Ringleader of Scattered Spider Allegedly Arrested in Spain

Empire Market operators charged, Identities of MuddyWater and Darkbit leaders allegedly exposed, Hacker claims Snowflake accounts were accessed through third-party, LA county public health attack exposed personal data for more than 200K, Thousands of UK train riders were subject to Amazon facial recognition, Amazon planned to circumvent GitHub's scraping policies, Meta's AI models on a privacy hold in Europe, Proton moving to non-profit model, much more

Image by Hans from Pixabay

A UK man arrested in Spain last week is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years.

The Spanish daily Murcia Today reports the suspect was wanted by the FBI and arrested in Palma de Mallorca as he tried to board a flight to Italy. “He stands accused of hacking into corporate accounts and stealing critical information, which allegedly enabled the group to access multi-million-dollar funds,” Murcia Today wrote. “According to Palma police, at one point, he controlled Bitcoins worth $27 million.”

According to vx-underground, the man was a SIM swapper who went by the alias “Tyler.” Sources say the accused is a 22-year-old from Dundee, Scotland named Tyler Buchanan, also allegedly known as “tylerb” on Telegram chat channels centered around SIM-swapping.

In January 2024, US authorities arrested another alleged Scattered Spider member, 19-year-old Noah Michael Urban of Palm Coast, FL, and charged him with stealing at least $800,000 from five victims between August 2022 and March 2023. Urban allegedly went by the nicknames “Sosa” and “King Bob” and is believed to be part of the same crew that hacked Twilio and several other companies in 2022.

Investigators say Scattered Spider members are part of a more diffuse cybercriminal community online known as “The Com,” wherein hackers from different cliques boast loudly about high-profile cyber thefts that almost invariably begin with social engineering — tricking people over the phone, email, or SMS into giving away credentials that allow remote access to corporate internal networks.

One of Telegram's more popular SIM-swapping channels maintains a frequently updated leaderboard of the most accomplished SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That leaderboard lists Sosa as #24 (out of 100) and Tylerb at #65.

Sosa and Tylerb were both subjected to physical attacks from rival SIM-swapping gangs. These communities have been known to settle scores by turning to so-called “violence-as-a-service” offerings on cybercrime channels, wherein people can be hired to perform a variety of geographically specific “in real life” jobs, such as bricking windows, slashing car tires, or even home invasions.

In 2022, a video surfaced on a popular cybercrime channel purporting to show attackers hurling a brick through a window at an address that matches the spacious and upscale home of Urban’s parents in Sanford, FL.

According to several SIM-swapping channels on Telegram, where Tylerb was known to frequent, rival SIM-swappers hired thugs to invade his home in February 2023. Those accounts state that the intruders assaulted Tylerb’s mother in the home invasion and that they threatened to burn him with a blowtorch if he didn’t give up the keys to his cryptocurrency wallets. Tylerb was reputed to have fled the United Kingdom after that assault. (Brian Krebs / Krebs on Security)

Related: Murcia Today, Silicon Angle, Databreaches.net

US prosecutors have charged two men, Thomas Pavey and Raheim Hamilton, with operating a dark web market called Empire Market, where people around the world anonymously bought and sold more than $430 million worth of drugs, stolen information, counterfeit currency, and malicious computer programs.

US prosecutors charged the pair with conspiring together and with others to engage in drug trafficking, computer fraud, money laundering, and other crimes during their years running Empire Market.

The pair are being held in federal custody and were already facing charges for allegedly selling counterfeit currency on another dark web market, AlphaBay.

After “AlphaBay” was shut down in 2017, prosecutors say Pavey and Hamilton began running “Empire Market” and facilitated more than 4 million cryptocurrency transactions between 2018 and 2020.

The dark web bazaar allegedly advertised illicit goods and services, including heroin, stolen credit card information, and counterfeit currency. It allowed buyers to rate their shopping experience by “stealth,” according to court records.

Prosecutors said investigators seized cash, precious metals, and more than $75 million worth of cryptocurrency from the pair. (Jake Bleiberg / Bloomberg)

Related: US Department of Justice, The Crypto Times, FOX 32 Chicago, CoinDesk, CBS News, PC Mag, Hoodline

Iranian opposition news outlet Iran International purportedly obtained information that exposes the identities of those behind MuddyWater and Darkbit hacker groups affiliated with Iran's Intelligence Ministry and their cyberattacks against targets in Israel, Turkey, Egypt, Azerbaijan, the UAE, Iraq, Italy, Russia, Algeria and Saudi Arabia, among others.

According to the news website’s report (which is not easily accessible online), the Darkbit hacker group operates under the command of Amir-Hossein Fard Siahpoush, also known as Parsa Sarrafian, who runs the Ravin Academy, a US-sanctioned school that trains individuals in cyber security and hacking, and recruits from among these trainees for Iran's Intelligence Ministry.

The Darkbit group reportedly includes Seyyed Ali Emami, Pouria Kazemabadi Farahani, Ahmadreza Irani, Amin Dadashi, and Seyyed Hossein Siadat.

According to the information obtained by Iran International, three members of the MuddyWater hacker group, including Mohammad Khoshlahn, Younes Valiaei, and Mohammad-Reza Khoroush, serve as liaisons between the group and the Intelligence Ministry.

According to the report, the Darkbit group works under MuddyWater and operates from the same office building in Tehran. According to Iran International, Darkbit is the team in the MuddyWater array that operates against Israeli targets.

At the start of 2023, the hackers from this group carried out a cyber attack against the Technion in Haifa. At the beginning of 2024, they claimed to have attacked the systems of the Tel Aviv Municipality, the National Cyber System, and the Department of Mental Health at the Ministry of Health. They never presented evidence of these attacks. (Israel National News)

Related: Ynet, Matzav

Source: Reportedly Iran International.

Cloud storage firm Snowflake has not revealed how the hackers accessed the estimated 165 corporate accounts affected by a recent breach, saying only that the intruders did not directly breach Snowflake’s network. One of the Snowflake hackers, however, claims they gained access to some of the accounts via EPAM Systems, a publicly traded software engineering and digital services firm founded by Belarus-born Arkadiy Dobkin, with current revenue of around $4.8 billion.

The hacker says his group, ShinyHunters, used data found on an EPAM employee system to access some of the Snowflake accounts.

EPAM told WIRED that it does not believe it played a role in the breaches and suggested the hacker had fabricated the tale. ShinyHunters has been around since 2020 and has been responsible for numerous breaches since then involving stealing large troves of data and leaking or selling it online.

The hacker says a computer belonging to one of EPAM’s employees in Ukraine was infected with info-stealer malware through a spear-phishing attack. It’s unclear if someone from ShinyHunters conducted this initial breach or just purchased access to the infected system from someone else who hacked the worker and installed the infostealer. The hacker says that once on the EPAM worker’s system, they installed a remote-access Trojan, giving them complete access to everything on the worker’s computer.

Using this access, they say, they found unencrypted usernames and passwords that the worker used to access and manage EPAM customers’ Snowflake accounts, including an account for Ticketmaster. The hacker says the credentials were stored on the worker’s machine in a project management tool called Jira. The hackers were able to use those credentials, they say, to access the Snowflake accounts because the Snowflake accounts didn’t require multifactor authentication (MFA) to access them. (MFA requires that users type in a one-time temporary code in addition to a username and password, making accounts that use MFA more secure.)

While EPAM denies it was involved in the breach, hackers did steal data from Snowflake accounts, including Ticketmaster's, and have extorted the owners of the data by demanding hundreds of thousands, and in some cases more than a million, dollars to destroy the data or risk having the hackers sell it elsewhere.

The hacker provided WIRED with a file that appears to be a list of EPAM worker credentials lifted from the company’s Active Directory database after they gained access to the worker’s computer.

An independent security researcher who has been helping to negotiate the ransom transactions between the ShinyHunters hackers and victims of the Snowflake campaign pointed WIRED to an online repository of data harvested by an infostealer. It includes data siphoned from the computer of the EPAM worker in Ukraine that the hacker says was used to gain access to the Snowflake accounts. This stolen data includes the worker’s browser history, which reveals the worker’s complete name. It also includes an internal EPAM URL pointing to Ticketmaster’s Snowflake account and a plaintext version of the username and password that the EPAM worker used to access the Ticketmaster Snowflake account. (Kim Zetter / Wired)
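The chain described above ends with credentials that worked because the Snowflake accounts accepted a password alone. The audit a defender wants after reading this is a list of accounts whose successful logins used no second factor. The following is an added example, not code from Wired, Snowflake or EPAM: it runs that check over login records. The field names mirror the columns of Snowflake’s ACCOUNT_USAGE.LOGIN_HISTORY view as an assumption (IS_SUCCESS as the strings YES/NO, the factor columns as shown), and the rows, user names and IP addresses are constructed sample data, not real logs.

```python
"""Flag successful logins that were protected by a password only.

Added example. Field names mirror Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY
columns (an assumption); the rows below are constructed, not real logs.
"""
from collections import defaultdict

# Constructed sample rows with hypothetical users and documentation-range IPs.
SAMPLE_LOGINS = [
    {"user_name": "SVC_ETL", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES",
     "client_ip": "203.0.113.10"},
    {"user_name": "ALICE", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": "DUO_PUSH", "is_success": "YES",
     "client_ip": "198.51.100.5"},
    {"user_name": "BOB", "first_authentication_factor": "OAUTH_ACCESS_TOKEN",
     "second_authentication_factor": None, "is_success": "YES",
     "client_ip": "198.51.100.7"},
    {"user_name": "SVC_ETL", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "NO",
     "client_ip": "203.0.113.10"},
    {"user_name": "CAROL", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES",
     "client_ip": "192.0.2.44"},
    {"user_name": "CAROL", "first_authentication_factor": "PASSWORD",
     "second_authentication_factor": None, "is_success": "YES",
     "client_ip": "192.0.2.45"},
]


def password_only_logins(rows):
    """Return the successful logins whose only factor was a password.

    Failed attempts are skipped: they show someone trying, not an account
    that a stolen password alone would have opened.
    """
    return [
        r for r in rows
        if r["is_success"] == "YES"
        and r["first_authentication_factor"] == "PASSWORD"
        and not r["second_authentication_factor"]
    ]


def users_without_mfa(rows):
    """Map each user seen in a password-only login to the source IPs used.

    The IP set is what an analyst compares against the expected corporate
    or partner ranges when deciding whether a login was the legitimate
    user or someone replaying stolen credentials.
    """
    by_user = defaultdict(set)
    for r in password_only_logins(rows):
        by_user[r["user_name"]].add(r["client_ip"])
    return dict(by_user)


if __name__ == "__main__":
    for user, ips in sorted(users_without_mfa(SAMPLE_LOGINS).items()):
        print(f"{user}: password-only logins from {sorted(ips)}")
```

On the constructed sample, ALICE (password plus a Duo push) and BOB (an OAuth token rather than a password) are not reported; SVC_ETL and CAROL are, CAROL from two different addresses. The same filter expressed as a query over the real view is the natural next step once the field names have been confirmed against the account.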

The Los Angeles County Department of Public Health announced that a phishing attack in February allowed a hacker to gain log-in credentials of 53 employees, compromising the personal information of more than 200,000 people.

The attack through phishing emails took place between Feb. 19 and 20. After discovering the breach, the health department disabled the impacted email accounts, reset and re-imaged the users’ devices, blocked websites identified as part of the phishing campaign, and quarantined all suspicious incoming emails.

Additionally, notifications were distributed to all workforce members to remind them to be vigilant when reviewing emails, especially those including links or attachments. According to DPH, law enforcement was notified and investigated the incident.

The information identified in the potentially compromised email accounts may have included DPH clients’, employees’, and other individuals’ first and last names, dates of birth, diagnoses, prescriptions, medical record numbers/patient IDs, Medicare/Medi-Cal numbers, health insurance information, Social Security numbers, and other financial information.

The health department is notifying impacted individuals by mail. For individuals where a mailing address is not available, the department is also posting a notice on its website to provide information and resources. (City News Service)

Related: LA County Public Health, KCAL News, Databreaches.net

A cache of new documents obtained in response to a freedom of information request by civil liberties group Big Brother Watch reveals that thousands of people catching trains in the United Kingdom likely had their faces scanned by Amazon software as part of widespread artificial intelligence trials.

The image recognition system was used to predict travelers’ age, gender, and potential emotions, suggesting that the data could be used in future advertising systems.

During the past two years, eight train stations around the UK, including large stations such as London’s Euston and Waterloo, Manchester Piccadilly, and other smaller stations, have tested AI surveillance technology with CCTV cameras to alert staff to safety incidents and potentially reduce certain types of crime.

The extensive trials, overseen by rail infrastructure body Network Rail, have used object recognition, a type of machine learning that can identify items in video feeds, to detect people trespassing on tracks, monitor and predict platform overcrowding, identify antisocial behavior (“running, shouting, skateboarding, smoking”), and spot potential bike thieves. Separate trials have used wireless sensors to detect slippery floors, full bins, and drains that may overflow.

The AI trials used a combination of “smart” CCTV cameras that can detect objects or movements from images they capture and older cameras that have their video feeds connected to cloud-based analysis. Between five and seven cameras or sensors were included at each station, note the documents, which are dated from April 2023. One spreadsheet lists 50 possible AI use cases, although not all appear to have been used in the tests. One station, London Euston, was due to trial a “suicide risk” detection system, but the documents say the camera failed, and staff did not see the need to replace it due to the station being a “terminus” station.

The images were captured when people crossed a “virtual tripwire” near ticket barriers and were sent to be analyzed by Amazon’s Rekognition system, which allows face and object analysis. It could allow passenger “satisfaction” to be measured, the documents say, noting that “this data could be utilized to maximum advertising and retail revenue.” (Matt Burgess / Wired)

Use case matrix cited for CCTV systems. Source: Big Brother Watch via Wired.

According to an internal memo obtained by Business Insider, Amazon’s Artificial General Intelligence (AGI) Group outlined its need for “quantitative and qualitative metadata from GitHub” to advance its AI training efforts and called for circumventing GitHub’s scraping limits by encouraging its employees to create multiple GitHub accounts and share their access credentials.

GitHub’s rate limit allows only 5,000 requests per hour per account. With over 150 million public repositories on GitHub, accumulating sufficient data by traditional methods, without Amazon’s proposed “workaround,” would have taken years.

By leveraging a network of accounts simultaneously, Amazon aims to condense what would have been a multi-year endeavor into a matter of weeks. While Amazon’s actions may not legally constitute theft, they raise ethical concerns about data privacy, permission, and the appropriate use of platform resources. (Eray Eliaçık / Dataconomy)

Related: Business Insider

Security researcher Jeremiah Fowler reports that the UK health club and gym chain Total Fitness bungled its data protection responsibilities by failing to lock down a 47.7GB database containing members' personal data.

According to Fowler, more than 474,000 images of members and staff were stored in a database that was left unprotected and publicly accessible without a password.

The database also included a cache of images that revealed individuals' identity documents, bank and payment card information, phone numbers, and, in rare cases, immigration records.

The database, now locked down, was populated with various images, including shots of members' faces, submitted either by themselves while registering for memberships online or by staff registering members on-site.

Total Fitness said that members' images only comprised a "subset" of the total cache, whereas other files included shots of artifacts like merchandise and commercial imagery. Regarding the number of images in the database, the health club chain stressed that only a very small number of the images contained personally identifiable information (PII). (Connor Jones / The Register)

Related: VPN Mentor

The Victorian Racing Club in Australia, which has 30,000 members, confirmed that it was the victim of a “cyber incident,” a day after the Medusa ransomware operation claimed to be behind the attack.

While the VRC is investigating the data that may have been impacted, the Medusa gang claimed to have more than 100 gigabytes of data belonging to the club. After using the club’s own boilerplate to describe the victim, the gang said, “The total amount of data leakage is 128.1 GB”.

According to the Medusa gang’s darknet site, it is demanding a ransom of US$700,000 to delete the data. A countdown on the site currently lists a ransom deadline of approximately six days as of the time of writing.

Medusa is also offering to extend the deadline for a day for a payment of US$10,000. Additionally, anyone else can buy the data for US$700,000.

To prove the hack, Medusa shared several documents that appear to relate to gaming machines administered by Aristocrat Games and operated at the Headquarters Tavern, which is at Flemington Race Course. The data also includes financial details of gaming machines, prizes won by VRC members, customer invoices, marketing details, names, email addresses, and mobile phone numbers.

At least one of the email addresses belongs to an employee of SA Health, South Australia’s health department.

Much of the data appears to be historical – for instance, the email address of Bart Cummings, the deceased racing identity, is included in the sample data. However, some of the data appears to date to as recently as 2023. (David Hollingworth / Cyber Daily)

Related: Victoria Racing Club, IT Wire

Meta Platforms will not launch its Meta AI models in Europe after the Irish privacy regulator told it to delay its plan to harness data from Facebook and Instagram users.

Meta's move came after complaints and a call by advocacy group NOYB to data protection authorities in Austria, Belgium, France, Germany, Greece, Italy, Ireland, the Netherlands, Norway, Poland, and Spain to act against the company.

At issue is Meta's plan to use personal data to train its artificial intelligence (AI) models without seeking consent, although the company has said it would use publicly available and licensed online information.

Meta said the Irish privacy watchdog had asked it to delay training its large language models (LLMs) using public content shared by Facebook and Instagram adult users.

"We're disappointed by the request from the Irish Data Protection Commission (DPC), our lead regulator, on behalf of the European DPAs ... particularly since we incorporated regulatory feedback and the European DPAs have been informed since March," the company said. (Foo Yun Chee / Reuters)

Related: Noyb, Meta, TechCrunch, Bloomberg, The Verge, Business Insider, PYMNTS, Tech Xplore, The Register, Euractiv, IT Pro, r/technology, Channelnews, Tech Monitor, Ars Technica

Twenty-six industry groups across Europe warned that a proposed EU cybersecurity certification scheme (EUCS) for cloud services should not discriminate against Amazon, Alphabet's Google, and Microsoft ahead of a meeting by the European Commission, the EU cybersecurity agency ENISA, and EU countries.

The EUCS aims to help governments and companies choose a secure and trusted vendor for their cloud computing businesses.

A March version scrapped so-called sovereignty requirements from a previous proposal, which required US tech giants to set up a joint venture or cooperate with an EU-based company to store and process customer data in the bloc to qualify for the highest level of the EU cybersecurity label.

"We believe that an inclusive and non-discriminatory EUCS that supports the free movement of cloud services in Europe will help our members prosper at home and abroad, contribute to Europe's digital ambitions, and strengthen its resilience and security," the groups said in a joint letter to EU countries.

"The removal of both ownership controls and Protection against Unlawful Access (PUA) / Immunity to Non-EU Law (INL) requirements ensures that cloud security improvements align with industry best practices and non-discriminatory principles," they said.

The groups said it was crucial that their members have access to a diverse range of resilient cloud technologies tailored to their specific needs to thrive in an increasingly competitive global market.

The letter's signatures include the American Chamber of Commerce to the EU in the Czech Republic, Estonia, Finland, Italy, Norway, Romania, and Spain, as well as the European Payment Institutions Federation. (Foo Yun Chee / Reuters)

Related: Tech Radar, Techzine

Proton, the Swiss company behind a suite of privacy-focused apps such as ProtonMail, is following in the footsteps of Signal and Mozilla by transitioning to a new non-profit foundation model.

The newly established Proton Foundation will serve as the main shareholder of the existing corporate entity, Proton AG, which will continue as a for-profit company under the Foundation's auspices. According to CEO Andy Yen, this is designed to make the organization self-sustainable without relying on donations, grants, or commercial tie-ups with corporations.

“This change in governance does not signal a shift in how our core businesses are run,” Yen wrote in a blog post announcing the change today. “Proton is not profit-driven, but we still must retain profitability as a core objective because a cornerstone of safeguarding Proton’s mission is independence through self-sustainability.” (Paul Sawers / TechCrunch)

Related: Proton

Best Thing of the Day: Sure, Your Personal Data Were Exposed, But Not Your Credit Card Numbers

Cybersecurity expert Matt Palmer explains why the standard statement of “no credit card data was exposed” in the aftermath of a data breach points to the fact that companies are motivated enough to protect data, the exposure of which might cost them big money, but not motivated enough to protect personal data.

Worst Thing of the Day: Alexa, Have You Been Red-Pilled?

Voice assistants and AI chatbots by Amazon, Microsoft, and Google still won’t answer who won the 2020 US presidential election, returning strange answers instead.

Closing Thought
