Scattered Spider Hacker Tylerb Pleads Guilty: Key Q&A
In a significant development for cybersecurity, a 24-year-old British national and senior member of the notorious cybercrime group 'Scattered Spider' has admitted his role in a series of sophisticated phishing attacks. Tyler Robert Buchanan, known online as 'Tylerb', pleaded guilty to wire fraud conspiracy and aggravated identity theft in U.S. federal court. His actions in the summer of 2022 led to the compromise of major tech companies and the theft of tens of millions of dollars in cryptocurrency. This Q&A explores the details of his crimes, the group's methods, and the fallout from his arrest.

Who is Tyler Robert Buchanan (aka Tylerb) and what did he plead guilty to?
Tyler Robert Buchanan, a 24-year-old from Dundee, Scotland, was a senior member of the cybercrime group Scattered Spider, operating under the handle 'Tylerb'. In May 2025, he pleaded guilty to two counts: wire fraud conspiracy and aggravated identity theft. The charges stem from a coordinated phishing campaign in 2022 that targeted employees of major technology companies. By tricking them into revealing credentials, Buchanan and his co-conspirators gained unauthorized access to corporate networks, stole sensitive data, and eventually siphoned millions of dollars from individual cryptocurrency investors. His guilty plea marks a key victory for law enforcement in cracking down on financially motivated cybercrime, though he now faces a potential sentence of over 20 years in prison.

What was Scattered Spider and how did they operate?
Scattered Spider is an English-speaking cybercrime group known for its reliance on social engineering tactics to infiltrate organizations. Unlike many hacking groups that exploit technical vulnerabilities, Scattered Spider focused on manipulating people. They would impersonate employees or contractors over the phone or via text messages to deceive IT help desks into granting access to corporate systems. Once inside, they stole sensitive data and often demanded ransoms. Buchanan was a senior member whose name once appeared on a leaderboard of top cyber thieves in the English-language hacking underground. The group's methods were highly effective, leading to breaches at several well-known firms and causing significant financial damage.

How did Buchanan and his group carry out the 2022 SMS phishing attacks?
The 2022 attacks began with massive SMS phishing campaigns, where Buchanan and other Scattered Spider members sent tens of thousands of text messages to employees of target companies. These messages appeared to come from legitimate internal sources, asking recipients to click a link and enter their login credentials. The phishing domains were registered using Buchanan's username and email address. According to the FBI, the account registered these domains less than a month before the attacks, and login records from that account traced back to an IP address in the United Kingdom that was leased to Buchanan throughout 2022. This digital trail allowed investigators to link him directly to the scheme.

What companies were targeted and what was stolen?
The phishing attacks successfully compromised at least a dozen major technology companies, including Twilio, LastPass, DoorDash, and Mailchimp. Once inside the corporate networks, the group used the stolen credentials and access to further their criminal aims. The ultimate goal was to steal cryptocurrency from individual investors. By combining corporate breaches with SIM-swapping (covered in the final question below), they could intercept one-time passwords and reset links sent via SMS, draining victims' crypto wallets. Buchanan admitted to stealing at least $8 million in virtual currency from victims across the United States, though the total losses from the group's operations run into tens of millions.

How did law enforcement track and catch Buchanan?
The FBI's investigation relied on a combination of digital forensics and international cooperation. The key break came when they discovered that the username and email address used to register numerous phishing domains were linked to Buchanan. The domain registrar Namecheap provided logs showing that the account logged in from an IP address in the U.K. just before the phishing spree. Scottish police confirmed that the internet address was leased to Buchanan throughout 2022. However, Buchanan had already fled the U.K. in February 2023 after a rival crime gang attacked his home, assaulted his mother, and threatened him with a blowtorch. He was eventually detained by authorities in Spain, as shown in photos published by the Daily Mail, and later extradited to the United States to face charges.

What is the potential sentence and what happened after his arrest?
Buchanan now awaits sentencing in U.S. custody, and he faces the possibility of more than 20 years in prison for the combined charges of wire fraud conspiracy and aggravated identity theft. His guilty plea likely ensures a conviction, but the exact term will be determined by a judge. After his arrest in Spain, Buchanan was extradited to the United States. Notably, Scattered Spider also carried out a ransomware attack on the U.K. retail chain Marks & Spencer (M&S) in 2024, but it remains unclear if Buchanan was directly involved in that incident. His case highlights the increasing international cooperation needed to combat cybercrime and the severe consequences for those who orchestrate such large-scale fraud.

How did the group use SIM-swapping to steal cryptocurrency?
SIM-swapping was the critical second stage of Scattered Spider's operation. After breaching technology companies and stealing employee data, the group targeted individual cryptocurrency investors. They performed unauthorized SIM swaps, transferring the victim's phone number to a device controlled by the criminals. This allowed them to intercept any text messages or phone calls intended for the victim, including one-time passcodes for authentication and password reset links sent via SMS. With access to these codes, the attackers could log into the victims' crypto exchange accounts and drain their funds. Buchanan admitted this method was used to steal at least $8 million in virtual currency from individuals across the U.S., demonstrating how a combination of corporate and personal data can be weaponized for financial theft.