Law enforcement authorities have reportedly apprehended a key member of the infamous cybercrime group known as Scattered Spider.
The suspect, a 22-year-old individual from the UK, was apprehended in the Spanish city of Palma de Mallorca while trying to board a flight to Italy. The arrest is said to be a collaborative effort between the U.S. FBI and the Spanish Police.
The news of the arrest was initially brought to light by Murcia Today on June 14, 2024, with vx-underground subsequently disclosing that the detained individual is linked to various high-profile ransomware attacks conducted by Scattered Spider.
The arrested party was identified by the malware research group as a SIM swapper operating under the alias “Tyler.” SIM-swapping attacks involve transferring a target’s phone number to a SIM card controlled by the attacker to intercept messages, including one-time passwords (OTPs), and gain control of their online accounts.
According to security journalist Brian Krebs, “Tyler” is believed to be a 22-year-old from Scotland named Tyler Buchanan, known as “tylerb” in Telegram channels related to SIM-swapping.
Tyler is the second member of Scattered Spider to be apprehended after Noah Michael Urban, who was charged by the U.S. Justice Department in February with wire fraud and aggravated identity theft.
Scattered Spider, also operating under aliases such as 0ktapus, Octo Tempest, and UNC3944, is a financially motivated threat group notorious for using sophisticated social engineering attacks to infiltrate organizations. The group is suspected to be a part of a larger cybercriminal gang called The Com.
The group initially focused on credential harvesting and SIM swapping but later shifted to ransomware and data theft extortion, eventually moving to encryptionless extortion attacks targeting data from SaaS applications.
According to Google-owned Mandiant, members of Scattered Spider have used fear tactics to gain access to victim credentials, including threats of doxxing and physical harm.
UNC3944, associated with Scattered Spider, exhibits similarities to another cybercriminal cluster known as Muddled Libra, targeting SaaS applications for data theft. However, Mandiant clarified that they should not be considered the same group.
The group has leveraged phishing kits to steal Okta sign-in credentials and expanded their intrusion by self-assigning compromised accounts on Okta to access Cloud and SaaS applications.
Attack chains involve reconnaissance, establishing persistence, evading defenses, and the use of legitimate cloud synchronization tools to export data to attacker-controlled storage.
Scattered Spider has also been observed using EDR solutions to run commands and access environments, targeting applications like Azure, CyberArk, Salesforce, and Workday for further reconnaissance.
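A defender reading the Okta self-assignment detail above may want a concrete detection. The following is an added illustration, not code from the article or from any vendor: it scans Okta-style system log events for application memberships where the acting account is also the account being granted access. The event type name `application.user_membership.add` and the `actor`/`target` field layout are modelled on Okta's System Log format as the author understands it; the sample events are constructed here and do not come from any real tenant.

```python
"""Flag Okta application assignments where the actor grants access to itself.

Scattered Spider is reported to self-assign compromised Okta accounts to cloud
and SaaS applications. A benign assignment is normally performed by an admin
(actor) on behalf of a different user (target); an assignment where actor and
target are the same account is worth a closer look.
"""
from typing import Dict, Iterable, List

# Assumed Okta System Log event type for adding a user to an application.
SELF_ASSIGN_EVENT = "application.user_membership.add"

# Constructed sample events (shape only; ids and names are made up).
SAMPLE_EVENTS: List[Dict] = [
    {   # admin alice assigns bob to Salesforce: different actor and target
        "eventType": SELF_ASSIGN_EVENT,
        "actor": {"id": "00u-alice", "displayName": "alice"},
        "target": [
            {"type": "User", "id": "00u-bob", "displayName": "bob"},
            {"type": "AppInstance", "id": "0oa-sfdc", "displayName": "Salesforce"},
        ],
        "published": "2024-06-01T10:00:00.000Z",
    },
    {   # mallory assigns mallory to Workday: actor equals target user
        "eventType": SELF_ASSIGN_EVENT,
        "actor": {"id": "00u-mallory", "displayName": "mallory"},
        "target": [
            {"type": "User", "id": "00u-mallory", "displayName": "mallory"},
            {"type": "AppInstance", "id": "0oa-workday", "displayName": "Workday"},
        ],
        "published": "2024-06-01T10:05:00.000Z",
    },
    {   # unrelated sign-in event, ignored by the check
        "eventType": "user.session.start",
        "actor": {"id": "00u-bob", "displayName": "bob"},
        "target": [],
        "published": "2024-06-01T10:06:00.000Z",
    },
]


def is_self_assignment(event: Dict) -> bool:
    """True when the actor of a membership-add event is also its target user."""
    if event.get("eventType") != SELF_ASSIGN_EVENT:
        return False
    actor_id = event.get("actor", {}).get("id")
    if not actor_id:
        return False
    return any(
        t.get("type") == "User" and t.get("id") == actor_id
        for t in event.get("target", [])
    )


def assigned_app(event: Dict) -> str:
    """Name of the application instance named in the event's targets, if any."""
    for t in event.get("target", []):
        if t.get("type") == "AppInstance":
            return t.get("displayName", t.get("id", "unknown"))
    return "unknown"


def find_self_assignments(events: Iterable[Dict]) -> List[Dict]:
    """Return compact findings for every self-assignment in the event stream."""
    findings = []
    for e in events:
        if is_self_assignment(e):
            findings.append({
                "user": e["actor"].get("displayName", e["actor"]["id"]),
                "app": assigned_app(e),
                "time": e.get("published"),
            })
    return findings


if __name__ == "__main__":
    for f in find_self_assignments(SAMPLE_EVENTS):
        print(f"SELF-ASSIGNMENT {f['time']} user={f['user']} app={f['app']}")
```

In practice the events would be pulled from the System Log API and the finding enriched with the account's recent sign-in and MFA enrollment history, since a self-assignment following a fresh factor enrollment from an unfamiliar network is the pattern that matters here.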
The FBI is reportedly preparing to charge members of Scattered Spider linked to over 100 attacks targeting organizations since May 2022.