In a major development for cybersecurity enforcement, a senior member of the infamous cybercrime group Scattered Spider has admitted guilt in a widespread phishing attack that targeted major technology companies and cryptocurrency investors. Tyler Robert Buchanan, known online as “Tylerb,” pleaded guilty to wire fraud conspiracy and aggravated identity theft in a case that highlights the growing sophistication of social engineering attacks and their real-world consequences. Below, we break down the key details of this case and its broader implications.
Who is Tyler Robert Buchanan, and what did he plead guilty to?
Tyler Robert Buchanan, a 24-year-old British national from Dundee, Scotland, was a senior member of the cybercrime group Scattered Spider. Operating under the hacker handle “Tylerb,” he once appeared on leaderboards celebrating the most prolific English-speaking cyber thieves. In his guilty plea, Buchanan admitted to wire fraud conspiracy and aggravated identity theft. These charges stem from a series of SMS-based phishing attacks conducted in the summer of 2022. Buchanan now faces the possibility of more than 20 years in U.S. prison, with sentencing yet to be scheduled. His arrest and detention in Spain led to his extradition to the United States, where he awaits judgment.
What is Scattered Spider, and how does the group operate?
Scattered Spider is a prolific English-speaking cybercrime group notorious for its expertise in social engineering. Rather than relying on technical hacking, members impersonate employees or contractors to deceive IT help desks into granting access to corporate systems. Once inside, they steal sensitive data and demand ransoms. The group is known for its targeted SMS phishing attacks, often called “smishing,” which trick victims into clicking malicious links or providing credentials. Buchanan and his co-conspirators used this approach to breach multiple major companies, including Twilio, LastPass, DoorDash, and Mailchimp, before pivoting to cryptocurrency theft.
How did Buchanan and Scattered Spider hack into major tech companies?
In the summer of 2022, Buchanan conspired with other Scattered Spider members to launch tens of thousands of SMS-based phishing messages. These messages appeared to come from legitimate sources, tricking employees at companies like Twilio and LastPass into revealing login credentials. Once inside, the group harvested employee data and customer information. The stolen data was then used to carry out SIM-swapping attacks. In a SIM swap, criminals transfer a victim’s phone number to a device they control, intercepting text messages and calls—including one-time passwords and password reset links. This allowed them to drain cryptocurrency wallets. The attacks were sophisticated and well-coordinated, mixing phishing with manual social engineering calls to IT help desks.
What was the financial impact of the attacks?
The financial damage from Buchanan’s activities was substantial. The U.S. Justice Department stated that Buchanan admitted to stealing at least $8 million in virtual currency from individual victims across the United States. However, the overall theft from cryptocurrency investors was much higher, with reports indicating tens of millions of dollars were siphoned. The group targeted high-value accounts, using stolen credentials and SIM swaps to bypass two-factor authentication. The victims included not only individual investors but also the companies themselves, which suffered data breaches and operational disruptions. The case underscores how cybercriminals can turn a single phishing campaign into a multimillion-dollar enterprise.
How did law enforcement catch Buchanan?
FBI investigators traced the phishing campaign back to Buchanan by analyzing the phishing domains used in the attacks. The registrar NameCheap discovered that less than a month before the spree, the account registering those domains logged in from a U.K. internet address. Scottish police confirmed that address was leased to Buchanan throughout 2022. The same username and email address appeared across multiple domains, creating a digital fingerprint. This classic investigative work—linking domain registrations to real-world identities—was key. Buchanan fled the U.K. in February 2023 after a rival cybercrime gang attacked his home, but he was eventually detained in Spain by airport authorities, leading to his extradition.
What happened after the attacks?
Following the 2022 phishing spree, Buchanan’s life took a dramatic turn. In February 2023, as first reported by KrebsOnSecurity, a rival cybercrime gang hired thugs to invade his home. They assaulted his mother and threatened to burn him with a blowtorch unless he surrendered the keys to his cryptocurrency wallet. Buchanan fled the United Kingdom shortly after. Meanwhile, law enforcement on both sides of the Atlantic built their case. The U.K. investigators later found a device at Buchanan’s home containing evidence. In 2025, he was arrested in Spain and eventually brought to the U.S. His guilty plea marks the end of his run, but it also highlights the violent underbelly of the cybercrime world.
What is Buchanan’s sentencing outlook?
Buchanan now faces the possibility of more than 20 years in prison for wire fraud conspiracy and aggravated identity theft. The charges carry severe penalties, especially due to the involvement of identity theft. His sentencing date has not yet been announced, but federal guidelines suggest a lengthy term given the financial losses and the deliberate targeting of U.S. victims. The case serves as a warning to other cybercriminals: even those operating internationally can be pursued and held accountable. It also reinforces the importance of corporate cybersecurity measures against social engineering, as Scattered Spider has shown that simple phone calls and text messages can bring down even tech giants.