Last week, as Marks & Spencer was grappling with the escalating chaos wreaked by hackers on its IT system, an outwardly unassuming young British man boarded a plane to the US. He wasn’t alone. Tyler Buchanan, 23, was in the company of American law enforcement officers, having spent the last ten months awaiting extradition on a catalogue of charges relating to his role as an alleged ringleader in a shadowy collective of international cyber criminals known as Scattered Spider. Scattered Spider is, of course, the very same group that is purported to be behind the devastating hack which has crippled the nation’s best-loved department store, wiping hundreds of millions off its market value and leading to the suspension of online sales for more than a week. While the M&S cyber attack is still being investigated, last night a group called DragonForce claimed it and its partners were behind this and similar attacks on Co-op and Harrods. There was no mention of Scattered Spider by name but experts told the Mail this is not surprising and does not rule out Scattered Spider’s involvement. Indeed from the start, the expert view has been that the network worked with DragonForce to hold the retailer to ransom. To date six people are known to have been arrested and directly connected to previous activity of Scattered Spider in the last year. Five of them have been charged and Buchanan is the only Briton. A second British teenager remains under investigation. In the US, authorities claim the gang perpetrated attacks on dozens of companies in the US, Canada, the UK and India in 2022. Buchanan was arrested in Spain last summer, having travelled from London to Barcelona and then on to Palma, Mallorca. He was about to fly to Naples when he was arrested at the airport and found to be in control of a cryptocurrency wallet totalling more than $26 million (£20million) in Bitcoin.
If there is such a thing as a stereotypical criminal operator, Buchanan’s appearance when he was escorted to a police car was not it. He wore low-slung jeans, a T-shirt, a pair of Nike trainers and carried a holdall. This week the Mail tracked down further pictures of the unlikely mastermind, who has yet to enter any pleas to the charges he faces. These show Buchanan as a chubby-faced schoolboy and, judging by the yellow badge on his uniform, someone considered responsible enough to be made a prefect at primary school. Yet he grew into a man suspected of wreaking lucrative global chaos, and all from a flat in the Scottish city of Dundee. Deemed a flight risk, Buchanan was denied bail when he appeared in court in California last Thursday. Assuming he has not been sitting on a laptop while awaiting extradition, he cannot, of course, be responsible for pushing the button on the M&S attack. But the reason Buchanan – this week described as more like a team captain, one of multiple ‘managers’ rather than a centralised boss – is so interesting, is that very little is known about the perpetrators of cyber raids, who are often young – even teenage – male hackers. This week, at his home on a housing estate on the outskirts of Dundee, Buchanan’s father Robert was adamant his child had nothing to do with Scattered Spider. But he agreed his son was a ‘computer whizz’. ‘[He’s been into that] since he was six years old, he has always been on his computers,’ Robert said. Computer whizz he may be, but Buchanan does not seem to have been slick at covering his tracks. He used the not terribly subtle handle ‘Tylerb’ across the numerous online channels he frequented. He had also, says the FBI, registered a phoney website as part of his endeavours, but he did so without hiding his home internet address. 
Detectives followed the cyber breadcrumbs straight to Dundee and Buchanan’s flat, where in April, 2023, Scottish police seized a vast collection of desktop computers, laptops, external storage devices and phones that allegedly contained the usernames and passwords of employees at targeted companies. According to court documents the modus operandi of Buchanan and his co-conspirators – he was charged alongside four American men, all younger than 25 – was phishing. This term describes how criminals ‘fish’ for access by luring people to engage with fake accounts, which then enables them to harvest login credentials and steal secure information to hack into virtual currency accounts. The end game? Not just the theft of millions of dollars in cryptocurrency but a kudos which is like a currency of its own among rival hacking groups. Another technique these criminals employ is ‘SIM swapping’, where the hacker tricks – or occasionally bribes – the employee of a phone company to transfer a customer’s number to a new SIM card, so they can intercept one-time passcodes used for logging in to networks. It’s no coincidence that Scattered Spider’s protagonists are English speaking, as this allows hackers to convincingly take on the guise of someone calling from IT support to iron out a tech hiccup that never really existed, or write a realistic phishing email or text message. As one security insider tells the Mail, cyber security hinges on three components: people, process and technology. All it takes is a breach in one of those and the door opens, as is likely to have happened with M&S. In this case, it’s suspected that hackers may have used DragonForce ransomware to extort money from the company. This is a type of malicious software that encrypts a system until a ransom is paid. M&S has maintained a carefully guarded silence on how it was targeted and what demands have been made to release its paralysed systems. But similar hacks in the past have led to demands for millions. 
