The U.S. Department of Justice (DoJ) dropped some serious news yesterday. They filed criminal charges against five people involved in the Scattered Spider cyber attacks, and among them is Tyler Robert Buchanan, a 22-year-old from Britain.
This group’s activities relied heavily on social engineering. They tricked their victims into handing over crucial IT credentials, hitting high-profile companies like Caesars Entertainment and MGM Resorts in Las Vegas. Buchanan got arrested back in June in Spain, and he’s up against charges like conspiracy to commit wire fraud, wire fraud, and aggravated identity theft. Authorities had been watching him since a raid on his home in Scotland last year turned up evidence linking him to the gang.
The other four charged are U.S. nationals: 23-year-old Ahmed Hossam Edin Elbadaway, known as AD; 20-year-olds Noah Michael Urban, aka Sosa and Elijah, and Evans Onyeaka Osiebo; and 25-year-old Joel Martin Evans, also known as joeleoli. Evans was picked up on November 19 in North Carolina, and Urban has been in custody since an earlier case.
These men face one count each of conspiracy to commit wire fraud, conspiracy, and aggravated identity theft. U.S. attorney Martin Estrada emphasized how this group took part in a complex scheme that stole intellectual property worth millions and compromised the personal information of countless individuals. He pointed out that as phishing scams get more sophisticated, people need to be extra careful about suspicious emails or texts.
FBI’s Akil Davis highlighted the victims they targeted, saying the defendants exploited personal details to break into cryptocurrency accounts and steal millions. He praised the cyber agents for identifying the group and noted the threat they posed to everyday people and their finances.
If convicted, each defendant could face up to 27 years in prison, with Buchanan staring down an additional 20 years just for the wire fraud charges.
The unsealed documents show that Scattered Spider’s attacks started in late 2021 and carried on for years, with the group adapting its tactics along the way. They sent out mass phishing SMS messages to employees, often pretending to be from the employees’ own companies or from IT service providers like Okta, itself another favorite target. These texts warned employees about account lockouts and directed them to fake websites where they unwittingly entered their credentials, and often their multifactor authentication codes as well.
With those credentials in hand, Scattered Spider accessed employee accounts, delving deeper into their IT systems to pilfer confidential data and personal information. They even deployed ransomware at times, partnering with the notorious ALPHV/BlackCat group.
The gang’s English fluency gave them an edge in the U.K. and U.S., making their communications more believable. They also used threats of real-world retaliation, scaring victims with consequences like job loss or even violence against them or their families.
William Wright, CEO of Closed Door Security, noted how these attackers blended their social engineering tactics with in-depth research about targeted employees. They even tracked someone on LinkedIn before reaching out to the IT helpdesk for password resets, following up with multi-factor authentication fatigue attacks to gain system access.
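The MFA fatigue step described above leaves a recognizable trace in authentication logs: a burst of push challenges to one user that are denied or time out, sometimes followed by an approval. The following detection sketch is an added example, not code from the article or from any company quoted in it; the log format, the five-minute window and the threshold of three rejections are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, user, push result.
SAMPLE_LOG = """\
2024-11-20T09:00:01Z alice PUSH_DENIED
2024-11-20T09:00:20Z alice PUSH_DENIED
2024-11-20T09:00:41Z alice PUSH_TIMEOUT
2024-11-20T09:01:05Z alice PUSH_DENIED
2024-11-20T09:01:30Z alice PUSH_APPROVED
2024-11-20T09:02:00Z bob PUSH_APPROVED
2024-11-20T10:15:00Z bob PUSH_DENIED
2024-11-20T11:15:00Z bob PUSH_DENIED
"""

REJECTED = ("PUSH_DENIED", "PUSH_TIMEOUT")


def parse(log_text):
    """Parse the assumed 'timestamp user result' format into (ts, user, result)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_mfa_fatigue(log_text, window=timedelta(minutes=5), min_rejections=3):
    """Return {user: (burst_start, approved_after_burst)} for each user who
    rejected at least `min_rejections` pushes inside one `window`.
    approved_after_burst is True when an approval landed in the same window,
    which is the case that needs immediate response (credentials and a
    second factor are both in the attacker's hands)."""
    per_user = defaultdict(list)
    for ts, user, result in sorted(parse(log_text)):
        per_user[user].append((ts, result))
    alerts = {}
    for user, events in per_user.items():
        for i, (start, _) in enumerate(events):
            burst = [(t, r) for t, r in events[i:] if t - start <= window]
            rejections = sum(1 for _, r in burst if r in REJECTED)
            if rejections >= min_rejections:
                approved = any(r == "PUSH_APPROVED" for _, r in burst)
                alerts[user] = (start, approved)
                break  # one alert per user is enough for triage
    return alerts
```

Bob's two denials an hour apart fall outside the window and are not flagged; only alice's burst, with the approval that followed it, produces an alert.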
Charles Carmakal, CTO at Google Cloud-owned Mandiant, spoke about the broader impact, stressing how these criminals inflicted severe pain and financial damage on organizations. He framed the recent law enforcement actions as a significant blow to Scattered Spider and a warning to others involved in these schemes.