
2 Minute Drill

Scattered Spider's $27M Hacker Got Caught Reusing His Username | 2 Minute Drill With Drex DeFord

About This Episode

Tyler Buchanan grew up in Dundee, Scotland and became one of the most consequential cybercriminals in the English-speaking world. His method was almost insultingly simple: text messages. Posing as IT help desks, he sent phishing texts to employees at companies like Twilio, LastPass, Mailchimp, and DoorDash, directing them to convincing fake login pages that captured credentials and 2FA codes in real time.

Find out how he got caught in this 2 Minute Drill.

Remember, Stay a Little Paranoid


Transcript

Hey, everyone, I'm Drex, and this is the Two Minute Drill. It's great to see you today. Here's some stuff you might wanna know about.

There's a city on the east coast of Scotland. It's called Dundee. It's industrial, post-manufacturing, working class, not where you'd expect a major cyber crime story to start, but it's where Tyler Buchanan grew up. By his early twenties, Tyler had become one of the more consequential cyber criminals operating in the English-speaking world. His method was almost insultingly simple. He sent text messages. He'd send texts to employees at target companies like Twilio and LastPass and Mailchimp and DoorDash and dozens of others. And the message looked like it came from the IT help desk or from a contracted services provider. You know, "Your account's about to be locked. Your credentials need to be updated immediately. Click here." The link went to a phishing page that looked indistinguishable from the real login. The employee, not realizing they were being scammed, entered their username, password, and two-factor authentication code, and Tyler was able to use their credentials in real time with a tool he had running on the other end, allowing him to use the 2FA token before it expired. That's the method, a text message and a convincing webpage. It worked against some of the most recognizable names in technology.

Tyler did his work as part of Scattered Spider, a loose-knit cyber criminal group he was a senior member of. I've talked about this pack of cyber thugs on the show several times over the past few years. By the time it was over, Tyler personally admitted to taking at least eight million dollars. When Spanish authorities arrested him in June of twenty twenty-four trying to board a flight out of Madrid, they seized twenty-seven million dollars on the spot. He fled the UK the year before, but he wasn't running from law enforcement. He was running from rival criminals who had threatened him.

Here's how the investigation found him. Domain registrations. He'd used the same username and the same email address across multiple online accounts, including infrastructure he built for his criminal operations. Investigators pulled on that thread, and it led back to a UK internet address at the same handle over and over and over. The hacker who slipped past the security teams at Fortune five hundred companies got caught because he reused his username. He pled guilty. Sentencing is scheduled for August of this year. He faces up to twenty-two years in prison.

And here's kind of the healthcare piece. Your employees get texts like this one, the ones that Tyler sent. They get those constantly, and they're getting harder to distinguish from the real ones. The messages look right. The links look right. The login pages look exactly right. The people clicking on them aren't careless. They're busy. They're moving fast. They're on personal and work devices, and they've got a message just now that popped in that said that their account's about ready to be locked up. Healthcare is particularly exposed to this because urgency is a normal operating condition. A message that says act now doesn't feel unusual to a nurse manager between shifts or a department leader who's getting that message at six PM. Tyler's campaign targeted the human side of security and trust. It's the same target that exists in every healthcare system in the country.

So keep coaching your teams and share this story with them. I hope it helps. And drop me a note. Let me know what you're thinking. Let me know what you're working on. I'm always happy to hear from you. I'm drex@229project.com. Thanks for being here. Stay a little paranoid, and I will see you around campus.
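The transcript's investigative point is that a reused username and email address let investigators link phishing infrastructure (domain registrations) to the same person's other online accounts. The following is an added example of that pivot from the investigator's side; it is not code from the episode, the show, or any investigation it describes. Every record, handle, email and domain in it is constructed sample data, and the `Record` type and function names are assumptions made for the illustration. It generalizes the single pivot in the story into a small selector-clustering routine: records are joined whenever they share a normalized handle or email, so an alternate handle that reuses the same contact email still lands in the same cluster.

```python
"""Added example: clustering registration and account records by reused
selectors (handle, email). Not from the 2 Minute Drill episode; all data is
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    source: str        # where the record came from, e.g. "whois", "forum", "git"
    identifier: str    # domain name or account URL
    handle: str = ""   # registrant handle / account username
    email: str = ""    # registrant or contact email, may be absent


# Constructed sample data (hypothetical handles, emails and domains).
SAMPLE_RECORDS = [
    Record("whois", "it-helpdesk-login.example", handle="sk8rdude99", email="sk8rdude99@mail.example"),
    Record("whois", "sso-verify-portal.example", handle="sk8rdude99"),
    # Different handle, but the same contact email ties it to the cluster.
    Record("whois", "account-lock-notice.example", handle="sk8r_alt", email="sk8rdude99@mail.example"),
    Record("forum", "forum.example/u/sk8rdude99", handle="sk8rdude99"),
    Record("git", "git.example/sk8rdude99", handle="sk8rdude99", email="sk8rdude99@mail.example"),
    # Unrelated registrations that should stay in their own clusters.
    Record("whois", "janes-bakery.example", handle="janebaker", email="jane@bakery.example"),
    Record("whois", "cdn-assets.example", handle="ops-team", email="hostmaster@cdn-assets.example"),
]


def _selectors(rec):
    """Normalized (kind, value) selectors that can link this record to others."""
    out = []
    if rec.handle.strip():
        out.append(("handle", rec.handle.strip().lower()))
    if rec.email.strip():
        out.append(("email", rec.email.strip().lower()))
    return out


def cluster_by_selectors(records):
    """Union-find over records: two records are joined when they share a selector.
    Returns clusters (lists of Record) sorted largest first."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # selector -> index of first record carrying it
    for idx, rec in enumerate(records):
        for sel in _selectors(rec):
            if sel in first_seen:
                union(first_seen[sel], idx)
            else:
                first_seen[sel] = idx

    groups = defaultdict(list)
    for idx, rec in enumerate(records):
        groups[find(idx)].append(rec)
    clusters = [sorted(g, key=lambda r: r.identifier) for g in groups.values()]
    return sorted(clusters, key=len, reverse=True)


def cross_source_clusters(records):
    """Clusters spanning at least two record sources, e.g. WHOIS data for
    phishing domains linked to a personal forum or code-hosting account."""
    return [c for c in cluster_by_selectors(records) if len({r.source for r in c}) >= 2]


def shared_selectors(cluster):
    """Selectors that occur in two or more records of the cluster."""
    counts = defaultdict(int)
    for rec in cluster:
        for sel in set(_selectors(rec)):
            counts[sel] += 1
    return sorted(sel for sel, n in counts.items() if n >= 2)


if __name__ == "__main__":
    for cluster in cross_source_clusters(SAMPLE_RECORDS):
        print("cluster linked by", shared_selectors(cluster))
        for rec in cluster:
            print(f"  [{rec.source}] {rec.identifier}")
```

Run as a script, it prints one cross-source cluster: the three phishing-style domains plus the forum and code-hosting accounts, linked by the `sk8rdude99` handle and its email. The two unrelated registrations stay as singletons and are not reported. In practice the selectors would come from registration records, account metadata and other sources an investigator is authorized to query; the clustering logic is the same.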
