Scattered Spider: Update on Arrests

June 27, 2024

As DarkOwl has previously reported, several high-profile attacks, including those against MGM casinos and Caesars Palace, have been attributed to a group known as Scattered Spider. The group is known to use social engineering techniques to target call center staff in order to gain access to systems. Active since early 2022, Scattered Spider is also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra and is largely financially motivated.

Many cyber security researchers hypothesized that the actors were Western-based, due to the times that they operated and the language used, but little is known about the individuals behind the attacks. Although the group has been named Scattered Spider by researchers, it is thought that many different groups of individuals have been involved in this and other nefarious activity.

The FBI announced in May that it was seeking to charge members of the Scattered Spider group. However, the first individual purported to be a member of Scattered Spider was arrested in January 2024 in Florida. Noah Michael Urban, who is 19 years old, was charged with stealing $800,000 from 5 victims. He is awaiting trial.

On June 14th, VX Underground reported via X (formerly Twitter) that a 22-year-old British man was arrested in Palma de Mallorca, Spain. The arrest was reported to be part of a multi-agency operation between the FBI and Spanish authorities.

An official statement said that the individual was alleged to be behind a series of large enterprise “hacks” which resulted in the theft of corporate information.

Further reporting indicated that the individual arrested used the alias “Tyler” and that he was a SIM swapper allegedly involved in the Scattered Spider group. VX Underground reported: “Most notably he is believed to be a key component of the MGM ransomware attack, and is believed to be associated with several other high profile ransomware attacks performed by Scattered Spider.”

A video circulated online purported to show this individual being arrested by Spanish authorities as he attempted to board a flight to Italy.

Scattered Spider is also reported to be behind the Oktapus campaign, which used SMS phishing to target several high-profile organizations. The arrested individual was reported to be active in SIM swapping.

Brian Krebs later reported that the individual arrested was Tyler Buchanan from Dundee, Scotland, who used the alias “tylerb” on SIM-swapping channels.

A search for further information relating to Tyler Buchanan in DarkOwl Vision shows that the individual was doxed in January of this year. Details were shared on the Doxbin site, including his full name, address, telephone numbers, email addresses, IP addresses, usernames and social media accounts.

The post seems to have been made by a rival, who appears to have shared the information in retaliation for Buchanan speaking about him, and who states that he has made money off him whereas Buchanan doesn’t have money.

This was not the first time this individual was the victim of a dox: other posts identified in 2023 include financial information and information about his family members. Another post was found from as early as 2019.

A review of the usernames listed highlights that Buchanan was also active on several dark web markets selling financial information.  

Further reporting from Krebs indicated that Buchanan had been subject to an attack from a rival trying to access his cryptocurrency keys. In that event his mother was assaulted, highlighting the real-world risks posed by these criminal groups and by sharing their information online.

We will await further information from law enforcement on what Buchanan is charged with.  

