{
	"id": "58d6777f-8583-46ce-9887-21300dde08af",
	"created_at": "2026-04-06T00:09:42.171306Z",
	"updated_at": "2026-04-10T03:31:50.045496Z",
	"deleted_at": null,
	"sha1_hash": "450c0e747a57faf99bac203566b0093b61dc75fa",
	"title": "Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 399378,
	"plain_text": "Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested\r\nPublished: 2024-06-16 · Archived: 2026-04-05 17:28:29 UTC\r\nA 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered\r\nSpider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130\r\nother organizations over the past two years.\r\nThe Spanish daily Murcia Today reports the suspect was wanted by the FBI and arrested in Palma de Mallorca as\r\nhe tried to board a flight to Italy.\r\nA still frame from a video released by the Spanish national police shows Tylerb in custody at the airport.\r\n“He stands accused of hacking into corporate accounts and stealing critical information, which allegedly enabled\r\nthe group to access multi-million-dollar funds,” Murcia Today wrote. “According to Palma police, at one point he\r\ncontrolled Bitcoins worth $27 million.”\r\nThe cybercrime-focused Twitter/X account vx-underground said the U.K. man arrested was a SIM-swapper who\r\nwent by the alias “Tyler.” In a SIM-swapping attack, crooks transfer the target’s phone number to a device they\r\ncontrol and intercept any text messages or phone calls sent to the victim — including one-time passcodes for\r\nauthentication, or password reset links sent via SMS.\r\n“He is a known SIM-swapper and is allegedly involved with the infamous Scattered Spider group,” vx-underground wrote on June 15, referring to a prolific gang implicated in costly data ransom attacks at MGM and\r\nCaesars casinos in Las Vegas last year.\r\nSources familiar with the investigation told KrebsOnSecurity the accused is a 22-year-old from Dundee, Scotland\r\nnamed Tyler Buchanan, also allegedly known as “tylerb” on Telegram chat channels centered around SIM-swapping.\r\nhttps://krebsonsecurity.com/2024/06/alleged-boss-of-scattered-spider-hacking-group-arrested/\r\nPage 1 of 4\n\nIn January 2024, U.S. 
authorities arrested another alleged Scattered Spider member — 19-year-old Noah Michael\r\nUrban of Palm Coast, Fla. — and charged him with stealing at least $800,000 from five victims between August\r\n2022 and March 2023. Urban allegedly went by the nicknames “Sosa” and “King Bob,” and is believed to be part\r\nof the same crew that hacked Twilio and a slew of other companies in 2022.\r\nInvestigators say Scattered Spider members are part of a more diffuse cybercriminal community online known as\r\n“The Com,” wherein hackers from different cliques boast loudly about high-profile cyber thefts that almost\r\ninvariably begin with social engineering — tricking people over the phone, email or SMS into giving away\r\ncredentials that allow remote access to corporate internal networks.\r\nOne of the more popular SIM-swapping channels on Telegram maintains a frequently updated leaderboard of the\r\nmost accomplished SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That\r\nleaderboard currently lists Sosa as #24 (out of 100), and Tylerb at #65.\r\n0KTAPUS\r\nIn August 2022, KrebsOnSecurity wrote about peering inside the data harvested in a months-long cybercrime\r\ncampaign by Scattered Spider involving countless SMS-based phishing attacks against employees at major\r\ncorporations. The security firm Group-IB called the gang by a different name — 0ktapus, a nod to how the\r\ncriminal group phished employees for credentials.\r\nThe missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta\r\nauthentication page. Those who submitted credentials were then prompted to provide the one-time password\r\nneeded for multi-factor authentication.\r\nThese phishing attacks used newly-registered domains that often included the name of the targeted company, and\r\nsent text messages urging employees to click on links to these domains to view information about a pending\r\nchange in their work schedule. 
