Suspected Scattered Spider Head Extradited From Spain

Spanish authorities extradited on Wednesday the suspected head of the Scattered Spider cybercrime group to the United States, where he is being held without bail in a downtown Los Angeles federal prison.

See Also: OnDemand | North Korea’s Secret IT Army and How to Combat It

Tyler Buchanan, a 23-year-old from Dundee, Scotland, faces charges for wire fraud, aggravated identity theft and conspiracy. His initial court appearance was in the U.S. District for the Central District of California, also on Wednesday.

Spanish police detained Buchanan last year at the request of the FBI’s Los Angeles unit in Palma de Mallorca, when he was about to leave the country for Naples on a chartered flight (see: Spanish Police Bust Alleged Leader of Scattered Spider).

Spanish authorities say Buchanan, who operated under the alias “Tyler,” is the suspected head of Scattered Spider, a prolific cybercrime group that allegedly hacked 130 companies, including 45 in the United States.

Alleged victims of the group include MGM Resorts, Clorox and cryptocurrency trading platform Coinbase Global. The group is estimated to have stolen 391 bitcoins, valued over $27 million from its victims, Spanish police said. The group is known for tricking help desks using their native English-speaking skills, running SIM-swap and phishing attacks, overwhelming targets with multifactor authentication push requests and demanding massive ransoms from victims (see: Will Arrests Squash Scattered Spider’s Cybercrime Assault?).

An FBI affidavit says an IP address leased by Buchanan during 2022 logged onto a NameCheap domain name registrar account used to create domains designed to mimic telecommunications, cryptocurrency exchange and tech companies. The IP address led Police Scotland to search Buchanan’s address, where officers seized approximately 20 devices.

Forensic copies of the devices showed that Buchanan apparently used a phishing kit to transmit stolen credentials to other members of Scattered Spider over a Telegram channel. Investigators also found that Buchanan registered at least one phishing domain and controlled a Gmail address used to register other phishing domains, including one impersonating single sign on provider Okta.

Scattered Spider, also tracked as UNC3944, Scatter Swine, and Muddled Libra, first emerged in late 2022 and consists of members from the United States and the United Kingdom. Noah Urban, a leading member the hacking group and known as “King Bob,” pleaded guilty earlier this month to federal charges tied to a string of cyberattacks on major U.S. companies.

Federal prosecutors indicated three other suspected members of Scattered Spider in addition to Urban and Buchanan in a grand jury indictment unsealed late last year (see: Feds Indict 5 Suspects Tied to Scattered Spider Cybercrime).

The group stayed active throughout 2024, regularly targeting cloud infrastructure for credential theft, a recent Google Mandiant report said in a recent report.