Xutepsj

Senior Scattered Spider Hacker Pleads Guilty to Wire Fraud and Crypto Theft

Published: 2026-04-30 20:00:41 | Category: Cybersecurity

Overview of the Case

A 24-year-old British national and senior figure in the cybercriminal group known as Scattered Spider has entered a guilty plea to charges of wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan, operating under the hacker alias "Tylerb", admitted his involvement in a coordinated series of SMS-based phishing attacks during the summer of 2022. These attacks enabled the group to breach the security of at least a dozen prominent technology companies and subsequently steal tens of millions of dollars in cryptocurrency from investors.

Guilty Plea and Potential Sentence

Buchanan, originally from Dundee, Scotland, now awaits sentencing while in U.S. custody. His online handle once topped a leaderboard among English-speaking cybercriminals, highlighting his reputation as one of the most prolific digital thieves. If the court imposes the maximum penalty, he could face more than 20 years in federal prison.

Cyberattacks on Major Technology Companies

As part of his plea agreement, Buchanan acknowledged conspiring with other Scattered Spider members to launch tens of thousands of text-message phishing campaigns in 2022. These attacks targeted employees and customers of several large tech firms, including:

  • Twilio
  • LastPass
  • DoorDash
  • Mailchimp

The group exploited stolen credentials and other sensitive data from these breaches to carry out further theft from individual cryptocurrency investors.

SIM Swapping Attacks on Crypto Investors

Using information gathered from the phishing operations, Buchanan and his associates executed SIM-swapping attacks against specific victims. In a typical SIM swap, fraudsters transfer the target’s phone number to a device they control, intercepting all text messages and calls—including one-time passcodes and password reset links sent via SMS. The U.S. Department of Justice stated that Buchanan admitted to stealing at least $8 million in virtual currency from multiple victims across the United States.

How the FBI Traced Buchanan

Federal investigators linked Buchanan to the 2022 SMS phishing attacks after discovering that the same username and email address were used to register numerous phishing domains involved in the campaign. Domain registrar NameCheap reported that, less than a month before the phishing spree began, the account used to register those domains logged in from an internet address in the United Kingdom. FBI investigators confirmed that Scottish police identified the address as leased to Tyler Buchanan throughout 2022.

Flight After Rival Gang Attack

In February 2023, Buchanan fled the United Kingdom after a rival cybercrime gang hired thugs to invade his home, assault his mother, and threaten to burn him with a blowtorch unless he surrendered access to his cryptocurrency wallet. Later that same year, UK investigators discovered a device at Buchanan’s residence that contained evidence linking him to the Scattered Spider operations.

Background on Scattered Spider

Scattered Spider is a notorious English-speaking cybercrime group known for its heavy reliance on social engineering tactics. Members frequently impersonate employees, contractors, or IT support personnel to trick help desks into granting unauthorized access to corporate networks. Once inside, they steal sensitive data and demand ransoms. The group also faces allegations of launching a ransomware attack against Marks & Spencer, a major UK retail chain; media coverage from May 2025 noted those allegations and included photos of Buchanan as a child and of him being detained by Spanish airport authorities.

Looking Ahead: Sentencing and Implications

Buchanan’s guilty plea marks a significant milestone in the prosecution of one of Scattered Spider’s most active members. Legal experts suggest the case could serve as a deterrent for other aspiring cybercriminals, particularly those in English-speaking countries who view hacking as a lucrative and low-risk endeavor. The investigation continues, with authorities pursuing other members of the group.

For more details on the original reporting, see the coverage by KrebsOnSecurity.