The supposed ringleader of the cybercrime group responsible for hacking Twilio, LastPass, and Mailchimp has been arrested in Spain.
The UK citizen was allegedly the head of ‘Scattered Spider’, a hacking group linked to cyber-attacks on almost 130 organizations over the past two years.
Reports close to the investigation have revealed that Tyler Buchanan, 22, from Dundee, Scotland, is the accused.
As seen in the video below, Buchanan was arrested in Palma de Mallorca, Spain, where he was attempting to board a flight to Italy.
Arrested in #PalmadeMallorca: a young #cyberscammer responsible for the computer attack on 45 companies in the #USA ➡️ He was the leader of an organized group dedicated to stealing information from companies and #cryptocurrencies, and managed to take control of 391 #bitcoins worth… pic.twitter.com/cHzlsC2JZ4 — Policía Nacional (@policia) June 14, 2024
Local Spanish daily Murcia Today reported that “he [Buchanan] stands accused of hacking into corporate accounts and stealing critical information, which allegedly enabled the group to access multi-million-dollar funds.
“According to Palma police, at one point, he controlled Bitcoins worth $27 million.”
The 2022 Twilio Attack
The accused hacker, who went by aliases such as ‘Tyler’ and ‘tylerb,’ led the group that specialized in SIM-swapping attacks.
In these attacks, fraudsters would transfer the victim’s phone number to a device they control, allowing them to intercept text messages and phone calls intended for the victim.
One of the major companies affected by the Scattered Spider spree was Twilio, which suffered a data breach in the summer of 2022.
Hackers deceived Twilio employees into sharing their login credentials, compromising customer data, and enabling access to some internal systems.
It is estimated that the attack affected approximately 125 Twilio customers.
The attack started when employees received text messages claiming to be from Twilio’s IT department. The messages instructed them to log in to a fake URL to update expired passwords, which gave the attackers their new credentials.
In response, Twilio’s security team revoked access to the compromised accounts, provided additional security training, and implemented further measures to prevent future attacks.
However, a few months later, it was revealed that the company had actually suffered an additional cyber-attack a few days prior, when a Twilio employee fell victim to a voice phishing (or “vishing”) scam, allowing the hacker to access the contact information of a “limited number of customers.”
In a statement released by Twilio, the company played down the extent of the hack:
The threat actor’s access was identified and eradicated within 12 hours. Customers whose information was impacted by the June Incident were notified on July 2, 2022.
However, some may wonder why Twilio did not immediately disclose this incident, unlike the data breach on August 4, which was addressed transparently with clear information and next steps.
Instead, Twilio mentioned this “brief security incident” at the end of the report for another attack, which seems less transparent.
With the alleged mastermind behind the attacks now in custody, it will be interesting to see whether any additional information regarding the attacks comes to light.
For more on the 2022 breaches, read our article: Twilio Confirms a Second Phishing Attack