A 22-year-old man from the United Kingdom who was arrested this week in Spain is suspected of being the leader of Scattered Spider, a cybercrime group suspected of hacking Twilio, LastPass, DoorDash, Mailchimp and about 130 other organizations in the last two years.
The Spanish daily Murcia Today reports that the suspect was wanted by the FBI and was arrested in Palma de Mallorca while trying to board a flight to Italy.
“He is accused of hacking corporate accounts and stealing sensitive information, which allegedly enabled the group to receive millions of dollars,” wrote Murcia Today. “According to Palma police, at one point he controlled $27 million worth of Bitcoins.”
The Twitter/X account vx-underground, which focuses on cybercrime, said the UK man who was arrested is a SIM-swapper who went by the name “Tyler.” In a SIM swap attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes used for verification, or password reset links sent via SMS.
“He is a known SIM-swapper and is suspected of being involved with the famous Scattered Spider gang,” vx-underground wrote on June 15, referring to the gang involved in the costly data attacks at the MGM and Caesars casinos in Las Vegas last year.
Sources familiar with the investigation told KrebsOnSecurity that the suspect is Tyler Buchanan, a 22-year-old from Dundee, Scotland, who allegedly is also known as “tylerb” on Telegram chat channels dedicated to SIM swapping.
In January 2024, US authorities arrested another Scattered Spider member, 19-year-old Noah Michael Urban of Palm Coast, Fla., and charged him with stealing at least $800,000 from five victims between August 2022 and March 2023. Urban allegedly used the aliases “Sosa” and “King Bob,” and is believed to be part of the group that hacked Twilio and dozens of other companies in 2022.
Investigators say Scattered Spider members are part of a widespread cybercriminal community known as “the Com,” where criminals of different specialties brag about sophisticated cybercrime that almost always starts with social engineering — tricking people by phone, email or SMS into providing credentials that allow remote access to corporate internal networks.
One of the most popular SIM-swapping channels on Telegram maintains a frequently updated leaderboard of the most accomplished SIM-swappers, ranked by their perceived success in stealing cryptocurrency. That leaderboard currently ranks Sosa at #24 (out of 100), and Tylerb at #65.
0KTAPUS
In August 2022, KrebsOnSecurity wrote about a peek inside the data collected in the months-long Scattered Spider cybercrime campaign, which involved a series of SMS-based phishing attacks on employees at large companies. The security firm Group-IB called this group by another name, 0ktapus, a nod to how the gang phished workers for their Okta credentials.
The criminals sent employees a link to a phishing page impersonating their employer’s Okta authentication page. Those who submitted their credentials were then prompted to enter the one-time password required for multi-factor authentication.
These phishing attacks used newly registered domains that often included the target company’s name, and the messages urged employees to click on links to these domains to view information about a pending change in their work schedule. The phishing sites also included a Telegram bot that forwarded any submitted credentials in real time, allowing the attackers to use the phished username, password and one-time code to log in as that employee on the employer’s real website.
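The lookalike-domain pattern described above (freshly registered domains carrying the target company’s name, sometimes with “0kta”-style substitutions) is something a defender can hunt for in outbound proxy or DNS logs. The script below is an added example written for this page, not code from KrebsOnSecurity, Group-IB or any of the companies named; the brand tokens, the allowlist and the log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Organisation-specific values; hypothetical, chosen for this example.
BRAND_TOKENS = {"examplecorp", "okta"}
ALLOWED_DOMAINS = {"examplecorp.com", "examplecorp.okta.com", "okta.com"}

# Fold common digit/symbol substitutions so "0kta" and "examp1ecorp" still match.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed sample of web proxy log lines: timestamp, user, destination host, path.
SAMPLE_LOG = """\
2022-08-04T13:02:11Z alice examplecorp.okta.com /app/UserHome
2022-08-04T13:05:44Z bob examplecorp-sso.com /login
2022-08-04T13:06:02Z bob examplecorp-sso.com /mfa
2022-08-04T13:09:30Z carol 0kta-examplecorp.net /
2022-08-04T13:10:15Z dave okta.com /help/docs
2022-08-04T13:12:58Z erin examp1ecorp-schedule.com /schedule-change
2022-08-04T13:14:07Z frank news.example.org /
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<path>\S+)$")


@dataclass(frozen=True)
class Finding:
    user: str
    host: str
    matched_token: str
    path: str


def registrable_domain(host):
    """Return the last two labels of a host name ('brand-sso.com').
    Simplification: production code should consult the Public Suffix List
    so that names under suffixes such as .co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_allowed(host):
    """True if the host is one of our legitimate domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def matched_brand(host):
    """Return the brand token found in the folded host name, longest first, else None."""
    folded = host.lower().translate(FOLD)
    for token in sorted(BRAND_TOKENS, key=len, reverse=True):
        if token in folded:
            return token
    return None


def scan(log_text):
    """Flag every request to a host that impersonates a brand but is not allowlisted."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        host = m["host"]
        if is_allowed(host):
            continue
        token = matched_brand(host)
        if token:
            findings.append(Finding(m["user"], host, token, m["path"]))
    return findings


def summarize(findings):
    """Group hits by lookalike domain -> set of users, so the responder sees who to contact."""
    by_domain = {}
    for f in findings:
        by_domain.setdefault(registrable_domain(f.host), set()).add(f.user)
    return by_domain


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for domain, users in sorted(summarize(hits).items()):
        print(f"{domain}: {', '.join(sorted(users))}")
```

Every user in the summary is a candidate for an immediate password and MFA reset, since a submitted one-time code on such a site is, as the article notes, relayed to the attacker in real time; the only durable fix is a phishing-resistant factor such as a FIDO2 security key, which refuses to sign for an origin that does not match the real site.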
One of the first major victims of Scattered Spider in its 2022 phishing spree was Twilio, a company that provides services for making and receiving text messages and phone calls. The group then pivoted, using its access to Twilio to attack at least 163 of its customers.
Among those was the encrypted messaging app Signal, which said the breach could have allowed attackers to re-register a phone number on another device for about 1,900 users.
Also in August 2022, several employees at the email marketing company Mailchimp provided their remote access credentials to this phishing group. According to Mailchimp, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.
On August 25, 2022, password manager service LastPass disclosed a breach in which attackers had access to source code and LastPass’ proprietary technical information, and a few weeks later LastPass said that an investigation revealed that no customer data or passwords were accessed.
However, on November 30, 2022, LastPass disclosed a more serious breach that the company said was carried out using sensitive data stolen in the August breach. LastPass said hackers stole encrypted copies of some password vaults, as well as other personal information.
In February 2023, LastPass disclosed that the breach involved a more sophisticated attack targeting an engineer who was one of four LastPass employees with access to the corporate vault. In that incident, attackers exploited a security vulnerability in a Plex media server that the employee was running on his home network, and successfully installed malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the attackers had been patched in 2020, but the employee had not updated his Plex software.
Plex announced its data breach one day before LastPass disclosed its first August breach. On August 24, 2022, Plex’s security team urged users to reset their passwords, saying a hacker had accessed customer emails, usernames and encrypted passwords.
TURF WARS
Sosa and Tylerb were both physically attacked by rival SIM-swapping gangs. These communities are known to settle scores by turning to so-called “violence-as-a-service” cybercrime channels, where people can be hired to carry out various “in real life” jobs at a given location, such as bricking windows, slashing car tires, or home invasions.
In 2022, a video surfaced on a popular cybercrime channel purportedly showing attackers throwing a brick through a window at an address that appeared to be the home of Urban’s parents in Sanford, Fla.
KrebsOnSecurity’s January story on Sosa noted that a young member of his gang known as “Foreshadow” was kidnapped, beaten and held for ransom in September 2022. Foreshadow’s captors held guns to his bloodied head while forcing him to record a video message imploring his crew to fork over a $200,000 ransom in exchange for his life (Foreshadow survived the ordeal).
According to SIM-swapping channels on Telegram that Tylerb is known to frequent, rival SIM-swappers hired thugs to attack his home in February 2023. Those accounts said the attackers assaulted Tylerb’s mother during the home invasion, and threatened to burn him with a blowtorch if he didn’t hand over the keys to his cryptocurrency wallet. Tylerb is said to have fled the United Kingdom after the attack.
KrebsOnSecurity sought comment from Mr. Buchanan, and will update this story if he responds.