Alleged boss of hacking group ‘Scattered Spider’ arrested – Krebs on Security

A 22-year-old man from Britain arrested in Spain this week is said to be the leader of Scattered Spider, a cybercrime group suspected of hacking Twilio, LastPass, DoorDash, Mailchimp and nearly 130 other organizations in the past two years.

The Spanish daily newspaper Murcia Today reports that the suspect was wanted by the FBI and was arrested in Palma de Mallorca as he attempted to board a flight to Italy.

A still image from a video released by the Spanish National Police shows Tylerb in custody at the airport.

“He is accused of hacking into company accounts and stealing crucial information, which would give the group access to multi-million dollar funds,” wrote Murcia Today. “According to Palma police, at one point he was in control of Bitcoins worth $27 million.”

The cybercrime-focused Twitter/X account vx-underground said the arrested British man was a SIM swapper who went by the alias “Tyler.” In a SIM swap attack, criminals transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim, including one-time passcodes for authentication and password reset links delivered via SMS.

“He is a known SIM swapper and is believed to be involved with the infamous Scattered Spider group,” vx-underground wrote on June 15, referring to a prolific gang blamed for costly data ransom attacks last year against the MGM and Caesars casinos in Las Vegas.

Sources familiar with the investigation told KrebsOnSecurity that the suspect is a 22-year-old from Dundee, Scotland, named Tyler Buchanan, also reportedly known as “tylerb” on Telegram chat channels devoted to SIM swapping.

In January 2024, US authorities arrested another alleged Scattered Spider member, 19-year-old Noah Michael Urban of Palm Coast, Florida, and accused him of stealing at least $800,000 from five victims between August 2022 and March 2023. Urban allegedly went by the nicknames “Sosa” and “King Bob,” and is believed to be part of the same crew that hacked Twilio and a slew of other companies in 2022.

Researchers say Scattered Spider members are part of a more diffuse cybercriminal community online known as “The Com,” in which hackers from various cliques loudly brag about high-profile cyber thefts that almost always start with social engineering – tricking people via phone, email or text message into giving away credentials that allow remote access to internal corporate networks.

One of the more popular SIM swap channels on Telegram maintains a regularly updated leaderboard of the most accomplished SIM swappers, ranked by the amount of cryptocurrency they have allegedly stolen. On that ranking, Sosa is currently at number 24 (out of 100) and Tylerb at number 65.

0KTAPUS

In August 2022, KrebsOnSecurity wrote about peering into the data collected during a months-long cybercrime campaign by Scattered Spider, which involved numerous SMS-based phishing attacks on employees of major companies. The security company Group-IB called the gang by another name, 0ktapus, a nod to the way the group phished employees for their Okta login details.

The messages asked users to click a link and log into a phishing page that mimicked their employer’s Okta authentication page. Those who submitted login credentials were then asked to provide the one-time password required for multi-factor authentication.

These phishing attacks took advantage of newly registered domains that often included the name of the targeted company, and sent text messages urging employees to click on links to these domains to view information about an upcoming change to their work schedule. The phishing sites also included a hidden Telegram chatbot that forwarded all submitted credentials in real time, allowing the attackers to use the phished username, password and one-time code to log in as that employee to the real employer website before the code expired.
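The two observable traits of that campaign, a freshly registered domain carrying the targeted company's name and an identity or schedule keyword, are something a defender can hunt for in a new-domain or certificate-transparency feed. The script below is an added example written for this page; it is not code from the article, from Group-IB or from any company named above. The brand name `examplecorp`, the keyword list, the scoring weights and the registration feed are all constructed for the demonstration.

```python
"""Score newly registered domains for the lookalike pattern described above.

Added example, not from the article. Brand, keywords, weights and the feed
are constructed for illustration; a real deployment would read the feed from
a certificate-transparency or new-domain source.
"""
from datetime import date

# Pretext keywords the 2022 lures leaned on: identity/SSO vendors, VPN, schedule changes.
AUTH_KEYWORDS = ("okta", "sso", "vpn", "login", "auth", "schedule", "shift",
                 "portal", "mfa", "helpdesk")

# Digit-for-letter substitutions commonly used to sneak a brand past casual reading.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _fold(domain: str) -> str:
    """Lowercase, drop a trailing dot and hyphens, undo digit substitutions."""
    return domain.lower().rstrip(".").replace("-", "").translate(_HOMOGLYPHS)


def score_domain(domain, brands, registered, today, allowlist=(), max_age_days=30):
    """Return (score, reasons) for one registration.

    0 means no brand token was found or the domain is allowlisted.
    +2 brand present, +1 brand spelled with substituted characters,
    +1 auth/pretext keyword next to it, +1 registered within max_age_days.
    """
    if domain.lower().rstrip(".") in allowlist:
        return 0, ["allowlisted"]
    folded = _fold(domain)
    brand = next((b for b in brands if b in folded), None)
    if brand is None:
        return 0, ["no brand token"]
    score, reasons = 2, [f"contains brand '{brand}'"]
    # Hyphens are already stripped on both sides, so a mismatch here means a homoglyph.
    if brand not in domain.lower().replace("-", ""):
        score += 1
        reasons.append("brand spelled with substituted characters")
    remainder = folded.replace(brand, "")
    keyword = next((k for k in AUTH_KEYWORDS if k in remainder), None)
    if keyword:
        score += 1
        reasons.append(f"pretext keyword '{keyword}'")
    age = (today - registered).days
    if 0 <= age <= max_age_days:
        score += 1
        reasons.append(f"registered {age} days ago")
    return score, reasons


def triage(feed, brands, today, allowlist=(), threshold=3):
    """Return (domain, score, reasons) for entries at or above threshold, highest first."""
    hits = []
    for domain, registered_iso in feed:
        score, why = score_domain(domain, brands, date.fromisoformat(registered_iso),
                                  today, allowlist)
        if score >= threshold:
            hits.append((domain, score, why))
    hits.sort(key=lambda h: -h[1])
    return hits


# Constructed sample data: a fictional brand and a handful of registrations.
BRANDS = ("examplecorp",)
ALLOWLIST = ("examplecorp.com",)
TODAY = date(2022, 8, 5)
FEED = [
    ("examplecorp-okta.com", "2022-08-01"),      # brand + keyword + fresh
    ("examp1ecorp-sso.net", "2022-07-28"),       # homoglyph brand + keyword + fresh
    ("examplecorp.com", "2010-03-14"),           # the company's own domain
    ("examplecorp-careers.com", "2019-05-02"),   # brand only, old registration
    ("schedule-update.info", "2022-08-03"),      # pretext word but no brand
    ("vpn-examplecorp.co", "2022-08-04"),        # keyword before the brand
]

if __name__ == "__main__":
    for domain, score, why in triage(FEED, BRANDS, TODAY, ALLOWLIST):
        print(f"{score}  {domain}  ({'; '.join(why)})")
```

The keyword test is a plain substring match after the brand is removed, so it will occasionally fire on innocent words (`auth` inside `author`); treat the score as a triage aid for an analyst rather than a block decision, and keep the company's legitimate domains in the allowlist so they never reach the queue.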

One of the first major victims of Scattered Spider during the 2022 SMS phishing wave was Twilio, a company that provides services for sending and receiving text messages and phone calls. The group then turned around and used its access to Twilio to attack at least 163 of Twilio’s customers.

A Scattered Spider phishing lure sent to Twilio employees.

Among them was the encrypted messaging app Signal, which said the breach allowed attackers to re-register the phone numbers of approximately 1,900 users on another device.

Also in August 2022, several employees of email delivery company Mailchimp provided their remote access credentials to this phishing group. According to Mailchimp, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.

On August 25, 2022, password management service LastPass disclosed a breach in which attackers stole some of LastPass’ source code and proprietary technical information, and weeks later LastPass said an investigation found no access to customer data or password vaults.

However, on November 30, 2022, LastPass disclosed a much more serious breach, which the company said used data stolen during the August breach. LastPass said criminal hackers stole encrypted copies of some password vaults, as well as other personal information.

In February 2023, LastPass announced that the breach involved a highly complex, targeted attack against an engineer who was one of only four LastPass employees with access to the corporate vault. In that incident, the attackers exploited a security vulnerability in a Plex media server that the employee was running on his home network, and managed to install malicious software that stole passwords and other authentication information. The vulnerability the intruders exploited had been patched in 2020, but the employee had never updated his Plex software.

Plex announced its own data breach a day before LastPass announced its first breach in August. On August 24, 2022, Plex’s security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames, and encrypted passwords.

TURF WARS

Sosa and Tylerb were both subjected to physical attacks by rival SIM-swapping gangs. These communities are known to settle scores by turning to so-called ‘violence-as-a-service’ offerings on cybercrime channels, where people can be hired to perform a variety of geographically specific ‘real life’ jobs such as bricking windows, slashing car tires or even home invasions.

In 2022, a video surfaced on a popular cybercrime channel claiming that attackers hurled a rock through a window at an address corresponding to Urban’s parents’ spacious and luxurious home in Sanford, Florida.

The January story on Sosa noted that a junior member of his crew named “Foreshadow” was kidnapped, beaten and held for ransom in September 2022. Foreshadow’s captors held guns to his bloodied head as they forced him to record a video message pleading with his crew to pay more than $200,000 in ransom in exchange for his life (Foreshadow escaped further harm in that incident).

According to several SIM-swapping channels on Telegram that Tylerb frequented, rival SIM swappers hired thugs to raid his home in February 2023. Those accounts state that the intruders attacked Tylerb’s mother during the home invasion and threatened to burn her with a blowtorch if he did not hand over the keys to his cryptocurrency wallets. Tylerb is said to have fled the United Kingdom after that attack.

KrebsOnSecurity requested comment from Mr. Buchanan and will update this story if he responds.