Senior Scattered Spider Hacker Pleads Guilty in Major Cyber Fraud Case
Introduction
A 24-year-old British national who played a key role in the notorious cybercrime group Scattered Spider has admitted to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan, known online by the handle "Tylerb", was a senior member of the English-speaking hacking collective that specialized in social engineering attacks. His guilty plea marks a significant step in holding accountable one of the group's most prolific actors.

The Guilty Plea
Buchanan entered his plea in a U.S. federal court, acknowledging his involvement in a series of text-message phishing campaigns launched in the summer of 2022. These attacks targeted at least a dozen major technology companies, leading to data breaches and the theft of tens of millions of dollars in cryptocurrency from investors. Now in U.S. custody and awaiting sentencing, Buchanan faces the possibility of more than 20 years in prison.
As part of the plea, the Dundee, Scotland native admitted to conspiring with other Scattered Spider members to send tens of thousands of SMS-based phishing messages. These messages tricked employees into revealing credentials, which the group then used to infiltrate corporate networks. The breaches affected well-known firms such as Twilio, LastPass, DoorDash, and Mailchimp.
The Phishing Campaign
How the Attacks Worked
Scattered Spider's hallmark was social engineering—impersonating employees or contractors to deceive IT help desks into granting access. In the 2022 campaign, Buchanan and his co-conspirators used bulk SMS messages that appeared legitimate, luring recipients to fake login pages. Once credentials were harvested, the group moved laterally within target networks to steal sensitive data.
Companies Targeted
The list of compromised organizations reads like a who's who of the tech industry. Beyond Twilio and LastPass, the hackers also breached DoorDash, Mailchimp, and others. The stolen data included customer lists, internal communications, and authentication tokens, which later facilitated even more damaging attacks.
SIM Swapping and Crypto Theft
After gaining access to corporate systems, the group used the stolen data to execute SIM-swapping attacks against individual cryptocurrency investors. In a SIM swap, criminals transfer a victim's phone number to a device they control, intercepting SMS-based one-time passcodes and password reset links. This allowed them to drain digital wallets.
The U.S. Justice Department stated that Buchanan admitted to stealing at least $8 million in virtual currency from victims across the United States. The total financial impact, including the corporate breaches, likely exceeds tens of millions of dollars.

Tracking the Hacker
Digital Footprint Leads to Scotland
FBI investigators connected Buchanan to the 2022 phishing spree by tracing the registration of numerous phishing domains. The domain registrar NameCheap revealed that an account using Buchanan's username and email address logged in from a UK internet address less than a month before the campaign began. Local police confirmed that address was leased to Buchanan throughout 2022.
Notoriety in the Underground
Before his downfall, Buchanan's handle "Tylerb" appeared on a leaderboard tracking the most accomplished cyber thieves in the English-speaking criminal hacking scene. His reputation as a skilled operator made him a target within the underground, leading to dangerous rivalries.
Violent Rivalry and Arrest
As first reported by KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023 after a rival cybercrime gang hired thugs to invade his home. The attackers assaulted his mother and threatened to burn him with a blowtorch unless he surrendered the keys to his cryptocurrency wallet. Soon after, he was arrested by Spanish authorities while in transit, as captured in photos published by the Daily Mail on May 3, 2025. One photo shows Buchanan as a child; another shows him being detained at an airport. The images also reference "M&S" (Marks & Spencer), a UK retail chain that suffered a Scattered Spider ransomware attack.
After extradition to the United States, Buchanan now awaits sentencing, with prosecutors seeking a lengthy prison term.
Conclusion
The guilty plea of Tyler Buchanan represents a major win for law enforcement in the fight against sophisticated cybercrime groups. Scattered Spider, known for blending technical skill with audacious social engineering, caused millions in losses across multiple industries. Buchanan's case serves as a warning to hackers who believe they can operate with impunity—and a reminder of the violent consequences that sometimes arise in the criminal underworld.