Senior 'Scattered Spider' Hacker Admits Role in Massive Crypto Theft and Phishing Spree
Introduction
A 24-year-old British national and senior member of the notorious cybercrime group Scattered Spider has pleaded guilty to charges of wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan, known online by the handle "Tylerb", admitted his involvement in a series of text-message phishing attacks during the summer of 2022. These attacks enabled the group to breach at least a dozen major technology companies and steal tens of millions of dollars in cryptocurrency from investors.

Buchanan's alias once appeared on a leaderboard in the English-language criminal hacking scene that tracked the most accomplished cyber thieves. Now in U.S. custody and awaiting sentencing, the native of Dundee, Scotland, faces the possibility of more than 20 years in prison.
The Phishing Campaign
As part of his guilty plea, Buchanan confessed to conspiring with other Scattered Spider members to launch tens of thousands of SMS-based phishing attacks in 2022. These attacks targeted employees of several technology companies, including Twilio, LastPass, DoorDash, and Mailchimp. The group used social engineering tactics—often impersonating employees or contractors to deceive IT help desks—to gain unauthorized access to corporate networks.
The SIM-Swap Scheme
Once inside the companies, the group extracted sensitive data that they later used to carry out SIM-swapping attacks. In these attacks, criminals transfer a victim's phone number to a device they control, intercepting text messages and phone calls—including one-time passcodes for authentication and password reset links sent via SMS. The U.S. Justice Department stated that Buchanan admitted to stealing at least $8 million in virtual currency from individual victims across the United States.
How SIM-Swapping Works
SIM-swapping is a form of identity theft in which attackers convince a mobile carrier to port a victim's phone number to a SIM card in their possession. Because the attackers then receive the victim's calls and text messages, they can bypass two-factor authentication that relies on codes sent to that number and gain access to the victim's accounts, including cryptocurrency wallets and financial services.
Law Enforcement Investigation
FBI investigators linked Buchanan to the 2022 SMS phishing attacks after discovering that the same username and email address were used to register numerous phishing domains seen in the campaign. The domain registrar Namecheap found that less than a month before the phishing spree, the account that registered those domains logged in from an Internet address in the United Kingdom. FBI investigators said Scottish police confirmed that address was leased to Buchanan throughout 2022.

As reported by KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023 after a rival cybercrime gang hired thugs to invade his home, assault his mother, and threaten to burn him with a blowtorch unless he gave up the keys to his cryptocurrency wallet. Later that year, U.K. investigators found a device at Buchanan's residence that contained evidence linking him to the phishing infrastructure and stolen funds.
The Guilty Plea and Sentencing
Buchanan pleaded guilty in a U.S. federal court to wire fraud conspiracy and aggravated identity theft. Each charge carries severe penalties, and he could face over 20 years in prison. Two photos published in a Daily Mail story from May 3, 2025, show Buchanan as a child and as an adult being detained by airport authorities in Spain. The notation "M&S" in one screenshot refers to Marks & Spencer, a major U.K. retail chain that suffered a ransomware attack last year attributed to Scattered Spider.
Background on Scattered Spider
Scattered Spider is the name given to a prolific English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom. The group often impersonates employees or contractors to deceive IT help desks into granting access to sensitive systems. Their methods have led to high-profile breaches across multiple industries, including technology, retail, and finance.

The plea by Buchanan marks a significant step in dismantling this threat group, but cybersecurity experts warn that many members remain at large. Law enforcement agencies continue to collaborate internationally to track down other individuals involved in the 2022 phishing campaign and subsequent cryptocurrency thefts.