British national with possible links to high-profile phishing campaigns arrested in Spain
The 22-year-old British man arrested by police in Spain last week is linked to an underground criminal group known as “the Com” and allegedly participated in harvesting nearly 10,000 login credentials related to more than 130 companies as part of high-profile 2022 phishing campaign, a researcher familiar with the matter told CyberScoop on Monday.
On Friday, Spanish police announced in a statement the arrest of an unidentified British national “responsible for the computer attack on 45 companies in the United States.”
The man was arrested at an airport in Palma — a resort city on the Spanish island of Mallorca — as he attempted to board a charter flight to Naples, police said.
Spanish authorities said the man “was the leader of an organized group dedicated to the theft of information from companies and cryptocurrencies and gained control of 391 bitcoins worth more than $27 million.”
VX-Underground, an online malware research and repository, said in a post Saturday on the social media platform X that the person arrested went by the name “Tyler” and that he was a known sim-swapper “allegedly involved with the infamous Scattered Spider group” and “believed to be a key component of the MGM ransomware attack,” referring to the September 2023 attack on MGM Resorts.
Cybersecurity journalist Brian Krebs subsequently reported that “Tyler” is Tyler Buchanan, a 22-year-old from Dundee, Scotland.
The FBI declined to comment Monday, and referred questions to the Department of Justice. Neither the National Crime Agency in London nor the British Consulate General in Madrid responded to questions about the arrest. A person who answered the phone in the press office of the National Police Corps in Spain referred questions about the matter to colleagues in Palma, who could not be reached for comment.
Speaking on condition of anonymity due to the threats facing researchers and others focused on the criminal ecosystem known as the Com, the researcher familiar with the matter cautioned that it’s not clear whether Buchanan was part of the group that attacked MGM.
Buchanan was allegedly part of the group that carried out a phishing campaign dubbed “0ktapus” by cybersecurity firm Group-IB, wherein nearly 10,000 username/password credentials associated with more than 130 companies were harvested as part of a massive 2022 phishing campaign, the researcher said.
Twilio, a cloud communications and marketing company, and Cloudflare, a content delivery network provider, were two prominent targets of that campaign.
In January, federal authorities arrested 19-year-old Noah Michael Urban in Florida for his alleged role in stealing at least $800,000 from at least five different victims as part of a cybercriminal operation in 2022 and 2023. Urban — who went by “Sosa,” “Elijah,” “King Bob,” and “Anthony Ramirez” online — was part of the group with Buchanan who carried out the 0ktapus campaign, the researcher told CyberScoop.
The use of the term “Scattered Spider” to refer to a group of aggressive criminal hackers was coined by the cybersecurity firm Crowdstrike, but that group is more of an ecosystem made up of primarily young and brash personas, some of whom participate in various financially motivated cybercrimes or other criminal activity. People within the community refer to it as the Com, and subgroups within it engage in various criminal conspiracies that include extortion, violence as a service and sim-swapping.
A senior FBI official told a cybersecurity conference last month that roughly 1,000 people compose the threat broadly defined as Scattered Spider, although it’s not clear how the bureau made that determination. The cybercriminals in that ecosystem present a top-three cybersecurity threat, said Bryan Vorndran, assistant director of the FBI’s cyber division, alongside the foreign intelligence agencies of China and Russia.
This story was updated June 17, 2024, to note that the FBI declined to comment.
