The suspected ringleader of the hacking collective known as Scattered Spider, blamed for a series of high-profile incidents, has reportedly been arrested in Spain.

Spanish newspaper Murcia Today reported that a 22-year-old British man was detained at Palma Airport, in a joint operation between the Spanish police and the FBI, as he prepared to board a flight to Italy.

The man’s name has not officially been released by Spanish authorities and no charging documents have been unsealed in the United States.

Scattered Spider poses a unique challenge for law enforcement, structured more as a collective than in the style of other financially motivated threat groups such as the cybercrime organizations based in Russia.

“Law enforcement has made another major move with this arrest,” said Rafe Pilling, the director of threat intelligence at Secureworks Counter Threat Unit. “There’s still a long way to go but the blows keep coming for the cyber criminal gangs right now.”

The hackers have been blamed for a paralyzing cyberattack in 2023 on the casino giant MGM Resorts which, in addition to its namesake, operates several properties in Las Vegas including Mandalay Bay, the Bellagio, the Cosmopolitan and the Aria.

For days, everything from slot machines to restaurant management systems and even key cards for rooms was shut off due to the attack. The attack cost the company about $100 million, it told the Securities and Exchange Commission.

The hackers notoriously deployed social engineering in order to gain access to their target networks, including by SIM swapping and sending SMS phishing texts — a technique that allegedly helped the collective access the computer networks of Coinbase, Twilio, Mailchimp and LastPass.

The arrest follows that of another suspected hacker affiliated with the group, Noah Urban, 19, who was arrested in Florida in January.

“These groups have long felt untouchable, obfuscated by the complexities of the internet and the anonymity it offers, but the tables are turning,” added Pilling. “The interesting piece here is that the alleged perpetrators are operating from the UK and US where, unlike with Russian-speaking groups, law enforcement can reach them.”
