UK authorities have arrested a 17-year-old in connection with last year’s cyberattacks on Caesars and MGM Resorts International. The teenager from Walsall in central England is accused of belonging to the hacking group Scattered Spider and has been charged with blackmail and violations of the Computer Misuse Act.
On July 18, the Regional Organised Crime Unit for the West Midlands in Walsall took the suspect into custody and released him on bail. Walsall authorities collaborated with the UK’s National Crime Agency, the FBI, and MGM Resorts on the investigation. They executed a search warrant at the suspect’s home, seizing digital devices for forensic examination.
The law enforcement agency did not disclose the suspect’s identity due to his age. Authorities also didn’t specify his alleged role or degree of involvement with Scattered Spider. The hacker group claimed responsibility for the MGM and Caesars attacks alongside ransomware provider ALPHV.
However, according to Bloomberg, the suspect has been on law enforcement agencies’ radar for “years.”
Sources told the news agency that he is a core member of the Starfraud Telegram channel. According to the US Cybersecurity and Infrastructure Security Agency, Starfraud is another name for Scattered Spider.
MGM Has Helped The Investigation
As part of the police announcement, MGM said it was proud to have supported the arrest and added,
“By voluntarily shutting down our systems, refusing to pay a ransom, and working with law enforcement on their investigation and response, the message to criminals was clear: it’s not worth it.”
In a statement, Bryan Vorndran, assistant director of the FBI’s cyber division, said that the arrest attests to the agency’s strong domestic and international partnerships. He added,
“The FBI, in coordination with its partners, will continue to relentlessly pursue malicious actors who target American companies, no matter where they may be located or how sophisticated their techniques are.”
Bloomberg sources say the FBI has been working with MGM’s lawyers and IT team since the September attack.
However, despite working with and helping FBI agents, MGM has been less cooperative with the Federal Trade Commission (FTC), which is conducting an investigation of its own. MGM sued the FTC in April for violating the company’s Fifth Amendment rights. In June, the federal agency hit back and petitioned the Nevada District Court to force MGM to answer a civil investigation demand.
Spanish Police Arrested Another Scattered Spider Member
The British teen is the second suspect to have been arrested in relation to the attacks on MGM and Caesars. On May 31, Spanish police arrested a 22-year-old British man whom they believe to be one of the group’s ringleaders. The arrest resulted from a joint investigation between Spanish authorities and the FBI.
That suspect’s name has also not been officially disclosed. However, security-focused investigative journalist Brian Krebs believes it to be Tyler Buchanan, known as “tylerb” on Telegram SIM-swapping channels. Spanish law enforcement says it has connected the suspect to attacks on at least 45 US companies. He allegedly amassed 391 Bitcoin from the attacks, worth over $46 million at today’s trading price.
A third suspected Scattered Spider operative was arrested this year, though he may not have been involved in the casino attacks. In January, US authorities detained 19-year-old Noah Michael Urban in Florida. Prosecutors believe Urban, allegedly operating under the hacker nicknames “Sosa” and “King Bob,” stole at least $800,000 from five victims.
Scattered Spider Still a Threat Despite Arrests
While the arrests are a big step forward for authorities, Scattered Spider remains a significant threat. The group’s membership is widespread, and tracking its activities is difficult. Compounding the confusion are the group’s many aliases, including UNC3944, Oktapus, Roasted Oktapus, Scatter Swine, Octo Tempest, and Muddled Libra. Some cybersecurity vendors regard these as different but overlapping groups based on their tactics, making it hard to combine the vendors’ data sets into a coherent picture of the situation.
Scattered Spider has been very active in the last few years and is responsible for over 100 cyber attacks. These include hacks targeting Coinbase, Reddit, DoorDash, HubSpot, and Riot Games. While not confirmed, Scattered Spider is also reputed to have targeted financial companies like Visa and PNC Financial.
The group’s constant shift in target industries and techniques complicates tracking efforts. In the MGM and Caesars attacks, Scattered Spider partnered with ALPHV, the leading ransomware group at the time. Recently, Microsoft said the hackers have added RansomHub and Qilin, newer and more powerful ransomware variants, to their arsenal.