Alleged Leader of Scattered Spider Hacking Group Arrested in Spain

Spanish authorities, in collaboration with the FBI, have arrested a 22-year-old British national in Palma de Mallorca. This individual, identified as Tyler Buchanan from Dundee, Scotland, is believed to be the ringleader of the notorious Scattered Spider hacking group, also known as 0ktapus or UNC3944.

A Prolific Cybercrime Group

Scattered Spider has gained notoriety over the past two years for its audacious and highly effective cyber-attacks against a wide range of high-profile targets. The group has been linked to breaches at major organizations, including Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other companies. The hacking group is known for its sophisticated use of social engineering techniques, particularly phishing and SIM-swapping, to gain access to sensitive information and cryptocurrency wallets.

The Arrest

The Spanish daily Murcia Today reported that Buchanan was apprehended at Palma airport as he attempted to board a flight to Italy. A video released by the Spanish national police shows Buchanan in custody, marking the culmination of a coordinated effort by law enforcement agencies. According to investigators, Buchanan and his associates used stolen corporate credentials to access critical information and execute multi-million-dollar cryptocurrency thefts.

The cybercrime-focused Twitter account vx-underground identified Buchanan as a SIM-swapper known by the alias “Tyler.” SIM-swapping is a technique where attackers transfer a victim’s phone number to a device they control, allowing them to intercept text messages and phone calls, including one-time passcodes for authentication. This method has proven effective in bypassing security measures and gaining unauthorized access to accounts.

The Scope of the Investigation

The investigation into Scattered Spider’s activities has been extensive. In January 2024, U.S. authorities arrested another alleged member of the group, 19-year-old Noah Michael Urban from Palm Coast, Florida. Urban, who went by the nicknames “Sosa” and “King Bob,” was charged with stealing at least $800,000 from five victims over several months. Both Urban and Buchanan are believed to be part of a larger, loosely affiliated cybercriminal community known as “The Com,” where hackers frequently boast about their exploits and share techniques.

Modus Operandi

Scattered Spider’s operations are characterized by their reliance on social engineering and phishing tactics. The group often targets employees of major corporations with SMS-based phishing attacks, tricking them into providing credentials on fake login pages that mimic their employer’s authentication systems. These phishing sites are designed to capture login details and multi-factor authentication codes, which are then used to gain access to corporate networks.

One notable incident involved the encrypted messaging app Signal, which reported that attackers had re-registered the phone numbers of about 1,900 users. Another significant breach occurred at Mailchimp, where the attackers accessed data from 214 customers involved in cryptocurrency and finance. The password manager service LastPass also fell victim, with attackers stealing source code and technical information, eventually leading to the theft of encrypted password vaults.

Physical Reprisals and Turf Wars

The cybercriminal underworld is not without its dangers. Both Buchanan and Urban have reportedly been targets of physical attacks by rival SIM-swapping gangs. In one incident, Urban’s family home in Florida was vandalized, and in another, a junior member of his crew was kidnapped and held for ransom. Buchanan himself was assaulted in a home invasion in February 2023, during which his mother was injured, and he was threatened with severe violence if he did not surrender the keys to his cryptocurrency wallets. Following this attack, Buchanan fled the United Kingdom.

The Arrest and Ongoing Investigation

Buchanan’s arrest was the result of a tip-off from the FBI, leading to an international arrest warrant and a coordinated operation by Spanish police. His laptop and mobile phone were confiscated for forensic examination, which is expected to yield further insights into the activities of Scattered Spider.

While the connection between Buchanan and Scattered Spider has yet to be officially confirmed by authorities, the details of his arrest and the tactics described by the Spanish police strongly align with the group’s known activities. Buchanan’s arrest is a significant blow to the group, which has caused substantial financial and reputational damage to numerous organizations.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time.
