecurity blogger Brian Krebs on Saturday reported that the suspect is a native of Dundee, Scotland, "named Tyler Buchanan, also allegedly known as 'tylerb' on Telegram chat channels centered around SIM-swapping."

Buchanan remains detained in Spain. Authorities there said the Los Angeles branch of the FBI in late May queried them about the whereabouts of a British citizen that the bureau suspected of being involved in online attacks against numerous U.S. firms. Spanish police found that the suspect had entered the country at the end of May via Barcelona's El Prat airport. The FBI then obtained an International Arrest Warrant from a U.S. district court judge in central California.

Buchanan's arrest follows the January bust of an alleged Scattered Spider member named Noah Michael Urban, a 19-year-old Florida resident. He faces 14 charges, including wire fraud and aggravated identity theft (see: Florida Teen Faces Federal Charges in $800,000 Crypto Theft).

Scattered Spider is CrowdStrike's codename for the cybercrime group Buchanan allegedly fronted, which emerged in late 2022. Members of the group refer to the operation as Star Fraud and are largely comprised of U.S. and British natives. The group is called UNC3944 by Google Cloud's Mandiant, 0ktapus by Group-IB, Octo Tempest by Microsoft, Scatter Swine by Okta and Muddled Libra by Palo Alto's Unit 42 threat intelligence group.

Security researchers say the group is largely comprised of teenagers or early twentysomethings from the U.S. and U.K. who are members of a cybercrime community known as the Com (see: Rising Ransomware Issue: English-Speaking Western Affiliates).

"Initially, UNC3944 focused on credential harvesting and SIM swapping attacks in their operations, eventually migrating to ransomware and data theft extortion," Mandiant said in a Thursday report. More recently, it said, the group "has shifted to primarily data theft extortion, without the use of ransomware. This change in objectives has precipitated an expansion of targeted industries and organizations."

The group has also used stolen credentials to gain unauthorized access to SaaS applications from Amazon Web Services, CrowdStrike, CyberArk, Google Cloud Platform, Microsoft Azure, SalesForce and VMware vCenter, Mandiant said.

"SaaS applications pose an interesting dilemma for organizations as there is a gray area of where and who should conduct monitoring to identify issues," Mandiant said. For any SaaS apps that handle "proprietary or guarded information," the firm recommends that organizations ensure they have "a robust logging capability that their security teams can review for signs of malicious intent."

Last month, Resilience Cyber Insurance Solutions, a cybersecurity risk company, said that the crime group has been shifting its "focus to the financial sector and large insurance companies" and that by "utilizing phishing tactics, including the creation of fake login pages, the group has been successful in obtaining sensitive credentials from unsuspecting employees at their target companies."

A researcher at Resilience told Bloomberg that Scattered Spider created look-alike login pages that it used to target employees of such firms as PNC Financial Services Group, New York Life Insurance Co., Synchrony Financial, Transamerica and Visa.

Whether or not the group succeeded in those attacks wasn't clear, Resilience said.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.