Inside the Scattered Spider Cybercrime Operation: A Q&A on the Guilty Plea of 'Tylerb'

In a major development against cybercrime, a senior member of the notorious English-speaking hacking group known as 'Scattered Spider' has admitted guilt. Tyler Robert Buchanan, a 24-year-old from Dundee, Scotland, who operated under the online alias 'Tylerb', pleaded guilty in a U.S. court to charges of wire fraud conspiracy and aggravated identity theft. His actions, part of a coordinated SMS phishing campaign in the summer of 2022, compromised major technology companies and led to the theft of millions of dollars in cryptocurrency from individual investors. This Q&A breaks down the key details of the case, the group's methods, and the consequences for Buchanan.

Who is 'Tylerb' and what role did he play in Scattered Spider?

'Tylerb' is the online nickname of Tyler Robert Buchanan, a British national from Dundee, Scotland. At just 24 years old, he was identified as a senior member of the cybercrime group Scattered Spider. Buchanan worked closely with other members to plan and execute large-scale hacking campaigns. His specialty was social engineering, specifically using text-message phishing to trick employees of major tech companies. He managed to bypass security systems by pretending to be a legitimate contractor or employee, a tactic that gave him high status within the group. In fact, his handle once appeared on a leaderboard that tracked the most successful cyber thieves in the English-speaking hacking underworld.

Source: krebsonsecurity.com

What is Scattered Spider and how does it operate?

Scattered Spider is a loose-knit, English-speaking cybercrime group known for its sophisticated social engineering techniques. Unlike many hacking groups that rely on malware or technical exploits, Scattered Spider specializes in impersonating employees or contractors. They call or message company help desks, claiming to have forgotten a password or to need access, and often succeed in tricking staff into granting them entry. Once inside a company's network, they steal sensitive data—such as customer information or internal tools—which they then use for further attacks, like ransomware demands or cryptocurrency theft. The group has been active since at least 2022 and has targeted firms including Twilio, LastPass, DoorDash, and Mailchimp.

How did the SMS phishing attacks work?

Buchanan admitted to orchestrating tens of thousands of SMS-based phishing attacks during the summer of 2022. The group sent text messages that appeared to come from legitimate sources, such as IT help desks or security alerts, tricking employees at technology companies into clicking malicious links. Once clicked, the links either stole their login credentials or installed backdoors. For example, Twilio and LastPass were breached this way. After gaining access, the group then used the stolen data to carry out SIM-swapping attacks—a technique where a victim's phone number is fraudulently transferred to a device controlled by the hacker. This allowed them to intercept two-factor authentication codes and password reset links to drain cryptocurrency wallets.

What is SIM-swapping and why is it dangerous?

SIM-swapping is a type of identity theft that targets mobile phone accounts. Scattered Spider would use information obtained from phishing attacks to contact mobile carriers, impersonate the victim, and request that the victim's phone number be transferred to a new SIM card in the attackers' possession. Once the new SIM is activated, the hackers receive all the victim's calls and text messages. This is extremely dangerous because many online accounts—including email, banking, and cryptocurrency exchanges—use SMS-based two-factor authentication. With control of the phone number, the attacker can reset passwords and gain access to accounts, often stealing large sums of money. Buchanan admitted to stealing at least $8 million through this method from individual victims across the United States.

How did authorities catch Buchanan?

The investigation began when FBI agents analyzed the phishing domains used in the 2022 campaign. They discovered that the same username and email address had been used to register numerous domains. The domain registrar NameCheap provided logs showing that, less than a month before the phishing spree, the account logged in from an IP address in the United Kingdom. British police confirmed that the address was leased to Tyler Buchanan throughout 2022. This digital trail, combined with financial records and witness statements, directly tied Buchanan to the attacks. He was eventually arrested by Spanish authorities while attempting to travel, and later extradited to the United States where he faced the charges.

What happened after his arrest? Did he flee?

Yes, Buchanan fled the United Kingdom in February 2023 after a violent incident. According to reports by KrebsOnSecurity, a rival cybercrime gang hired thugs to invade his home. The attackers assaulted his mother and threatened to burn Buchanan with a blowtorch unless he surrendered the keys to his cryptocurrency wallet. Terrified for his safety, he left the country and was later detained at an airport in Spain. Photos published by the Daily Mail in May 2025 show him as a child and as an adult being held by authorities. His flight from justice ultimately did not prevent his extradition and guilty plea.

What sentence does Buchanan face?

Now in U.S. custody awaiting sentencing, Tyler Buchanan faces a potential prison term of more than 20 years. His guilty plea to wire fraud conspiracy and aggravated identity theft carries severe penalties under federal law. The U.S. Justice Department has emphasized the impact on victims, noting that Buchanan personally stole at least $8 million in virtual currency. The case also highlights the international nature of cybercrime, as a Scottish citizen was prosecuted in the United States for crimes committed remotely. Sentencing is expected later this year, and could serve as a deterrent to other members of groups like Scattered Spider.