Little wonder that computer giant Microsoft has described Scattered Spider – also known as UNC3944, Octo Tempest and Muddled Libra, to give but a few of its monikers – as ‘one of the most dangerous financial criminal groups’ operating today. It was a cyber heist on gaming giant MGM Resorts International, which operates more than 30 hotel and gaming venues around the world, in September 2023, that catapulted Scattered Spider into the public eye. Hackers brought MGM operations to a halt after they infiltrated the company’s management system and deployed ransomware. The company refused to pay and later reported total losses of around $100million (£75million). Casino operator Caesars Entertainment was also hacked, with the company paying out $15million (around £11million) to the hackers. No charges relating to those attacks have been brought. But it was in the wake of this controversy that the net started to close on Buchanan. What is perhaps even more alarming about the murky ecosystem that is Scattered Spider is its association with a wider, and darker, online community called The Com. But there has been no suggestion so far that Buchanan has any connection with these wider activities. Only two months ago, the National Crime Agency raised concerns about the network with government ministers, warning that children as young as 11 are being manipulated into carrying out vile tasks by figures lurking within The Com. In this warped subculture, nothing is off limits – including renting ransomware to target a high-street retailer, sextortion or child abuse. Zach Edwards, a senior analyst at cyber security firm Silent Push, which has closely monitored the threat posed by Scattered Spider, describes content that has been found within The Com as ‘really racist, misogynistic stuff.’ ‘[The Com] is not like one chat group, it’s a broad range of channels on private messaging apps,’ he says. ‘It has been around for around ten years, and it has been evolving.
There are communities of young people who are in various chat rooms across the internet. It’s become so widespread that if you’re 13 to 25-years-old and have access to a computer but haven’t been told the appropriate way to navigate relationships online, you can get sucked into these communities. It’s toxic behaviour.’ Evidence suggests a more sinister element, although one couched in immature teen speak. In a report published by Microsoft last October, Scattered Spider-linked hackers were quoted threatening to kill employees of one organisation unless they revealed their passwords. ‘If we don’t get ur... login in the next 20 minutes were sending a shooter to your house [sic],’ one message read. Then there is inter-community warfare, too. Investigative journalist Brian Krebs, who writes for his own website, Krebs On Security, has seen screenshots of encrypted messages discussing rumours that Buchanan himself was targeted by SIM-swapping rivals who invaded his home, assaulted his mother and threatened to burn him with a blowtorch. Although the Mail has seen no evidence the threat was carried through, it is indicative of this competitive online world. Brian says of the turf wars: ‘I think it’s pretty common these days, especially when you have some person or a small group make a big heist of tens or hundreds of millions. That’s hard to keep a lid on, particularly when you are talking about young men who like to brag about their exploits as a way of boosting their standing in the community. ‘The criminals behind the heists are tracking the attention and envy of other cyber criminals.’ He, like the other experts we have spoken to, says the people behind attacks attributed to the likes of Scattered Spider are, despite the impression given, not technical wizards. As Zach Edwards, of Silent Push, says: ‘They’re scooping up lots of people with stupid schemes, but they’re making lots of mistakes. They’re kids. 
‘It’s classic amateur stuff and they don’t understand how IP addresses are tracked.’ So just how many hackers lurk within these communities? Allison Nixon, chief research officer with the cybersecurity firm Unit 221B, says that while numbers in The Com are in the thousands, by contrast, Scattered Spider only has dozens in its network. Often they are repeat offenders who have been arrested before but once bailed return straight to their keyboards to strike again. ‘The people who are active now, I would bet a portion of them were among those arrested last year,’ she says. ‘They become more skilled and educated every time.’ In California, where Buchanan is locked up in a grim federal prison and due to appear in court later this month, his lawyer Sara Azari tells the Mail her client is entitled to the ‘presumption of innocence’ and that she does not believe he has anything to do with the M&S hack, describing him as ‘the sweetest kid’. Of the Scattered Spider affiliation, she says: ‘It’s not a criminal organisation like drug traffickers. There’s a reason it’s called Scattered Spider: this is primarily young kids rather than a criminal organisation with a leadership’. Until yesterday’s claim by DragonForce, the most revealing detail on the M&S hack had come from US-based tech website BleepingComputer, which said that sources had informed it of hackers stealing crucial company data as early as February. Once inside, all the hackers would have had to do was sit quietly, watch and wait, until unleashing ransomware last week. M&S is now working with cyber security experts from CrowdStrike, GCHQ’s National Cyber Security Centre, the Met Police and the National Crime Agency as it battles to deal with the IT disaster. Meanwhile, other retailers watch uneasily. 
Graeme Stewart, head of public sector at UK-based security company Check Point, says: ‘The nature of these gangs is to want to be seen doing the biggest attack, the highest profile attack, and so I believe it is extremely unlikely to be a joined up effort. ‘The question is, what comes next? I would be urging retailer security teams to be on high alert and battening down IT hatches, but also working with the companies that supply them. ‘The digital age and reliance we have on our smartphones and laptops for everyday life means that disruption of these systems has a cataclysmic effect on all of us.’ Additional reporting: Dan Barker