He is alleged to have been behind the September 2023 hack of Las Vegas casino operators Caesar’s Entertainment and MGM Resorts International, causing widespread disruption at some of the city’s most high-profile venues.
Buchanan, a Scot who is understood to have been remanded in custody after being detained while trying to take a charter flight between Spain and Italy, was charged this month alongside four American men, all of whom are below the age of 25.
Hacks continue
Last year, a 17-year-old from Walsall was also arrested in the UK in connection with the same Las Vegas hacks. West Midlands Police did not respond to a request for an update on his case.
Nonetheless, the arrests have not stopped the gang’s ongoing activities.
Scattered Spider is thought to have most recently targeted Marks & Spencer, forcing the multinational retailer to halt its online sales for the past five days.
The attack has wiped millions of pounds from the London Stock Exchange-listed company’s market value, even emptying shelves at some of its shops.
Aiden Sinnott, a senior threat researcher with cyber security company Sophos’ Secureworks unit, said that Scattered Spider is a “nihilistic” part of a much deeper online subculture that engages in “depraved and outrageous things”.
Murky scene
Known for attracting “English-speaking” teenagers and young men to its ranks, the gang first emerged on the murky cyber crime scene around June 2022.
“They’re not like a traditional [organised crime] group in that there’s no kind of structured hierarchy,” Sinnott said.
“In terms of personas and who’s behind them, it’s quite difficult to pin down, because it is kind of an online collective that operates behind usernames.”
The hack that affected M&S meant that the retailer was forced to stop accepting online orders.
The cyber security expert added that Scattered Spider is believed to be an offshoot of a much darker online community called The Com.
This group is known for its kudos-beats-all ethos, where its members attempt to one-up each other in the most horrible ways possible to gain online status and prestige.
Depraved acts
In this warped subculture, nothing is off limits – be it renting Russian ransomware to target a high-street retailer or even child abuse.
The Com’s members have been linked to claims that they would egg each other on to coerce children into performing depraved acts on webcam, up to and including self harm.
Using their advanced hacking skills, The Com’s members threatened to expose their victims to friends and family unless their demands were met.
“It just seems to be almost nihilistic – there’s no real financial motivation,” Sinnott said.
“It seems to be about gaining kudos within the group. And that kudos comes from doing increasingly depraved and outrageous things.”
Scattered Spider’s members, while closely linked to The Com, are thought to be more motivated by money and prestige for pulling off heists against high-profile companies.
Their British and American origins mean that, unlike when Russian cyber-criminals target the West, “they are within reach of law enforcement”, Sinnott said.
Cut of a ransom
Cyber-security experts believe that Scattered Spider has rented a piece of Russian-made hacking software – ransomware – called DragonForce.
In a ransomware attack, the attackers encrypt – forcibly scramble – business-critical computer files and then demand a hefty ransom to unscramble them again. DragonForce’s creators would expect a cut of the ransom as their fee for renting out the software to Scattered Spider.
Royal Mail, which was targeted by Russian hackers in 2021 amid similar circumstances, faced a £67 million ($151m) demand. It chose not to pay.
Most businesses choose not to pay the ransom in similar circumstances, although for some it is a less painful option than rebuilding entire corporate systems and processes from scratch.
Marks & Spencer has declined to comment on the cyber-attack to date.