The phishing sites also featured a hidden Telegram instant message bot to forward\r\nany submitted credentials in real-time, allowing the attackers to use the phished username, password and one-time\r\ncode to log in as that employee at the real employer website.\r\nOne of Scattered Spider’s first big victims in its 2022 SMS phishing spree was Twilio, a company that provides\r\nservices for making and receiving text messages and phone calls. The group then pivoted, using their access to\r\nTwilio to attack at least 163 of its customers.\r\nA Scattered Spider phishing lure sent to Twilio employees.\r\nAmong those was the encrypted messaging app Signal, which said the breach could have let attackers re-register\r\nthe phone number on another device for about 1,900 users.\r\nAlso in August 2022, several employees at email delivery firm Mailchimp provided their remote access\r\ncredentials to this phishing group. According to Mailchimp, the attackers used their access to Mailchimp\r\nemployee accounts to steal data from 214 customers involved in cryptocurrency and finance.\r\nOn August 25, 2022, the password manager service LastPass disclosed a breach in which attackers stole some\r\nsource code and proprietary LastPass technical information, and weeks later LastPass said an investigation\r\nrevealed no customer data or password vaults were accessed.\r\nHowever, on November 30, 2022 LastPass disclosed a far more serious breach that the company said leveraged\r\ndata stolen in the August breach. LastPass said criminal hackers had stolen encrypted copies of some password\r\nvaults, as well as other personal information.\r\nIn February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against an\r\nengineer who was one of only four LastPass employees with access to the corporate vault. 
In that incident, the\r\nattackers exploited a security vulnerability in a Plex media server that the employee was running on his home\r\nnetwork, and succeeded in installing malicious software that stole passwords and other authentication credentials.\r\nThe vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex\r\nsoftware.\r\nPlex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24,\r\n2022, Plex’s security team urged users to reset their passwords, saying an intruder had accessed customer emails,\r\nusernames and encrypted passwords.\r\nTURF WARS\r\nSosa and Tylerb were both subjected to physical attacks from rival SIM-swapping gangs. These communities have\r\nbeen known to settle scores by turning to so-called “violence-as-a-service” offerings on cybercrime channels,\r\nwherein people can be hired to perform a variety of geographically-specific “in real life” jobs, such as bricking\r\nwindows, slashing car tires, or even home invasions.\r\nIn 2022, a video surfaced on a popular cybercrime channel purporting to show attackers hurling a brick through a\r\nwindow at an address that matches the spacious and upscale home of Urban’s parents in Sanford, Fl.\r\nJanuary’s story on Sosa noted that a junior member of his crew named “Foreshadow” was kidnapped, beaten and\r\nheld for ransom in September 2022. Foreshadow’s captors held guns to his bloodied head while forcing him to\r\nrecord a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life\r\n(Foreshadow escaped further harm in that incident).\r\nAccording to several SIM-swapping channels on Telegram that Tylerb was known to frequent, rival SIM-swappers hired thugs to invade his home in February 2023. 
Those accounts state that the intruders assaulted\r\nTylerb’s mother in the home invasion, and that they threatened to burn him with a blowtorch if he didn’t give up\r\nthe keys to his cryptocurrency wallets. Tylerb was reputed to have fled the United Kingdom after that assault.\r\nKrebsOnSecurity sought comment from Mr. Buchanan, and will update this story in the event he responds.\r\nSource: https://krebsonsecurity.com/2024/06/alleged-boss-of-scattered-spider-hacking-group-arrested/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://krebsonsecurity.com/2024/06/alleged-boss-of-scattered-spider-hacking-group-arrested/"
	],
	"report_names": [
		"alleged-boss-of-scattered-spider-hacking-group-arrested"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest",
				"Roasted 0ktapus",
				"Scatter Swine",
				"Scattered Spider",
				"UNC3944"
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434182,
	"ts_updated_at": 1775791910,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/450c0e747a57faf99bac203566b0093b61dc75fa.pdf",
		"text": "https://archive.orkl.eu/450c0e747a57faf99bac203566b0093b61dc75fa.txt",
		"img": "https://archive.orkl.eu/450c0e747a57faf99bac203566b0093b61dc75fa.jpg"
	}
}