Scattered Spider Ringleader Pleads Guilty in Major Crypto Heist

A 24-year-old British national and senior member of the cybercrime group Scattered Spider has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan, known online as 'Tylerb,' admitted orchestrating a series of text-message phishing attacks in summer 2022 that compromised at least a dozen major technology companies and drained tens of millions of dollars from cryptocurrency investors.

Buchanan now faces up to 20 years in U.S. federal prison. He is currently in custody awaiting sentencing after being arrested in Spain and extradited to the United States.

'This plea sends a clear message that cybercriminals will be held accountable, no matter how sophisticated their schemes,' said a Justice Department official overseeing the case. 'Buchanan and his co-conspirators caused significant financial harm and disrupted the lives of victims across the country.'

Background

Scattered Spider is a prolific English-speaking cybercrime group known for its mastery of social engineering. Members impersonate employees or contractors to trick IT help desks into granting system access. The group has been linked to high-profile ransomware attacks, including a 2024 assault on U.K. retailer Marks & Spencer.

Buchanan's role was critical. He developed and launched thousands of SMS phishing messages that tricked employees at Twilio, LastPass, DoorDash, and Mailchimp into revealing credentials. Once inside, the group stole customer data and used it to perform SIM-swapping attacks against individual cryptocurrency investors.

In a SIM swap, criminals transfer a victim's phone number to a device they control, intercepting one-time passcodes and password reset links. The U.S. Department of Justice said Buchanan admitted to stealing at least $8 million in virtual currency from victims across the United States.

FBI investigators traced the phishing campaign after discovering that the same username and email address registered numerous phishing domains. Domain registrar NameCheap revealed that less than a month before the attacks, the account logged in from a U.K. internet address. Scottish police confirmed the address was leased to Buchanan throughout 2022.

According to KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023 after a rival cybercrime gang sent thugs to his home. They assaulted his mother and threatened to burn him with a blowtorch unless he surrendered his cryptocurrency wallet keys.

What This Means

Buchanan's guilty plea marks a major victory for law enforcement in the fight against sophisticated cybercrime organizations. However, experts warn that Scattered Spider remains active and continues to innovate its attacks.

'This is not the end of Scattered Spider—it's a high-profile takedown of one leader, but the group is still a threat,' said a cybersecurity analyst at a leading threat intelligence firm. 'The social engineering tactics they perfected are now being adopted by other criminal groups.'

Buchanan's sentencing is expected later this year. He faces a maximum of 20 years for wire fraud conspiracy and a mandatory two-year consecutive sentence for aggravated identity theft. The case highlights the growing reach of international cybercrime and the increasing willingness of nations to cooperate in pursuit of hackers.

For investors and companies, the lesson is clear: SMS-based authentication is no longer secure. Security experts recommend using app-based authenticators or hardware tokens instead.