Alleged Scattered Spider ringleader taken down in Spain after law enforcement crackdown


Authorities in Spain have arrested a 22-year-old thought to be a prominent figure behind the notorious Scattered Spider hacking group, which has attacked hundreds of organizations over the last two years.

The group is suspected to be responsible for the attack that brought MGM Resorts to its knees in 2023, as well as high-profile breaches affecting Twilio, LastPass, GitLab, Apple, Walmart, and more.

On 15 June, Spanish media reported a hacker was arrested by local authorities, with assistance from the FBI, in Palma de Mallorca while trying to board a flight to Italy. 

Murcia Today reported that, according to Palma police, the suspect controlled $27 million worth of bitcoin at the time of the arrest.

Sources familiar with the investigation told KrebsOnSecurity the suspect was a 22-year-old from Dundee, Scotland, named Tyler Buchanan. Something of a notorious hacker, Buchanan is listed as number 64 of the 100 most accomplished SIM swappers, according to a Telegram channel dedicated to the fraud technique.

According to dark web monitor vx-underground, Buchanan is thought to have been a “key component” in the MGM Resorts ransomware attack, and associated with several more of the group’s highest-profile attacks.

This marks the second major arrest targeting the Scattered Spider group in 2024 after another prominent member, Michael Noah Urban, was arrested in January and charged with stealing over $800,000 in cryptocurrency from at least five different victims between August 2022 and March 2023.

Both Buchanan and Urban fit in the 19-22 age range typically associated with affiliates of the Scattered Spider group, thought to be a component of a larger global hacking network known as ‘the Community’ or ‘the Com’.

The Com is well known for hosting hackers from various organizations, who then boast about the various attacks they have carried out and the social engineering techniques they employed while doing so.

Redoubled efforts to squash Scattered Spider showing results

The FBI announced it was cracking down on the organization in May 2024, with researchers reporting the group was behind a campaign of attacks targeting insurance companies since April. 

Since then, the two high-profile arrests of Urban and now Buchanan indicate the bureau is achieving some success in its endeavors. But experts don’t think this will spell the end of the group’s malicious activities, with new leaders waiting in the wings to fill the void.

Speaking to ITPro, Javvad Malik, lead security awareness advocate at KnowBe4, said he expects the collective to continue operating despite losing two key figureheads in a short space of time.

“The arrest of a prominent figure, while certainly a win for law enforcement and a blow to the group’s operations, is unlikely to mark the end of Scattered Spider's malicious activities. Cybercriminal organizations, much like the mythical Hydra, tend to sprout new heads when one is cut off,” he explained.

“Cyber criminals are often characterized by a diffuse and decentralized structure. The arrest of Buchanan will undoubtedly disrupt operations, but the absence of a single ringleader often means someone else is primed to step into the void. This makes such groups resilient to disruptions.”

Malik also noted that members of groups like Scattered Spider will typically have long-reaching ties across the wider cyber crime community, and will be able to pool knowledge and resources to continue perpetrating attacks.

“The techniques and tools used by these gangs, such as SIM swapping, are often widely shared within the cyber criminal community. This knowledge doesn't vanish with the arrest of a few individuals. Tutorials, forums, and dark web marketplaces ensure that these methods can be perpetuated and refined by others,” he said.

“Members of groups like Scattered Spider are often part of broader cyber communities. Even with key arrests, the collective knowledge and resources available to other members mean that operations can persist.”

As such, Malik predicted that we can expect the group to return after a period of reduced activity while it reorganizes its operation.

“In the short term, we can expect a degree of disruption. The arrests will force Scattered Spider to regroup and reorganize. There may be a temporary reduction in their activities as new leadership takes the helm and reassesses their strategies.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.