Senior Scattered Spider Hacker Admits Guilt in Major Phishing and Crypto Theft Scheme

Introduction

A 24-year-old British national and prominent member of the cybercriminal group known as Scattered Spider has entered a guilty plea on charges of wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan, who operated under the hacker alias “Tylerb”, admitted his involvement in a widespread text-message phishing campaign during the summer of 2022. This operation enabled the group to breach at least a dozen major technology firms and siphon tens of millions of dollars in cryptocurrency from individual investors.

Buchanan’s Background and Rise in Cybercrime

Buchanan, a native of Dundee, Scotland, once boasted a spot on a leaderboard in the English-language criminal hacking community that tracked the most prolific cyber thieves. His handle, “Tylerb,” was a mark of status among peers. Now in U.S. custody and awaiting sentencing, Buchanan faces the possibility of more than 20 years in prison. Photos published by the Daily Mail show him as a child and as an adult being detained by airport authorities in Spain, highlighting the stark contrast between his past and present.

The Scattered Spider Group

Scattered Spider is a prolific, English-speaking cybercrime syndicate notorious for employing social engineering tactics to infiltrate organizations. Members often impersonate employees or contractors to deceive IT help desks into granting unauthorized access. The group’s modus operandi includes stealing data for ransom, and they have been linked to several high-profile attacks, including a ransomware incident at the U.K. retail chain Marks & Spencer (M&S).

The SMS Phishing Campaign

As part of his guilty plea, Buchanan admitted conspiring with fellow Scattered Spider members to launch tens of thousands of SMS-based phishing attacks in 2022. These messages targeted employees of major technology companies, leading to intrusions at firms such as Twilio, LastPass, DoorDash, and Mailchimp. The stolen data from these breaches was then used to facilitate SIM-swapping attacks that drained funds from cryptocurrency wallets.

SIM-Swapping Methodology

In a SIM-swap, cybercriminals transfer the victim’s phone number to a device under their control. This allows them to intercept text messages and phone calls, including one-time passcodes for authentication and password reset links sent via SMS. The U.S. Justice Department stated that Buchanan admitted to stealing at least $8 million in virtual currency from individual victims across the United States.

Investigation and Evidence

FBI investigators connected Buchanan to the 2022 phishing attacks by tracing the same username and email address used to register numerous phishing domains involved in the campaign. The domain registrar NameCheap revealed that, less than a month before the phishing spree, the account registering those domains logged in from an IP address in the United Kingdom. Scottish police confirmed that this address was leased to Buchanan throughout 2022, solidifying the link.

Details from Media Reports

According to a Daily Mail story dated May 3, 2025, photos of Buchanan as a child and as an adult detained in Spain were published. The report also noted that “M&S” in a screenshot referred to Marks & Spencer, which suffered a ransomware attack last year attributed to Scattered Spider.

Flight and Aftermath

As first reported by KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023 after a rival cybercrime gang hired thugs to invade his home, assault his mother, and threaten him with a blowtorch unless he relinquished the keys to his cryptocurrency wallet. Later that year, U.K. investigators discovered a device at Buchanan’s residence that contained further evidence of his criminal activities.

Conclusion

Buchanan’s guilty plea marks a significant development in the fight against cybercrime, particularly targeted at social engineering and phishing schemes. His cooperation may shed light on the inner workings of Scattered Spider and help dismantle the group. As sentencing approaches, the case serves as a warning to those who engage in similar illicit activities.