Inside the Guilty Plea of 'Tylerb': Scattered Spider's Senior Member Admits Role in Major Crypto Thefts

In a landmark case that highlights the evolving tactics of cybercrime, a senior member of the notorious Scattered Spider group has admitted his guilt. Tyler Robert Buchanan, known online as “Tylerb,” pleaded guilty to wire fraud conspiracy and aggravated identity theft, revealing a sophisticated scheme that siphoned millions in cryptocurrency from investors. This Q&A explores the details of his crimes, the group's methods, and the path to justice.

• Who is Tyler Robert Buchanan and what crime did he plead guilty to?
• What was the nature of the Scattered Spider group's operations?
• How did the SMS phishing attacks work and which companies were targeted?
• What is SIM-swapping and how did the group steal cryptocurrency?
• How did investigators trace the attacks back to Buchanan?
• What led to Buchanan's arrest and what is his current legal situation?

Who is Tyler Robert Buchanan and what crime did he plead guilty to?

Tyler Robert Buchanan, a 24-year-old British national from Dundee, Scotland, was a senior member of the cybercrime group Scattered Spider. Operating under the hacker handle “Tylerb,” he once topped leaderboards in the English-language criminal hacking scene that tracked the most successful cyber thieves. In a U.S. federal court, Buchanan pleaded guilty to wire fraud conspiracy and aggravated identity theft. These charges stem from a series of SMS-based phishing attacks in the summer of 2022, which enabled the group to breach at least a dozen major technology companies and steal tens of millions of dollars in cryptocurrency from individual investors. Buchanan now faces the possibility of more than 20 years in prison. His guilty plea represents a significant victory for law enforcement in dismantling a prolific English-speaking cybercrime network that relied heavily on social engineering techniques.

What was the nature of the Scattered Spider group's operations?

Scattered Spider is a prolific, English-speaking cybercrime group known for its expertise in social engineering. Rather than exploiting technical vulnerabilities, they often impersonate employees or contractors to deceive IT help desks into granting unauthorized access. This approach allowed them to infiltrate high-profile companies and steal data for ransom. Buchanan admitted conspiring with other members to launch tens of thousands of SMS phishing attacks in 2022. These attacks targeted technology firms like Twilio, LastPass, DoorDash, and Mailchimp. Once inside company systems, the group harvested credentials and other sensitive information, which they later used to perpetrate SIM-swapping attacks. The group's operations were highly coordinated and financially motivated, ultimately siphoning millions of dollars in virtual currency from victims across the United States.

How did the SMS phishing attacks work and which companies were targeted?

Buchanan and his co-conspirators carried out a widespread SMS phishing campaign in 2022. They sent tens of thousands of fraudulent text messages designed to trick recipients into revealing login credentials or other sensitive data. These messages often appeared to come from legitimate sources, such as IT support or internal security teams, and urged victims to click malicious links leading to fake login pages. The primary targets included major technology companies: Twilio, a cloud communications platform; LastPass, a popular password manager; DoorDash, the food delivery service; and Mailchimp, an email marketing platform. By compromising employees of these firms, Buchanan’s group gained initial footholds that allowed them to move laterally within networks and extract valuable data. The stolen information—like employee credentials and multi-factor authentication tokens—became the foundation for subsequent cryptocurrency heists.

What is SIM-swapping and how did the group steal cryptocurrency?

SIM-swapping is a technique where attackers transfer a victim’s phone number to a device they control. This allows them to intercept text messages and phone calls, including one-time passcodes and password reset links sent via SMS. Buchanan’s group used the data stolen from corporate breaches to identify high-value cryptocurrency investors. They then initiated SIM-swaps against those individuals, gaining control of their accounts by resetting passwords through SMS verification. Once inside, they drained the victims’ crypto wallets. The U.S. Justice Department stated that Buchanan admitted to stealing at least $8 million in virtual currency from individual victims across the country. This method exploits a common weakness: reliance on SMS-based two-factor authentication, which is vulnerable to phone number portability. The group’s success highlights the importance of using app-based or hardware authenticators instead.

How did investigators trace the attacks back to Buchanan?

FBI investigators linked Buchanan to the 2022 SMS phishing attacks through digital forensic analysis. They discovered that the same username and email address were used to register numerous phishing domains involved in the campaign. The domain registrar NameCheap identified that, less than a month before the phishing spree began, the account responsible for those domain registrations logged in from an internet address in the United Kingdom. Coordination with Scottish police revealed that the address had been leased to Buchanan throughout 2022. This evidence, combined with other digital clues, allowed law enforcement to build a solid case against him. The careful tracking of IP leases and domain registration records proved crucial in identifying a cybercriminal who otherwise operated anonymously online, showcasing how collaboration across international borders can crack even sophisticated hacking rings.

What led to Buchanan's arrest and what is his current legal situation?

Buchanan fled the United Kingdom in February 2023 after a rival cybercrime gang violently confronted him. They invaded his home, assaulted his mother, and threatened to burn him with a blowtorch unless he surrendered the keys to his cryptocurrency wallet. He was later detained by airport authorities in Spain. Photos from a May 2025 Daily Mail article show Buchanan as a child and as an adult being arrested. Now in U.S. custody, he has pleaded guilty and awaits sentencing. He faces a potential prison term exceeding 20 years for the wire fraud conspiracy and aggravated identity theft charges. The case also involves Marks & Spencer, the U.K. retail giant that suffered a ransomware attack linked to Scattered Spider. Buchanan’s guilty plea marks a critical step in holding senior cybercriminals accountable, but it also underscores the violent, high-stakes underworld that drives modern digital theft.