Alleged Boss of Scattered Spider Hacking Group Arrested - Krebs on Security

A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years.

The Spanish daily Murcia Today reports the suspect was wanted by the FBI and arrested in Palma de Mallorca as he tried to board a flight to Italy.

A still frame from a video released by the Spanish national police shows Tylerb in custody at the airport.

"He stands accused of hacking into corporate accounts and stealing critical information, which allegedly enabled the group to access multi-million-dollar funds," Murcia Today wrote. "According to Palma police, at one point he controlled Bitcoins worth $27 million."

The cybercrime-focused Twitter/X account vx-underground said the U.K. man arrested was a SIM-swapper who went by the alias "Tyler." In a SIM-swapping attack, crooks transfer the target's phone number to a device they control and intercept any text messages or phone calls sent to the victim, including one-time passcodes for authentication or password reset links sent via SMS.

"He is a known SIM-swapper and is allegedly involved with the infamous Scattered Spider group," vx-underground wrote on June 15, referring to a prolific gang implicated in costly data ransom attacks at MGM and Caesars casinos in Las Vegas last year.

Sources familiar with the investigation told KrebsOnSecurity the accused is a 22-year-old from Dundee, Scotland named Tyler Buchanan, also allegedly known as "tylerb" on Telegram chat channels centered around SIM-swapping.

In January 2024, U.S. authorities arrested another alleged Scattered Spider member, 19-year-old Noah Michael Urban of Palm Coast, Fla., and charged him with stealing at least $800,000 from five victims between August 2022 and March 2023. Urban allegedly went by the nicknames "Sosa" and "King Bob," and is believed to be part of the same crew that hacked Twilio and a slew of other companies in 2022.

Investigators say Scattered Spider members are part of a more diffuse cybercriminal community online known as "The Com," wherein hackers from different cliques boast loudly about high-profile cyber thefts that almost invariably begin with social engineering: tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.

One of the more popular SIM-swapping channels on Telegram maintains a frequently updated leaderboard of the most accomplished SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That leaderboard currently lists Sosa as #24 out of 100, and Tylerb at #65.

In August 2022, KrebsOnSecurity wrote about peering inside the data harvested in a months-long cybercrime campaign by Scattered Spider involving countless SMS-based phishing attacks against employees at major corporations. The security firm Group-IB called the gang by a different name, 0ktapus, a nod to how the criminal group phished employees for credentials.

The missives asked users to click a link and log in at a phishing page that mimicked their employer's Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication.

These phishing attacks used newly-registered domains that often included the name of the targeted company, and sent text messages urging employees to click on links to these domains to view information about a pending change in their work schedule. The phishing sites also featured a hidden Telegram instant message bot to forward any submitted credentials in real time, allowing the attackers to use the phished username, password and one-time code to log in as that employee at the real employer website.

One of Scattered Spider's first big victims in its 2022 SMS phishing spree was Twilio, a company that provides services for making and receiving text messages and phone calls. The group then pivoted, using their access to Twilio to attack at least 163 of its customers.

A Scattered Spider phishing lure sent to Twilio employees.

Among those was the encrypted messaging app Signal, which said the breach could have let attackers re-register the phone number on another device for about 1,900 users.

Also in August 2022, several employees at email delivery firm Mailchimp provided their remote access credentials to this phishing group. According to Mailchimp, the attackers used their access to Mailchimp employee accounts to steal data from 214 customers involved in cryptocurrency and finance.

On August 25, 2022, the password manager service LastPass disclosed a breach in which attackers stole some source code and proprietary LastPass technical information, and weeks later LastPass said an investigation revealed no customer data or password vaults were accessed.

However, on November 30, 2022, LastPass disclosed a far more serious breach that the company said leveraged data stolen in the August breach. LastPass said criminal hackers had stolen encrypted copies of some password vaults, as well as other personal information.

In February 2023, LastPass disclosed that the intrusion involved a highly complex, targeted attack against an engineer who was one of only four LastPass employees with access to the corporate vault. In that incident, the attackers exploited a security vulnerability in a Plex media server that the employee was running on his home network, and succeeded in installing malicious software that stole passwords and other authentication credentials. The vulnerability exploited by the intruders was patched back in 2020, but the employee never updated his Plex software.

Plex announced its own data breach one day before LastPass disclosed its initial August intrusion. On August 24, 2022, Plex's security team urged users to reset their passwords, saying an intruder had accessed customer emails, usernames, and encrypted passwords.

Sosa and Tylerb were both subjected to physical attacks from rival SIM-swapping gangs. These communities have been known to settle scores by turning to so-called "violence-as-a-service" offerings on cybercrime channels, wherein people can be hired to perform a variety of geographically-specific, in-real-life jobs, such as bricking windows, slashing car tires, or even home invasions.

In 2022, a video surfaced on a popular cybercrime channel purporting to show attackers hurling a brick through a window at an address that matches the spacious and upscale home of Urban's parents in Sanford, Fla.

January's story on Sosa noted that a junior member of his crew named "Foreshadow" was kidnapped, beaten and held for ransom in September 2022. Foreshadow's captors held guns to his bloodied head while forcing him to record a video message pleading with his crew to fork over a $200,000 ransom in exchange for his life. Foreshadow escaped further harm in that incident.

According to several SIM-swapping channels on Telegram where Tylerb was known to frequent, rival SIM-swappers hired thugs to invade his home in February 2023. Those accounts state that the intruders assaulted Tylerb's mother in the home invasion, and that they threatened to burn him with a blowtorch if he didn't give up the keys to his cryptocurrency wallets. Tylerb was reputed to have fled the United Kingdom after that assault.

KrebsOnSecurity sought comment from Mr. Buchanan, and will update this story in the event he responds.
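As an added example that is not part of the article, a small defender-side triage check in Python for the SMS lure pattern described above: it pulls URLs out of a text message, skips the organisation's real SSO hosts, and flags any other host that reuses the company or Okta brand, noting separately whether the message carries the "work schedule change" pretext. The SSO hosts, brand tokens and sample messages are constructed placeholders; domain registration age (the "newly-registered" signal) needs a WHOIS/RDAP lookup and is not modelled here.

```python
import re
from urllib.parse import urlparse

# Constructed placeholders: the organisation's genuine SSO hosts and the
# brand words an impersonating domain would typically reuse.
LEGIT_SSO_HOSTS = {"example.okta.com", "sso.example.com"}
BRAND_TOKENS = ("example", "okta", "sso")
# Pretext phrases seen in the 2022 campaign (schedule-change lures).
LURE_PHRASES = ("work schedule", "schedule change", "shift change")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in an SMS body."""
    return URL_RE.findall(text)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def classify_sms(text):
    """Return [(host, [reasons])] for links that deserve escalation.

    A link to a known-good SSO host is never flagged. Any other host is
    flagged if it embeds a brand token; the schedule-change pretext is
    recorded as an extra reason when present in the same message.
    """
    lure = any(p in text.lower() for p in LURE_PHRASES)
    findings = []
    for url in extract_urls(text):
        host = host_of(url)
        if not host or host in LEGIT_SSO_HOSTS:
            continue
        reasons = []
        if any(tok in host for tok in BRAND_TOKENS):
            reasons.append("brand-token lookalike host")
        if lure:
            reasons.append("schedule-change lure")
        if reasons:
            findings.append((host, reasons))
    return findings


if __name__ == "__main__":
    # Constructed sample message in the style of the lure described above.
    sample = ("Your work schedule has changed. Review it at "
              "https://example-sso-okta.com/login before your next shift")
    for host, reasons in classify_sms(sample):
        print(host, "->", ", ".join(reasons))
```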
This entry was posted on Saturday, 15th of June 2024, 07:40 PM.
Great reporting as usual, Brian.

"The security firm Group-IB"

went to puke

Did you already open an account in Sberbank?

Sheesh. We used to get on conference calls and swat one another in the early 2000s for AOL/AIM hacker giggles, but these teens and young adults are taking things to some new felony levels.

Jerm, something tells me you don't know that swatting is illegal.

Victims to violence-as-a-service attacks? Perpetrators did a poor job covering their own tracks.

The instigators did a semi-reasonable job, but those doing it were easily found and convicted. Doing it for hire means they would roll over, because they otherwise face life in prison under racketeering charges.

I once spoke to Tyler two years ago in a Discord call. Who knew this would catch up to him. Great report, Krebs.

asdmsnadsn on discord
simon on ig

simon works with him, they're close buddies, he SIM-swaps