Suspected Scattered Spider Leader Extradited from Spain

On Wednesday, Spanish officials extradited Tyler Buchanan, the suspected leader of the Scattered Spider cybercrime organization, to the United States. He is currently being held without bail at a federal facility in downtown Los Angeles.

Buchanan, a 23-year-old from Dundee, Scotland, faces serious charges that include wire fraud, aggravated identity theft, and conspiracy. He made his first court appearance in the U.S. District Court for the Central District of California on the same day as his extradition.

Authorities apprehended Buchanan last year in Palma de Mallorca, acting on a request from the FBI’s Los Angeles division. He was arrested as he prepared to board a flight to Naples.

According to reports from Spanish law enforcement, Buchanan operated under the alias “Tyler” and is linked to a prolific cybercrime group known to have compromised 130 companies globally, with 45 situated in the United States.

Victims attributed to the group include well-known brands such as MGM Resorts, Clorox, and Coinbase Global. Spanish authorities estimated that the group has stolen 391 bitcoins, collectively worth over $27 million. Their tactics reportedly involve social engineering methods such as SIM-swapping, phishing attacks, and demanding hefty ransoms from their victims.

An FBI affidavit cites an IP address linked to Buchanan that was used to access a domain registrar to create fraudulent domains mimicking legitimate businesses in sectors like telecommunications and cryptocurrency. This investigation led to a search warrant executed at his residence, where authorities seized around 20 electronic devices.

Analysis of these devices revealed that Buchanan employed a phishing kit to relay stolen credentials to other group members via Telegram. Moreover, he registered various phishing domains, including one masquerading as the single sign-on service, Okta.

Scattered Spider, also known as UNC3944 and Scatter Swine, emerged in late 2022 and comprises members predominantly based in the U.S. and the U.K. One of its key members, Noah Urban, known as “King Bob,” recently pled guilty to federal charges linked to a series of high-profile cyberattacks against major corporations.

Federal prosecutors indicated that several additional suspected members of Scattered Spider, along with Buchanan and Urban, were cited in a grand jury indictment unsealed late last year.

Continuing its operations into 2024, the group has consistently targeted cloud infrastructure for credential theft, as highlighted in a recent report by Google Mandiant. This emphasizes the importance of understanding cybersecurity risks and the tactics employed, such as initial access and persistence from the MITRE ATT&CK framework, which are critical for strategizing effective defense mechanisms.