The Phone Call That Cost £300 Million: ScatteredSpider, DragonForce, and the Anatomy of 2026's Most Consequential Threat Actor Network
TL;DR: ScatteredSpider member Tyler Buchanan ("Tylerb") pleaded guilty April 21, 2026 to wire fraud and identity theft — the second criminal conviction in the most consequential English-language cybercrime network of the decade. Their most notable operation: a single vishing call against M&S's TCS helpdesk that triggered 46 days of operational disruption and £300 million in losses. DragonForce, the ransomware they deployed, remains independently active — posting 7+ new manufacturing and energy victims this week alone. Neither prosecution nor headline is slowing the underlying method: helpdesk social engineering that bypasses every technical control your organization has ever built.
Background: Who Is ScatteredSpider?
ScatteredSpider is not a traditional APT. There is no state sponsor. No Kremlin handler. No strategic geopolitical objective disguised as financially motivated ransomware. What ScatteredSpider represents is something arguably more dangerous: a diffuse, English-speaking, socially fluent criminal collective that has discovered the cheapest, most reliable attack vector in enterprise security — the human on the other end of a helpdesk phone.
The group operates under a half-dozen tracking names across the threat intelligence community. Mandiant calls them UNC3944. Microsoft uses Octo Tempest. The original phishing campaign that brought them to public attention in 2022 earned them the name 0ktapus — a reference to their systematic targeting of Okta identity infrastructure. CISA documented their standard playbook in advisory AA23-320A. The FBI has had active cases since at least 2023.
Their spiritual home is "The Com" — a sprawling, loosely organized community of English-speaking young hackers who congregate on Telegram, Discord, and darknet forums, compete publicly on leaderboards for the most impressive intrusions, and share tradecraft in a way that would make any threat intelligence analyst simultaneously impressed and alarmed. The Com is not an organization. It is a culture — and cultures are far harder to disrupt than organizations.
Members skew young. Tyler Buchanan was 22 when he was arrested. Noah Urban was 19 when charges were filed. Owen Flowers is 18 and awaiting trial in the UK. These are not seasoned intelligence operatives. They are teenagers and young adults who learned that social engineering at scale is more profitable than any other enterprise available to them — and who were correct.
The Tylerb Guilty Plea: What It Tells Us
On April 21, 2026, Tyler Robert Buchanan — known online as "Tylerb" — pleaded guilty in U.S. federal court to wire fraud conspiracy and aggravated identity theft. The 24-year-old Scottish national admitted to orchestrating tens of thousands of SMS phishing attacks in the summer of 2022 that breached at least a dozen major technology companies including Twilio, LastPass, DoorDash, and Mailchimp. From those breaches, the group harvested credentials that fueled SIM-swapping attacks draining over $8 million in cryptocurrency from individual investors.
Buchanan's timeline is instructive:
- February 2023: Fled the UK after a rival gang violently assaulted his mother at his Scotland residence and threatened him with a blowtorch over cryptocurrency wallet keys
- June 2024: Arrested by Spanish authorities in Palma de Mallorca attempting to board a flight to Italy
- April 2025: Extradited to U.S. federal custody
- April 21, 2026: Guilty plea; sentencing set for August 21, 2026, with a statutory maximum of 22 years
This is the second Scattered Spider guilty plea. Noah Michael Urban was sentenced to 10 years and ordered to pay $13 million in restitution. Three more alleged conspirators — Ahmed Elbadawy, Evans Osiebo, and Joel Evans — still face charges in U.S. courts. Two UK suspects, Owen Flowers and Thalha Jubair, face trial in June 2026 related to attacks on UK retailers, London transit, and U.S. healthcare providers.
The guilty plea is operationally significant for one reason: the prosecution timeline proves the group remained active long after initial indictments. Buchanan had been under investigation since at least 2023. The M&S breach happened in April 2025. The behavioral loop — identify, phish, vish, dwell, exfiltrate, detonate — continued uninterrupted through every law enforcement action until physical arrest created the only real disruption.
Technical Analysis: The M&S Kill Chain
The Marks & Spencer attack is ScatteredSpider's most thoroughly documented operation and the cleanest case study of their matured tradecraft. The full picture, pieced together from M&S disclosures, BleepingComputer reporting, Reuters, the Financial Times, and NCA/NCSC statements:
Stage 1 — Initial Access via Helpdesk Vishing (February 2025)
A ScatteredSpider operative called M&S's IT service desk, operated by Tata Consultancy Services (TCS). They impersonated an M&S employee and requested a password reset and MFA bypass on a targeted account. The TCS agent followed the verification protocol. The protocol was satisfied because the information required to satisfy it — name, employee ID, department, role — is aggregated from LinkedIn, data broker records, and prior breach datasets in minutes.
This is the fundamental flaw the attack exploits: verification questions authenticate knowledge, not identity. Any attacker with access to the right datasets can answer your verification questions. The challenge is not social engineering skill. It is open-source intelligence collection, and the tools for that have never been cheaper.
Stage 2 — Credential Escalation and NTDS.dit Exfiltration (February–April 2025)
With a valid credential and MFA bypassed, the attackers spent roughly two months inside M&S's infrastructure before triggering any visible disruption. Their movement was deliberate: they located and exfiltrated NTDS.dit — the Active Directory database that contains password hashes for every domain user.
NTDS.dit is the crown jewel of Windows enterprise environments. With it offline, attackers can crack hashes at GPU speed, recovering plaintext passwords for privileged accounts without generating any authentication events on the target network. Once those secondary credentials are in hand, the attackers can move laterally using only valid credentials — behavior virtually indistinguishable from normal operations to EDR tools calibrated for anomalous process injection, not anomalous login patterns.
ScatteredSpider's tradecraft is fundamentally living-off-the-land (LOTL): they use the organization's own tools — RDP, PSExec, legitimate remote monitoring software — with legitimate credentials. This is not a novel evasion technique. It is the reason EDR alone cannot stop them.
Stage 3 — Easter Weekend Disruption (April 19, 2025)
The first visible symptoms appeared during the Easter bank holiday weekend. Contactless payments failed intermittently across M&S's 1,049 UK stores. Click-and-Collect orders could not be fulfilled. Gift card systems went offline. These symptoms are consistent with attackers testing blast radius on critical operational systems while maintaining a strategic posture — confirming access to payment and order infrastructure before detonating ransomware.
Stage 4 — DragonForce Ransomware Detonation (April 24, 2025)
On April 24, attackers deployed DragonForce ransomware across M&S's core infrastructure. The group used a classic double-extortion pattern: encrypt systems and demand payment while simultaneously threatening to publish the stolen data.
The consequences were severe:
- 46 days of suspended online order fulfillment
- £300 million in lost operating profit (M&S Annual Results 2025)
- £500+ million in market cap destruction
- Four subsequent arrests
M&S's Chairman Archie Norman publicly confirmed the attack vector: a help desk impersonation call to TCS. The organization had the right EDR tools. The right identity platform. The right network monitoring. None of it mattered because the attacker was authenticated as a legitimate user before they ever touched a technical control.
DragonForce: Independent Actor, Same Ecosystem
DragonForce's connection to ScatteredSpider is a deployment relationship: DragonForce was the ransomware-as-a-service (RaaS) operator that provided the payload. But DragonForce has since matured into an independently significant threat actor.
Current Activity (April 2026):
- Leading victim postings this week with seven entities primarily in manufacturing and energy across Switzerland and Germany
- CISA KEV listing confirmed DragonForce ransomware was deployed in campaigns exploiting SimpleHelp RMM vulnerabilities (CVE-2024-57726/57727/57728)
- Group operates what threat researchers at Cyble and CRIL describe as a full affiliate recruitment and training ecosystem, accelerating their operator throughput
DragonForce traces a trajectory common in the ransomware ecosystem: began as a pro-Palestinian hacktivist operation, pivoted to financially motivated ransomware with a growing affiliate base, and is now a top-five ransomware operator by victim volume for Q1 2026. The banner changed; the infrastructure and talent pipeline did not. This is the standard ransomware lifecycle — disruption rebrands, affiliates migrate, operations continue.
Key DragonForce TTPs (current):
- Initial access via RMM software exploitation (SimpleHelp, ConnectWise)
- Helpdesk social engineering for credential harvest (convergence with ScatteredSpider methods)
- Double extortion with aggressive naming on leak site
- Focus on manufacturing, energy, retail, and e-commerce targets
- Active expansion in European markets (DE/CH concentration this week)
IOCs / Indicators of Compromise
Note: ScatteredSpider IOCs are inherently ephemeral given their reliance on living-off-the-land tradecraft and social engineering rather than persistent malware infrastructure. The following represent known indicators from attributed campaigns:
Infrastructure Patterns:
- Phishing domains mimicking enterprise identity providers (Okta, Microsoft, Duo): typically registered via NameCheap, often using the target organization's name with minor variations (company-it-helpdesk[.]com, company-sso-portal[.]com)
- SMS phishing (smishing) delivery via bulk SMS platforms to corporate mobile numbers
- Use of Ngrok, Tailscale, and legitimate remote access tools for tunneled C2
Behavioral Indicators:
- Anomalous helpdesk tickets: password reset requests combined with MFA disable requests on the same account within short windows
- New device enrollment immediately following password reset (identity provider logs)
- NTDS.dit access via ntdsutil or VSS shadow copy enumeration
- Large volume lateral movement using harvested domain admin credentials within 24-48h of first valid access
- Deployment of legitimate RMM agents (AnyDesk, ScreenConnect) to maintain persistence
DragonForce-Specific Indicators:
- Encrypted files with .dragonforce_encrypted extension
- Ransom note: READTHIS.html dropped in encrypted directories
- Use of SimpleHelp-exploited initial access vectors (patch CVE-2024-57726/57727/57728 immediately)
Lyrie Take
ScatteredSpider represents the adversarial proof-of-concept that your $10M security stack can be bypassed by a phone call. The M&S breach is not an outlier — it is the template. MGM Resorts. Caesars Entertainment. Twilio. Cloudflare (attempted). The pattern is identical because the root cause is identical: identity verification built on knowledge factors that are publicly available.
The DragonForce connection illustrates a second structural problem: ransomware operators are now ecosystems, not tools. The payload is interchangeable. What matters is the affiliate network, the access-as-a-service supply chain, and the social engineering pipeline that feeds initial access. You can ban a ransomware hash. You cannot ban a phone call.
Lyrie's autonomous threat detection layer addresses both dimensions. At the identity layer: behavioral biometrics and out-of-band verification that cannot be spoofed by someone who knows your employee's name. At the network layer: machine-speed detection of NTDS.dit enumeration, anomalous shadow copy operations, and mass credential harvest patterns — the dwell behaviors that give groups like ScatteredSpider their operating window. In the M&S case, the window between initial access and ransomware detonation was 46 days. Lyrie closes that window in minutes, not months.
Defender Playbook
Immediate (24-48h):
1. Audit your helpdesk verification protocol. Remove knowledge-based verification for any action that grants credential reset or MFA bypass. Replace with cryptographic verification (FIDO2 token, push to known device, manager approval chain).
2. Enable NTDS.dit access alerting. Monitor for ntdsutil, vssadmin, esentutl execution against domain controllers. Any shadow copy operation on a DC outside a backup window should be an immediate P1 alert.
3. Patch SimpleHelp RMM. CVE-2024-57726, -57727, -57728 are CISA KEV-listed and actively exploited by DragonForce affiliates. If you are running SimpleHelp, update now.
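The following is an added example, not code from the original post or from Lyrie's product, showing how playbook item 2 and the NTDS.dit behavioral indicator above can become a concrete detection: it triages process-creation events from domain controllers for ntdsutil, vssadmin and esentutl, and escalates shadow copy operations outside the backup window to P1. The event field names, the DC host list, the backup window and all sample events are assumptions constructed for the example.

```python
# Added example, not from the original post: triage DC process-creation events
# for the tooling the post names (ntdsutil, vssadmin, esentutl); P1 on shadow
# copies outside the backup window.
from datetime import datetime, time

# Assumptions: events resemble Windows 4688 / Sysmon Event 1 records; DC host
# names and the nightly backup window are supplied by the defender.
DC_HOSTS = {"dc01", "dc02"}
BACKUP_WINDOW = (time(1, 0), time(3, 0))
SUSPECT_IMAGES = {"ntdsutil.exe", "vssadmin.exe", "esentutl.exe"}

def in_window(ts, start, end):
    """Time-of-day check that also handles a window crossing midnight."""
    t = ts.time()
    return start <= t < end if start <= end else (t >= start or t < end)

def triage(events, dc_hosts=DC_HOSTS, window=BACKUP_WINDOW):
    """Return one alert dict per suspect event seen on a domain controller."""
    alerts = []
    for e in events:
        if e["host"].lower() not in dc_hosts:
            continue  # only DCs hold NTDS.dit; workstation vssadmin is out of scope here
        image = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["cmdline"].lower()
        if image not in SUSPECT_IMAGES and "ntds.dit" not in cmd:
            continue
        shadow_op = image == "vssadmin.exe" or "shadow" in cmd
        if shadow_op and in_window(datetime.fromisoformat(e["time"]), *window):
            sev, why = "P3", "shadow copy inside backup window: review"
        elif shadow_op:
            sev, why = "P1", "shadow copy on DC outside backup window"
        else:
            sev, why = "P1", image + " run against the AD database"
        alerts.append({"severity": sev, "host": e["host"], "time": e["time"], "reason": why})
    return alerts

def ev(host, t, image, cmd):
    return {"host": host, "time": t, "image": image, "cmdline": cmd}

SYS = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [  # constructed telemetry, not real indicators
    ev("DC01", "2025-04-01T02:10:00", SYS + "vssadmin.exe", "vssadmin create shadow /for=C:"),
    ev("DC01", "2025-04-01T14:32:00", SYS + "vssadmin.exe", "vssadmin create shadow /for=C:"),
    ev("DC02", "2025-04-01T14:35:00", SYS + "ntdsutil.exe", "ntdsutil ifm create full C:\\Temp\\x"),
    ev("WKS07", "2025-04-01T14:40:00", SYS + "vssadmin.exe", "vssadmin list shadows"),
    ev("DC01", "2025-04-01T09:00:00", SYS + "svchost.exe", "svchost.exe -k netsvcs"),
]
```

Running `triage(SAMPLE_EVENTS)` yields a P3 for the in-window shadow copy, a P1 for the afternoon shadow copy on DC01, and a P1 for ntdsutil on DC02; the workstation and svchost events are ignored.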
Short-term (1-2 weeks):
4. Deploy identity threat detection (ITDR). Enrich SIEM with identity telemetry from your IdP. Alert on: new device enrollment following password reset within the same session, MFA enrollment from a new device without prior authentication history, admin account access from geolocation anomalies.
5. Implement helpdesk call recording and review. Create a review queue for any ticket involving credential reset + MFA disable combinations. A 15-minute review cycle would have caught the M&S initial access vector.
6. Tabletop: "Attacker has valid credentials." Run a purple team exercise assuming the attacker already has domain user credentials. Your controls should still catch them. If they don't, you have the same gap M&S had.
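As an added example (not from the original post or from Lyrie's product), the correlation rules from the Behavioral Indicators list and playbook item 4 in working form: helpdesk tickets and IdP events for one account are joined into a single stream, and a password reset followed by an MFA disable or a new device enrollment within a short window, or an MFA enrollment from a device with no prior successful login, raises an alert. The field names, the 30-minute window and the sample events are constructed assumptions.

```python
# Added example, not from the original post: correlate helpdesk tickets and
# IdP events per account to surface the reset/MFA/enrollment sequences above.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumption: the "short window" for the sequences
# (earlier action, later action) on the same account within WINDOW -> alert
SEQUENCES = {
    ("password_reset", "mfa_disable"): "reset + MFA disable on one account",
    ("password_reset", "device_enrollment"): "new device enrolled right after reset",
}

def correlate(events, window=WINDOW):
    """Events: dicts with time (ISO 8601), user, source, action, device."""
    alerts, history, seen = [], defaultdict(list), defaultdict(set)
    for e in sorted(events, key=lambda x: x["time"]):
        t, user = datetime.fromisoformat(e["time"]), e["user"]
        action, dev = e["action"], e["device"]
        for prev_t, prev_action in history[user]:
            rule = SEQUENCES.get((prev_action, action))
            if rule and t - prev_t <= window:
                alerts.append({"user": user, "time": e["time"], "rule": rule})
        if action == "mfa_enrollment" and dev not in seen[user]:
            alerts.append({"user": user, "time": e["time"],
                           "rule": "MFA enrolled from device with no login history"})
        if action == "login_success":
            seen[user].add(dev)  # devices that have authenticated before
        history[user].append((t, action))
    return alerts

def ev(time, user, source, action, device=None):
    return {"time": time, "user": user, "source": source, "action": action, "device": device}

SAMPLE_EVENTS = [  # constructed telemetry, not real data
    ev("2025-02-03T08:00:00", "alice", "idp", "login_success", "dev-A"),
    ev("2025-02-03T10:00:00", "alice", "helpdesk", "password_reset"),
    ev("2025-02-03T10:05:00", "alice", "helpdesk", "mfa_disable"),
    ev("2025-02-03T10:12:00", "alice", "idp", "device_enrollment", "dev-Z"),
    ev("2025-02-03T10:13:00", "alice", "idp", "mfa_enrollment", "dev-Z"),
    ev("2025-02-03T08:00:00", "bob", "idp", "login_success", "dev-B"),
    ev("2025-02-03T08:30:00", "bob", "idp", "mfa_enrollment", "dev-B"),
    ev("2025-02-03T09:00:00", "bob", "helpdesk", "password_reset"),
    ev("2025-02-03T16:00:00", "bob", "idp", "device_enrollment", "dev-B"),
]
```

`correlate(SAMPLE_EVENTS)` raises three alerts for alice (reset then MFA disable, reset then new device, MFA enrolled from an unseen device) and none for bob, whose enrollment came seven hours after the reset from a device with login history.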
Strategic:
7. Transition away from SMS-based MFA. ScatteredSpider's SIM-swapping capability makes SMS-based second factors a liability, not a control. FIDO2 passkeys are the floor.
8. Third-party helpdesk SLAs must include identity verification standards. TCS following "the protocol" was the failure point at M&S. Outsourced helpdesks require contractual verification standards with audit rights.
Sources
1. Krebs on Security — "'Scattered Spider' Member 'Tylerb' Pleads Guilty" (April 21, 2026): krebsonsecurity.com/2026/04/scattered-spider-member-tylerb-pleads-guilty/
2. Trusona Blog — "A Phone Call, 46 Days, and £300 Million: Reconstructing the Breach That Brought Down M&S" (April 2026): trusona.com/blog/ms-scatteredspider-attack
3. BleepingComputer — "British Scattered Spider hacker pleads guilty to crypto theft charges" (April 2026): bleepingcomputer.com/news/security/british-scattered-spider-hacker-pleads-guilty-to-crypto-theft-charges/
4. The Register — "US gets second Scattered Spider-linked guilty plea" (April 20, 2026): theregister.com/2026/04/20/scattered_spider_linked_scot_plead_guilty/
5. PurpleOps — "Ransomware Activity Tracker 2026": purple-ops.io/blog/ransomware-tracker-2026
6. The Hacker News — "CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline" (April 2026): thehackernews.com/2026/04/cisa-adds-4-exploited-flaws-to-kev-sets.html
7. CISA Advisory AA23-320A — "Scattered Spider" (October 2023): cisa.gov/news-events/cybersecurity-advisories/aa23-320a
8. Swiss Cyber Institute — "10 of the most notorious ransomware groups in 2026": swisscyberinstitute.com/blog/10-most-notorious-ransomware-groups-2026/
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.