FBI Arrests Alleged Leader of ‘Scattered Spider’ Hacking Group

Written by Lore Apostol
Published on June 17, 2024

A 22-year-old individual from the United Kingdom, believed to be the mastermind behind the global cybercrime group Scattered Spider, was apprehended in Spain by the FBI this week. The local Spanish press reports that the suspect was arrested in Palma de Mallorca when he tried to board a flight to Italy.

A source says the man is a SIM swapper who operated under the alias ‘Tyler,’ believed to be a key component of Scattered Spider’s MGM and other high-profile ransomware attacks. According to the Palma Police Department, the individual controlled Bitcoin worth $27 million at one point.

Apparently, the accused is Tyler Buchanan from Dundee, Scotland, also allegedly known as “tylerb” on Telegram chat channels related to SIM-swapping, as reported by KrebsOnSecurity.

Another alleged Scattered Spider member, 19-year-old Noah Michael Urban of Palm Coast, Florida, was arrested by U.S. authorities in January. Urban, who reportedly went by the nicknames “Sosa” and “King Bob,” was charged with stealing at least $800,000 from five victims between August 2022 and March 2023 and has been connected to the 2022 Twilio hack and more.

Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) is a cyber-criminal group founded in May 2022 that engages in data extortion and other criminal activities. The FBI believes the group’s members mainly come from the US and the UK. 

They use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).

Their campaigns use tools such as Fleetdeck, Level, Mimikatz, Ngrok, Pulseway, ScreenConnect, Splashtop, Tactical.RMM, Tailscale, and TeamViewer, along with the malware Raccoon Stealer, VIDAR Stealer, and AveMaria (also known as WarZone). The group has also been known to utilize BlackCat/ALPHV ransomware.

It targets large companies and their contracted information technology (IT) help desks. Over the past two years, it has been suspected of infiltrating Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations worldwide.
