John Leyden
Senior Writer

Scattered Spider arrest in Spain unlikely to stop cybercrime group

News
18 Jun 2024 · 4 mins
Cybercrime

Expect only a short-term reduction in attacks on enterprises from the group, warns former FBI agent.


Threat intel experts predict that the activities of the infamous Scattered Spider cybercrime group will likely continue even after the arrest of an alleged ringleader in Spain.

A 22-year-old British man believed to be the ringleader of Scattered Spider was arrested in Palma de Mallorca, Spain, as he tried to board a flight on a private plane to Naples, Italy.

Spanish authorities have yet to name the man but said the suspect is linked to attacks on 45 companies in the US. Police seized a laptop and a mobile phone from the suspect, who is alleged to have amassed a fortune of 391 bitcoins ($27 million) from the proceeds of cybercrime.

Neither the Policía Nacional, Spain’s national police force, nor the Spanish Interior Ministry returned requests for comment from CSOonline.com on the arrest, which was made on 31 May in response to a request from US authorities.

The suspect, a person of interest in an FBI-led investigation since May 2023, faces potential extradition proceedings.

Another suspected member of Scattered Spider, 19-year-old Noah Michael Urban, was arrested in Florida in January. Urban faces multiple wire fraud and aggravated identity theft charges. His alleged crimes resulted in the theft of at least $800,000 from five different victims, US prosecutors allege.

Arachnophobia

Scattered Spider is a loose collective of predominantly English-speaking cybercriminals thought to be from the US, Canada and the UK.

The group initially gained notoriety two years ago after a series of SMS phishing attacks and data breaches at major companies like Twilio, LastPass and DoorDash in 2022.

They later expanded into ransomware attacks, including a debilitating attack on MGM Resorts in Las Vegas last year that caused more than $100 million in losses.

Despite recent arrests, Scattered Spider remains an active cybercrime threat due to its diffuse structure and continual evolution of tactics. Some members of the group have also reportedly aligned their activities with the RansomHub ransomware group, which is a spinoff of the ALPHV/BlackCat group.

“There is no doubt the [latest] arrest will sow distrust and uncertainty throughout the group’s operations in the short-term,” Michael McPherson, senior vice president of security operations at ReliaQuest and a former FBI special agent, told CSOonline.com.

“Although the group undoubtedly maintained some level of operational security by not revealing their true identities to one another, it is likely that intelligence obtained from the latest arrest will lead to the identification of more group members,” he said.

Law enforcers know that they are unlikely to be able to arrest every member of Scattered Spider but they can sow the seeds of distrust and paranoia.

“While this uncertainty persists, the group’s activities will likely result in a short-term reduction in their output,” McPherson said. “However, if the international law enforcement is unable to sustain this pressure on the group by conducting follow-on arrests it is likely that the group will view the arrest merely as a speed bump and either move forward under new leadership or restart their operations.”

Robert McArdle, director of forward threat research at Trend Micro, was less confident that the arrests will necessarily result in Scattered Spider going to ground.

Criminal groups tend not to be tightly organised like a company or sports team but more like a collection of individuals that come together to collaborate for a period of time.

“They can and will take on additional roles in the structure where gaps for positions like a current leader, recruiters, PR or others may appear,” McArdle explained. “If one person is removed from that setup due to arrest or falling out, the group adapts quite easily to redistribute roles.”

It’s only when a group’s reputation or setup is massively affected by infighting, or their model is no longer profitable, that they will look to spin off or re-brand, according to McArdle.

“Scattered Spider is likely to go undisrupted for the time being and continue to pose a threat to the same channels they have previously targeted,” he concluded.
