UK Cybercriminal Tyler Buchanan Admits Role in Scattered Spider Phishing Attacks

Introduction

A 24-year-old British national has pleaded guilty to charges of wire fraud conspiracy and aggravated identity theft, admitting his central role in a series of text-message phishing attacks orchestrated by the cybercrime group known as Scattered Spider. Tyler Robert Buchanan, who operates under the hacker handle "Tylerb", participated in a campaign during the summer of 2022 that compromised at least a dozen major technology companies and siphoned tens of millions of dollars in cryptocurrency from individual investors.

Source: krebsonsecurity.com

What Is Scattered Spider?

Scattered Spider is a prolific English-speaking cybercrime group notorious for leveraging social engineering to infiltrate corporate networks. Members often impersonate employees or contractors to deceive IT help desks into granting unauthorized access. The group then exfiltrates sensitive data for ransom or uses it to facilitate further financial crimes.

The 2022 SMS Phishing Campaign

As part of his guilty plea, Buchanan admitted to orchestrating tens of thousands of SMS-based phishing attacks in 2022. These messages targeted employees of leading tech firms, including Twilio, LastPass, DoorDash, and Mailchimp. Once the attackers obtained credentials, they moved to compromise accounts on a larger scale.

The stolen data from these breaches was then used to execute SIM-swapping attacks against individual cryptocurrency investors. In a SIM swap, criminals transfer the victim's phone number to a device they control, intercepting text messages and calls—including one-time passcodes and password reset links—to drain digital wallets. The U.S. Department of Justice confirmed that Buchanan directly admitted to stealing at least $8 million in virtual currency from victims across the United States.

Investigation and Evidence

Federal Bureau of Investigation (FBI) agents linked Buchanan to the phishing spree after discovering that the same username and email address had been used to register numerous domain names involved in the campaign. The domain registrar NameCheap provided logs showing that less than a month before the attacks began, the account used to register those domains logged in from an internet address in the United Kingdom. Scottish police confirmed to the FBI that the address had been leased to Buchanan throughout 2022.

Buchanan's Flight and Arrest

As first reported by KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023 after a rival cybercrime gang invaded his home, assaulted his mother, and threatened to burn him with a blowtorch unless he surrendered the keys to his cryptocurrency wallet. He was later detained by authorities in Spain, as documented in photographs published by the Daily Mail on May 3, 2025. The images show Buchanan as a child and, as an adult, being taken into custody at a Spanish airport. Notably, the screenshot also references M&S (Marks & Spencer), a major UK retail chain that suffered a ransomware attack linked to Scattered Spider last year.

Sentencing and Consequences

Buchanan remains in U.S. custody, awaiting sentencing. He faces a potential prison term of more than 20 years for his role in the wire fraud conspiracy and aggravated identity theft. His hacker handle "Tylerb" had once appeared on a leaderboard that tracked the most accomplished cyber thieves in the English-language criminal underground.

Broader Implications for Cybersecurity

The case highlights the persistent threat posed by social engineering attacks and the need for stronger authentication methods. SIM swapping and phishing remain top vectors for cryptocurrency theft. Organizations are urged to implement multi-factor authentication that does not rely solely on SMS-based codes, and to train employees to recognize deceptive requests from IT help desks.

For individuals, this case underscores the importance of using hardware security keys or authentication apps, and never sharing password reset links or one-time passcodes with unverified parties.
