Pradipta eManuel
Tyler Robert Buchanan, a 24-year-old British national and a key figure within the notorious cybercrime syndicate known as Scattered Spider, has formally pleaded guilty to charges of wire fraud conspiracy and aggravated identity theft. Buchanan, operating under the hacker handle "Tylerb," confessed his direct involvement in a series of highly effective text-message phishing campaigns executed during the summer of 2022. These malicious operations were instrumental in breaching the security of at least a dozen major technology companies, ultimately leading to the illicit acquisition of tens of millions of dollars worth of cryptocurrency from unsuspecting investors. The gravity of his actions now places him in U.S. custody, awaiting a sentencing hearing that could see him imprisoned for over two decades.
Buchanan’s alias, "Tylerb," once held a prominent position on a leaderboard within the English-language criminal hacking community, a ranking system designed to identify and celebrate the most skilled and prolific cyber thieves. His current predicament, however, marks a stark contrast to his former notoriety. Hailing from Dundee, Scotland, Buchanan now faces the grim reality of potential imprisonment in the United States, a consequence of his deep entanglement with one of the most aggressive cybercrime groups currently operating. The accompanying image, sourced from a Daily Mail article dated May 3, 2025, offers a visual representation of Buchanan’s journey, depicting him as a child and later as an adult being apprehended by Spanish authorities. The inclusion of "M&S" in the screenshot serves as a poignant reminder of the real-world impact of Scattered Spider’s activities, referencing Marks & Spencer, a major U.K. retail chain that fell victim to a ransomware attack orchestrated by the group.
Scattered Spider has earned its reputation as a prolific and English-speaking cybercrime collective, distinguished by its adept use of social engineering tactics to infiltrate corporate networks and extort sensitive data. Their modus operandi often involves impersonating legitimate employees or contractors to cunningly deceive IT help desks, thereby gaining unauthorized access to valuable information. This insidious approach allowed them to bypass traditional security measures by exploiting human trust and adherence to established protocols.
As part of his guilty plea, Buchanan meticulously detailed his conspiracy with other members of Scattered Spider. He admitted to orchestrating tens of thousands of SMS-based phishing attacks throughout 2022. These attacks served as the initial gateway for the group to gain unauthorized access to numerous technology companies, with notable victims including Twilio, LastPass, DoorDash, and Mailchimp. The stolen data harvested from these breaches then became the foundation for subsequent, more targeted attacks.
Following the initial intrusions, Scattered Spider leveraged the compromised information to execute highly effective SIM-swapping attacks. These attacks were specifically designed to siphon funds from individual cryptocurrency investors. In a SIM-swap, cybercriminals illicitly transfer a victim’s phone number to a device under their control. This allows them to intercept all incoming text messages and phone calls directed to the victim’s device. Critically, this includes sensitive information such as one-time passcodes (OTPs) used for multi-factor authentication and password reset links that are commonly sent via SMS. The U.S. Department of Justice has officially stated that Buchanan has admitted to stealing at least $8 million in virtual currency from individual victims across the United States, underscoring the vast financial damage caused by these operations.
The intricate web of evidence that ensnared Buchanan was painstakingly pieced together by FBI investigators. Their breakthrough came when they discovered that the same username and email address were used to register numerous phishing domains that were actively deployed during the 2022 campaign. Further investigation by the domain registrar NameCheap revealed that, in the period leading up to the phishing spree, the account responsible for registering these malicious domains had logged in from an internet address located in the United Kingdom. Acting on this crucial lead, FBI investigators collaborated with Scottish police, who confirmed that the identified internet address was leased to Buchanan throughout 2022, directly linking him to the phishing infrastructure.
The narrative of Buchanan’s downfall is further illuminated by a disturbing incident that predates his capture. As previously reported by KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023, following a brutal home invasion orchestrated by a rival cybercrime gang. Thugs reportedly assaulted his mother and threatened him with severe violence, including the use of a blowtorch, demanding the keys to his cryptocurrency wallet. In a chilling discovery later that year, U.K. investigators found a device at Buchanan’s residence in Scotland containing data stolen from SMS phishing victims, alongside seed phrases belonging to cryptocurrency theft victims. This evidence painted a grim picture of the illegal activities he was involved in and the dangerous circles he moved within.
Buchanan’s apprehension finally came in June 2024, when he was arrested by Spanish authorities at an airport while attempting to board a flight to Italy. Following his arrest, he was extradited to the United States, where he has remained in federal custody since April 2025. His plea represents a significant victory for law enforcement agencies pursuing cybercriminals who operate across international borders.
Buchanan is not the first member of Scattered Spider to face legal repercussions. Noah Michael Urban, a 21-year-old from Palm Coast, Florida, was previously sentenced to 10 years in federal prison and ordered to pay $13 million in restitution for his role in SIM-swapping schemes. The legal net continues to tighten around other alleged co-conspirators, including Ahmed Hossam Eldin Elbadawy, 24, known as "AD," of College Station, Texas; Evans Onyeaka Osiebo, 21, of Dallas, Texas; and Joel Martin Evans, 26, also known as "joeleoli," of Jacksonville, North Carolina. These individuals currently face ongoing criminal charges.
Furthermore, the reach of Scattered Spider extends beyond the United States, with two other alleged members, Owen Flowers, 18, and Thalha Jubair, 20, slated for trial in the United Kingdom. They are facing charges related to the hacking and extortion of several large U.K. retailers, the London transit system, and healthcare providers in the United States. Both have pleaded not guilty, and their trial is scheduled to commence in June. Investigators believe that the individuals associated with Scattered Spider are part of a larger, interconnected online criminal ecosystem known as "The Com." This community thrives on platforms like Telegram and Discord, where hackers from various cliques openly boast about their high-profile cyber thefts. These operations almost invariably begin with social engineering, a tactic that relies on manipulating individuals through phone calls, emails, or SMS messages to divulge credentials that grant remote access to corporate internal networks.
The lucrative nature of SIM-swapping is further evidenced by the existence of leaderboards on Telegram, which track the most prolific SIM-swappers based on their reported cryptocurrency theft achievements. Buchanan’s alias, "Tylerb," was previously ranked at #65 out of 100 hackers on one such leaderboard, while Urban’s moniker, "Sosa," held the #24 position. These rankings highlight the competitive and status-driven nature of this illicit underworld.
Buchanan’s sentencing hearing is currently scheduled for August 21, 2026. According to the Department of Justice, he faces a statutory maximum sentence of 22 years in federal prison. However, the final sentence handed down by the judge may be influenced by various mitigating factors outlined in the U.S. Sentencing Guidelines. These factors can include the defendant’s age, their prior criminal history, the amount of time they have already served in U.S. custody, and the extent to which they have cooperated with federal authorities throughout the investigation and legal proceedings. The outcome of his sentencing will serve as a stark warning to others engaged in similar high-stakes cybercriminal activities.
