Before getting into the article, a quick clarification. Scattered Spider is part of a broader cybercriminal community known as “The Com.” You may see it misread or misheard as “calm,” but the correct term is “Com” (C-O-M). Think of it as short for “community,” and the terminology makes more sense.
Multiple outlets are reporting about a man in the UK who was arrested in Spain and transported to the U.S. to face charges.
All of the articles indicate that he could face up to 20 to 22 years, but apparently, because he’s cooperating, he could get a lighter sentence.
The opening paragraph says:
A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors.
Depending on the law, sentencing for millions of dollars can vary, I get it, but cybercrime has not really caught up to the times.
Buchanan’s hacker handle “Tylerb” once graced a leaderboard in the English-language criminal hacking scene that tracked the most accomplished cyber thieves. Now in U.S. custody and awaiting sentencing, the Dundee, Scotland native is facing the possibility of more than 20 years in prison.
We don’t know how this will ultimately play out at sentencing, despite the ‘20-year’ headline. I bet he won’t even get close to 20 years. Based on recent cases, it’s unlikely he will come anywhere near that number. My hunch is that he’ll get somewhere between 5 and 10, including time served. If that’s the case, it’ll be 4-9 years, if that. That’s what I’ve seen as of late; we’ll see what actually happens when sentencing happens in August.
This blog post, titled “You’ve got to be kidding me … we have a sentence … but wait till you see this,” goes into detail about another suspect that is supposed to get at least 20 years for potentially similar crimes. The two cases may not be exactly the same, but both this article and the one I link to there indicate that the possibility is there.
The article continues:
Scattered Spider is the name given to a prolific English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access.
We’ve covered Scattered Spider through the years, and you’re welcome to search it out through this blog.
They’ve done a lot of damage, and I understand cooperation is key when it comes to investigations, but the sentencing being somewhere between 5 and 10 years for cases like this and the one I linked to is the outcome.
This is part of why these groups continue operating—the perceived risk versus outcome doesn’t always align with the scale of the crime. I understand that’s how the justice system works, but if you write 20 plus years, and the actor or suspect gets less, it makes the writing look good.
There have only been two cases that are known to have long sentencing guidelines. One is a gentleman by the name of Roman Seleznev. He is serving a 27-year sentence because he did not cooperate with authorities and stole millions of credit and debit cards throughout his criminal career.
This was a 2017 article BTW that we linked to.
The second goes all the way back to 2013. This gentleman’s name is Ross William Ulbricht, who was arrested in San Francisco.
The blog post is titled “Feds Take Down Online Fraud Bazaar ‘Silk Road’, Arrest Alleged Mastermind.”
When you look at these two cases, this should be the standard, and I completely understand why in some cases it isn’t that way.
The problem I have is that all of these articles in recent times state that people can get a large amount of time, but the justice system then does something else.
Continuing to break down this article, it says:
FBI investigators tied Buchanan to the 2022 SMS phishing attacks after discovering the same username and email address was used to register numerous phishing domains seen in the campaign. The domain registrar NameCheap found that less than a month before the phishing spree, the account that registered those domains logged in from an Internet address in the U.K. FBI investigators said the Scottish police told them the address was leased to Buchanan throughout 2022.
This paragraph goes back to my rant in regards to why registrars and/or the hosting providers don’t take responsibility for abuse. I get the fact that domains should be bought until otherwise proven, but while legitimate businesses may purchase domains in bulk, patterns like this—dozens of domains tied to a single campaign—raise questions about how abuse
Unless you’re a business, you and I would not be buying say 30-50 domains at one time to eventually be used for whatever they’re used for.
As first reported by KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023, after a rival cybercrime gang hired thugs to invade his home, assault his mother, and threaten to burn him with a blowtorch unless he gave up the keys to his cryptocurrency wallet. That same year, U.K. investigators found a device at Buchanan’s Scotland residence that included data stolen from SMS phishing victims and seed phrases from cryptocurrency theft victims.
The seed phrase is the way into the wallet, and of course we know that crypto is now traceable if you know how.
Buchanan is the second known Scattered Spider member to plead guilty. Noah Michael Urban, 21, of Palm Coast, Fla., was sentenced to 10 years in federal prison last year and ordered to pay $13 million in restitution. Three other alleged co-conspirators — Ahmed Hossam Eldin Elbadawy, 24, a.k.a. “AD,” of College Station, Texas; Evans Onyeaka Osiebo, 21, of Dallas, Texas; and Joel Martin Evans, 26, a.k.a. “joeleoli,” of Jacksonville, North Carolina – still face criminal charges.
Two other alleged Scattered Spider members will soon be tried in the United Kingdom. Owen Flowers, 18, and Thalha Jubair, 20, are facing charges related to the hacking and extortion of several large U.K. retailers, the London transit system, and healthcare providers in the United States. Both have pleaded not guilty, and their trial is slated to begin in June.
Investigators say the Scattered Spider suspects are part of a sprawling cybercriminal community online known as “The Com,” wherein hackers from different cliques boast publicly on Telegram and Discord about high-profile cyber thefts that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.
You can also search for “The Com” to see if any matches are out there on the blog too. But yes, we’ll see what each sentence is if at all possible.
Brian Krebs wrote the article we quoted from, and it’s titled “‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty.”
Other outlets have also written about this, and one of the outlets is Cyberscoop. Its article may go into more detail about what is going on. Each article you find may also cover this in a different way.
Cyberscoop’s article is titled “Scottish man pleads guilty to attack spree that created Scattered Spider’s notoriety.”
I found another piece of coverage about this on Bleeping Computer.
I guess we’ll see how everything plays out over time.
Feel free to comment. The boards await you.