Cops cuff 22-year-old Brit suspected of being Scattered Spider leader

Spanish plod make arrest at airport before he jetted off to Italy

Spanish police arrested a person they allege to be the leader of the notorious cybercrime gang Scattered Spider as he boarded a private flight to Naples.

It's the fruit of an investigation that began in May 2023 after the Los Angeles branch of the FBI requested information on the man, who hasn't yet been named, on becoming aware that he was spending time in Spain.

The suspect is described as a 22-year-old British national who first entered Spain through Barcelona's El Prat airport in May last year. The alleged ringleader is claimed to be linked to attacks on 45 companies in the US.

Scattered Spider's greatest hits include the massive SIM-swapping attack against Okta and the digital Ocean's Eleven targeting Las Vegas casinos last year.

The casino heists proved to be the final straw for the FBI, which soon announced that it would be funneling "significant" resources into ensnaring Scattered Spider members, before recently teasing that the bureau was getting closer to achieving its goal.

The unnamed Brit was arrested and detained at Palma airport on May 31 following the issue of an international arrest warrant in California. Police seized a laptop and a mobile phone, but it's not clear what, if anything, has come from this.

The man is, however, thought to have amassed a fortune through cybercrime, earning him an estimated 391 Bitcoins – a touch under $26 million at Monday's exchange rate.

Noah Michael Urban is the only other suspect alleged to be a Scattered Spider member to be cuffed by authorities. The 19-year-old was arrested on January 9 this year and faces multiple wire fraud and aggravated identity theft charges.

Law enforcement alleges Urban is known in certain underground circles by many different aliases, including Sosa, King Bob, Elijah, and Anthony Ramirez, and is thought to have earned around $800,000 from cybercrime between 2022 and 2023.

Scattered Spider is widely thought to be comprised of young adults roughly in the 19-22 age range and located across the US and UK.

Being native English speakers is perhaps why the group started off as a SIM-swapping gang, able to convincingly assume victims' identities and manipulate mobile network support staff into transferring the control of devices to the criminals.

From there, the group switched to ransomware, as evidenced by the attack on MGM Resorts and Caesars Entertainment last summer. Contrary to the Spanish police's description, Mandiant previously estimated the number of Scattered Spider victims to exceed 100 as of September 2023.

Nowadays, the group is focusing more on pure extortion – data theft and ransom demands without the deployment of a ransomware locker. It's a move that's thought to have supported the gang's efforts to attack a more diverse pool of organizations.

FBI logo on a billowing flag

Casino cyberattacks put a bullseye on Scattered Spider – and the FBI is closing in


Despite the arrests, the gang continues to work and just last week another of its tradecraft evolutions was reported. It's now targeting vSphere and Azure to establish persistence through legitimate virtual machines. 

SaaS apps also seem to have been targeted more often for data theft over the past ten months. The most valuable data is identified and lifted out into attacker-controlled cloud storage such as S3 buckets – a technique that offers efficiency and cost benefits for the baddies.

Unlike criminals residing in Russia and other areas without extradition treaties, if Scattered Spider is comprised of young people in the US and UK, they won't benefit from the same protections as their overseas counterparts. Both countries have stepped up efforts to stamp out cybercrime in recent years and are more than willing to make a public example of those who cause the most damage.

Criminals in the West, especially those who attract too much heat like Scattered Spider, are often dragged to the courts. Career cybercriminals in Russia, for example, are largely left alone unless they start targeting organizations in their own country, essentially enjoying a safe haven as long as the West is getting a tough time. ®

More about


Send us news

Other stories you might like