Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested – Krebs on Security

An individual aged 22 from the United Kingdom detained this week in Spain is said to be the leader of Scattered Spider, a cybercrime faction suspected of breaching into Twilio, LastPass, DoorDash, Mailchimp, and roughly 130 other entities during the last couple of years.

The Spanish newspaper Murcia Today mentioned that the suspect was a fugitive sought by the FBI and was apprehended in Palma de Mallorca as he attempted to embark on a flight to Italy.

A screenshot from a video issued by the Spanish national police displaying Tylerb in custody at the airport.

“He is accused of infiltrating corporate accounts and looting pivotal data, which apparently facilitated the crew in gaining access to funds amounting to several million dollars,” Murcia Today stated. “Per Palma police, there was a time when he had control over Bitcoins valued at $27 million.”

The cybercrime-focused Twitter/X account vx-underground reported that the detained British man was a SIM-swapper using the alias “Tyler.” In a SIM swap, criminals transfer the target’s phone number to a device they control and thereby intercept any text messages or calls sent to the victim, including one-time passcodes for verification and password-reset links delivered via SMS.

“He has a known history of SIM-swapping and is purportedly linked with the well-known Scattered Spider circle,” vx-underground stated on June 15, referring to an active gang accused of costly data ransom breaches at MGM and Caesars casinos in Las Vegas last year.

Insiders with knowledge about the probe informed KrebsOnSecurity that the charged party is a 22-year-old person from Dundee, Scotland named Tyler Buchanan, also known as “tylerb” in Telegram chat groups revolving around SIM-swapping.

In January 2024, U.S. authorities detained another alleged Scattered Spider associate — 19-year-old Noah Michael Urban from Palm Coast, Fla. — and accused him of stealing at least $800,000 from five victims between August 2022 and March 2023. Urban operated under the aliases “Sosa” and “King Bob,” and is believed to be part of the same crew involved in hacking Twilio and numerous other firms in 2022.

Investigators indicate that Scattered Spider members are associated with a larger online cybercriminal community known as “The Com,” where hackers from different groups boast about major cyber thefts that often start with social engineering: deceiving individuals over the phone, by email, or by SMS into giving up credentials that grant remote access to corporate internal networks.

One of the widely recognized SIM-swapping channels on Telegram maintains an actively updated ranking of the most successful SIM-swappers, arranged by their purported exploits in swindling cryptocurrency. In the latest update, Sosa ranks #24 among 100, with Tylerb at #65.

0KTAPUS

In August 2022, KrebsOnSecurity explored the details of an extended cybercrime campaign by Scattered Spider involving numerous SMS-based phishing attempts aimed at employees of major corporations. The cybersecurity company Group-IB dubbed the group 0ktapus, a nod to its use of phishing pages that impersonated Okta login portals to harvest employee credentials.

The messages urged recipients to click on a link and sign in at a bogus page that resembled their company’s Okta authentication site. Those who submitted their details were then asked for the one-time password essential for multi-factor authentication.

These phishing operations utilized freshly registered domains that often featured the targeted company’s name, sending SMS messages encouraging workers to follow the links to these domains to view details about an upcoming change in their work timetable. The phishing sites were also equipped with a hidden Telegram chatbot to instantaneously forward any submitted credentials, allowing the attackers to leverage the captured username, password, and one-time code to access the victim’s account on the actual employer’s site.
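The flow above (steal username, password and one-time code on a lookalike page, forward them via a bot, log in before the code expires) works because a TOTP or SMS code is not bound to the site the user typed it into. The following added example, not part of the original article, models the 0ktapus relay against both a TOTP factor and a simplified origin-bound (WebAuthn-style) factor; the domains and secret are constructed, and an HMAC stands in for the authenticator's public-key signature.

```python
import hashlib
import hmac
import struct

# Constructed demo values; none of these are from the article.
SECRET = b"demo-shared-secret"            # stands in for the TOTP seed / authenticator key
RP_ORIGIN = "https://sso.example.com"     # the real Okta-style login page (hypothetical)
PHISH_ORIGIN = "https://sso-example.com"  # lookalike phishing domain (hypothetical)


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the one-time code the employee would type into the phishing page."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(submitted: str, t: int) -> bool:
    """The real site accepts any valid code: it cannot tell where the user typed it."""
    return hmac.compare_digest(submitted, totp(SECRET, t))


def sign_assertion(origin: str, challenge: bytes) -> bytes:
    """Simplified WebAuthn authenticator (HMAC instead of a public-key signature):
    the signed data includes the origin the browser actually loaded."""
    return hmac.new(SECRET, origin.encode() + challenge, hashlib.sha256).digest()


def verify_assertion(origin: str, challenge: bytes, sig: bytes) -> bool:
    """Relying party: the claimed origin must be its own, and the signature must cover it."""
    if origin != RP_ORIGIN:
        return False
    return hmac.compare_digest(sig, sign_assertion(RP_ORIGIN, challenge))


def simulate_relay(t: int = 1_700_000_000) -> dict:
    """Run the relay against both factors; report whether each lets the attacker log in."""
    challenge = b"server-issued-nonce"
    # 1) Victim types the TOTP into the lookalike page; it is forwarded within the 30 s window.
    stolen_code = totp(SECRET, t)
    totp_relayed = verify_totp(stolen_code, t + 5)
    # 2) Victim's browser signs for the origin it is really on, i.e. the phishing domain.
    victim_sig = sign_assertion(PHISH_ORIGIN, challenge)
    honest_relay = verify_assertion(PHISH_ORIGIN, challenge, victim_sig)  # origin mismatch
    forged_relay = verify_assertion(RP_ORIGIN, challenge, victim_sig)     # signature mismatch
    return {"totp_relayed": totp_relayed, "webauthn_relayed": honest_relay or forged_relay}
```

The relayed TOTP is accepted while the relayed assertion is rejected either way: the attacker can forward the victim's signature but cannot change the origin it covers, which is why phishing-resistant MFA is the mitigation for this campaign style.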

One of the initial significant victims of Scattered Spider in their 2022 SMS phishing spree was Twilio, a firm providing text messaging and call services. Subsequently, they utilized their access to Twilio to target at least 163 of its clients.

A deceptive lure sent by Scattered Spider to Twilio employees.

Among them was the encrypted messaging application Signal, which disclosed that the breach could have enabled attackers to re-register the phone number on another device for nearly 1,900 users.

Similarly, in August 2022, multiple employees at email delivery service Mailchimp shared their remote access credentials with this phishing ring. As per Mailchimp’s statement, the attackers used the compromised Mailchimp employee accounts to extract data from 214 customers involved in cryptocurrency and finance sectors.

On August 25, 2022, the password management service LastPass revealed a breach where attackers pilfered some source code and proprietary LastPass technical details. Later, LastPass clarified that no customer data or password vaults were compromised following an inquiry.

Nonetheless, on November 30, 2022 LastPass disclosed a more severe breach where criminals accessed encrypted copies of certain password vaults, along with other personal data, using information obtained during the August breach. LastPass noted that the breach was a highly sophisticated and targeted assault on an engineer who was among only four LastPass employees with access to the corporate vault. The attackers exploited a security flaw in a Plex media server operated by the personnel on their home network, installing malicious software that filched passwords and other authentication credentials. This vulnerability was fixed by the company in 2020, but the employee never updated the Plex software.

Plex itself announced a data breach just a day before LastPass disclosed its initial breach. On August 24, 2022, Plex’s security team urged users to change their passwords after discovering unauthorized access to customer emails, usernames, and encrypted passwords.

TURF WARS

Both Sosa and Tylerb were physically attacked by members of rival SIM-swapping gangs. These factions have a history of settling disputes through “violence-as-a-service” offerings advertised on cybercrime platforms, where individuals can be hired for physical tasks ranging from breaking windows and slashing car tires to home invasions.

In 2022, a video surfaced on a prominent cybercrime channel supposedly depicting assailants throwing a brick through a window at an address suspected to be the luxurious residence of Urban’s parents in Sanford, Fl.

Back in January, it was reported that a lesser-known member of Sosa’s group named “Foreshadow” was abducted, assaulted, and held for ransom in September 2022. Foreshadow was coerced by captors who brandished firearms towards him while forcing him to create a video message pleading with his associates to pay a $200,000 ransom for his release (Foreshadow narrowly survived that ordeal).

According to several SIM-swapping channels on Telegram where Tylerb was active, rival SIM-swappers hired individuals to trespass into his residence in February 2023. Reports suggest that during the intrusion, the trespassers physically assaulted Tylerb’s mother and threatened to harm him with a blowtorch if he didn’t surrender access to his cryptocurrency wallets. Subsequently, Tylerb was said to have fled the United Kingdom after that incident.

KrebsOnSecurity reached out to Mr. Buchanan for comment and will provide updates to this account in the event of a response.
