FBI probe leads to arrest in Spain of alleged BetMGM hacker

BetMGM MGM Resorts Arrest Cyberattack
Image: Shutterstock

An arrest warrant issued by the FBI has led to the apprehension of a British man allegedly tied to a cyberattack on BetMGM.

Spanish police have arrested an unnamed UK resident in Palma de Mallorca for his alleged involvement in a cyberattack scheme that saw fraudulent accounts created on BetMGM. The accounts, many using the personal information of pro poker players, executed unauthorized bank account withdrawals of up to $10,000 per transaction.

The British suspect is accused of SIM-swapping, a type of account fraud that exploits two-factor authentication systems through the seizure of one-time passwords. The suspect’s SIM-swapping allegedly provided access or the ability to create new BetMGM accounts.

The investigation by Spanish police found that the British suspect made his way to Spain in May by first making a stop in Barcelona before the probe led to his location in Mallorca.

Authorities were able to apprehend the suspect as he boarded a flight to Italy. Spanish police confiscated the suspect’s laptop and cell phone. The British suspect, who committed fraud under the alias “Tyler,” had reportedly controlled roughly $27 million of Bitcoin.

Details of alleged BetMGM fraud

According to an ESPN report, pro poker player Todd Witteles became a victim of the alleged fraud in 2022 when a BetMGM account in West Virginia was created under his name. The unauthorized BetMGM account deposited $10,000 from Witteles’ bank account. The person behind the fraud illegally withdrew the entire amount to a Venmo debit card.

Before the fraud, Witteles had never created a BetMGM account or been to West Virginia.

The alleged fraud led to an arrest warrant issued by the FBI’s Los Angeles division. The 22-year-old suspect is alleged to have been a member of Scattered Spider, a hacker group tied to last year’s cyberattacks on MGM Resorts and Caesars. The group is comprised of mostly hackers between the ages of 17-22, according to CrowdStrike SVP Adam Meyers.

Scattered Spider’s 10-day hack of MGM Resorts in 2023 cost the hospitality and entertainment giant more than $100 million, according to an SEC regulatory filing.

The hack impacted operations from MGM’s website to its electronic key systems.