Almost ten months after MGM Resorts and Caesars Entertainment suffered costly cyberattacks, Spanish authorities have arrested a 22-year-old British man believed to be the ringleader behind the hacking group Scattered Spider. Spanish police arrested the suspect on May 31 in Palma de Mallorca, Spain, as he attempted to board a private flight to Naples, Italy.
Scattered Spider and ransomware provider ALPHV (also known as BlackCat and Noberus) claimed joint responsibility for MGM’s and Caesars’ hacking-related troubles shortly after the attacks.
So far, the suspect remains officially unnamed. Spanish law enforcement has claimed that he’s linked to attacks on at least 45 companies in the United States. During the arrest, police also seized the suspect’s laptop and cell phone. He allegedly amassed 391 bitcoin through the many attacks, worth roughly $24 million at today’s trading price.
Notably, the arrest resulted from a joint investigation between the Spanish National Police and the US Federal Bureau of Investigation (FBI) that began last year.
Cyber Experts Uncover Suspect's Possible Identity
Spanish news source Murcia Today (MT) first reported the international arrest on June 14. That report revealed that FBI officials in Los Angeles first became interested in the suspect after attacks on several US-based companies.
After contacting Spanish authorities, the latter confirmed that the suspect had entered Spain through Barcelona in May. Subsequent investigations pinpointed his presence in Mallorca. According to MT, with his location verified, a Los Angeles judge issued a warrant, which police executed as he attempted to depart for Italy. Investigations reportedly have continued in Spain and California.
While the suspect has yet to be identified by police, security-focused investigative journalist Brian Krebs believes him to be Tyler Buchanan, known as “tylerb” on Telegram SIM-swapping channels.
Krebs bases his conclusion on claims by vx-underground, a cybercrime-focused Twitter/X account, which identified the suspect as a SIM-swapper using the alias “Tyler.” SIM-swapping involves transferring a target’s phone number to a device under the attacker’s control, typically by persuading or bribing carrier staff to port the number. That control lets the swapper receive the victim’s texts and phone calls, including SMS one-time passcodes and password reset links, which is why SMS-based authentication is a weak second factor against this group.
In an X post on June 15, vx-underground said “Tyler” is thought to be a “key” to the MGM attack, among other high-profile Scattered Spider hacks.
He is a known SIM-swapper and is allegedly involved with the infamous Scattered Spider group.
Arrest Squashes Second Scattered Spider in 2024
In January, US officials arrested another suspected Scattered Spider operative, 19-year-old Noah Michael Urban, in Florida. In that case, Urban faces wire fraud and aggravated identity theft charges. Prosecutors allege Urban stole a minimum of $800,000 from five separate victims.
Per Krebs, authorities believe Urban is part of the Scattered Spider crew that hacked Twilio and others in 2022. Urban allegedly operated under the hacker nicknames “Sosa” and “King Bob.”
Krebs also noted another popular SIM-swapping Telegram channel that tracks the “most accomplished SIM-swappers” on a frequently updated leaderboard. The board ranks the top swappers by their “supposed conquests in stealing cryptocurrency.” At the time of writing, the board listed Sosa at #24 and tylerb at #65.
However, despite the recent arrests, Scattered Spider’s diffuse structure and tactical evolution allow the group to remain a cybercrime threat. According to a report from CSOonline.com, some members have joined forces with RansomHub, a ransomware group reportedly spun off from ALPHV.
Takedowns May Have Little Long-Term Effect
Michael McPherson, a former FBI special agent and senior vice president of security operations at ReliaQuest, told CSO the arrests may “sow distrust and uncertainty.”
But while more arrests are still possible, McPherson said they’ll ultimately be little more than a speed bump without long-term legal pressure.
Robert McArdle, director of forward threat research at Trend Micro, was less sure the arrests would have much effect on the hacker group.
McArdle told CSO that criminal groups tend to organize loosely into collectives that collaborate only briefly.
They can and will take on additional roles in the structure where gaps for positions like a current leader, recruiters, PR or others may appear. If one person is removed from that setup due to arrest or falling out, the group adapts quite easily to redistribute roles.
To that end, Reuters reported last month that the FBI is preparing to bring more charges against the group that first became prominent in 2022.