Tyler Robert Buchanan, a 24-year-old British national and a pivotal figure in the notorious cybercriminal collective known as Scattered Spider, has formally pleaded guilty in a United States federal court to charges of wire fraud conspiracy and aggravated identity theft. The plea, entered in the Central District of California, marks a significant milestone in a multi-year international investigation into a series of sophisticated social engineering attacks that compromised some of the world’s most prominent technology firms. Buchanan, known in the digital underworld by the handle "Tylerb," admitted to orchestrating a wave of text-message phishing campaigns in 2022 that facilitated the theft of at least $8 million in cryptocurrency from individual investors and the unauthorized access of corporate networks belonging to industry giants such as Twilio, LastPass, DoorDash, and Mailchimp.

The admission of guilt by the Dundee, Scotland native sheds light on the inner workings of Scattered Spider, a group that has become a primary concern for the FBI and international law enforcement agencies due to its mastery of human-centric hacking. Unlike traditional cybercrime groups that rely solely on software vulnerabilities or malware, Scattered Spider—also tracked by security researchers under aliases such as UNC3944 and Starfraud—specializes in "social engineering." This involves deceiving employees, IT help desk personnel, or telecommunications providers into handing over credentials or administrative access. Buchanan’s role was central to these operations, leveraging deceptive SMS messages (smishing) to harvest employee login data, which served as the initial point of entry for wider corporate espionage and financial theft.

The Mechanics of the 2022 Phishing Campaign

The core of the criminal enterprise focused on a massive SMS phishing infrastructure established in the summer of 2022. According to court documents and Buchanan’s own admissions, the conspiracy involved the mass distribution of fraudulent text messages to employees of targeted technology companies. These messages typically mimicked urgent internal notifications, such as password expiration warnings or security alerts, and directed recipients to a malicious website that mirrored the company’s actual login portal.

Once an employee entered their credentials into the fraudulent site, Buchanan and his co-conspirators captured the data in real time. This allowed them to bypass multi-factor authentication (MFA) protocols, often by using "MFA fatigue" (bombarding the victim with approval requests until they clicked "allow") or by contacting company help desks while impersonating the victim to reset security settings.
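From the defender's side, both MFA bypass paths described above leave a recognizable trail in authentication logs. The following detector is an added example, not part of the original article or any court filing; the log schema, event names, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema): time, user, event, result
SAMPLE_LOG = """\
2022-08-04T09:00:05Z alice mfa_push denied
2022-08-04T09:00:40Z alice mfa_push timeout
2022-08-04T09:01:10Z alice mfa_push denied
2022-08-04T09:01:55Z alice mfa_push denied
2022-08-04T09:02:30Z alice mfa_push approved
2022-08-04T10:15:00Z bob mfa_push approved
2022-08-04T11:00:00Z carol helpdesk_mfa_reset ok
2022-08-04T11:06:00Z carol mfa_enroll new_device
2022-08-04T12:00:00Z dave mfa_push denied
2022-08-04T12:30:00Z dave mfa_push approved
"""

def parse(log):
    """Yield (timestamp, user, event, result) tuples from the log text."""
    for line in log.strip().splitlines():
        ts, user, event, result = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result

def detect(log, burst=3, window=timedelta(minutes=10)):
    """Return a sorted list of (user, reason) findings."""
    failed = defaultdict(list)  # user -> times of denied or ignored pushes
    resets = {}                 # user -> time of last help-desk MFA reset
    findings = set()
    for ts, user, event, result in sorted(parse(log)):
        if event == "mfa_push" and result in ("denied", "timeout"):
            failed[user].append(ts)
        elif event == "mfa_push" and result == "approved":
            # An approval that ends a burst of rejected prompts is the
            # "MFA fatigue" pattern: the user gave in, or mis-tapped.
            recent = [t for t in failed[user] if ts - t <= window]
            if len(recent) >= burst:
                findings.add((user, "push_fatigue"))
            failed[user].clear()
        elif event == "helpdesk_mfa_reset":
            resets[user] = ts
        elif event == "mfa_enroll" and user in resets and ts - resets[user] <= window:
            # A new factor enrolled right after a help-desk reset warrants a
            # callback to the employee through a known-good channel.
            findings.add((user, "reset_then_enroll"))
    return sorted(findings)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A single denied prompt followed much later by an approval (user dave in the sample) is not flagged, which keeps ordinary mis-taps from generating alerts.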

Among the high-profile victims of this campaign were:

  • Twilio: The communications platform suffered a breach in August 2022 where attackers gained access to internal systems, allowing them to view data for a limited number of customers.
  • LastPass: The password management service reported a series of incidents in 2022 where source code and technical information were exfiltrated.
  • DoorDash: The food delivery giant confirmed that a phishing attack on a third-party vendor allowed unauthorized access to internal tools.
  • Mailchimp: The email marketing firm was targeted multiple times, with attackers focusing on accounts related to cryptocurrency and finance.

SIM Swapping and the $8 Million Cryptocurrency Theft

The primary financial motive behind these corporate intrusions was often the facilitation of "SIM swapping." By gaining access to the internal administrative consoles of telecommunications companies or third-party service providers like Twilio, Buchanan and his associates could perform unauthorized transfers of a victim’s phone number to a device under the hackers’ control.

Once a phone number was successfully hijacked, the group could intercept SMS-based one-time passcodes (OTPs) and password reset links. This provided them with the keys to the victims’ cryptocurrency exchange accounts and digital wallets. The U.S. Department of Justice (DOJ) stated that Buchanan specifically admitted to stealing over $8 million in virtual currency from individuals across the United States. In many cases, these victims were high-net-worth investors who were specifically targeted after their contact information was harvested from the initial corporate breaches.

The scale of the theft was so significant that it placed Buchanan on a digital "leaderboard" within the cybercrime community. On various Telegram channels used by "The Com"—an umbrella term for a decentralized community of young, English-speaking hackers—Buchanan’s alias "Tylerb" was ranked as the 65th most successful SIM-swapper, a testament to the volume of wealth he managed to siphon from victims.

A Chronology of Investigation, Violence, and Arrest

The investigation into Buchanan was a collaborative effort involving the FBI and the Scottish Police. Investigators began connecting the dots after identifying that the email addresses and usernames used to register dozens of phishing domains were linked to a single NameCheap account. This account had been accessed from an IP address in the United Kingdom which, according to Scottish authorities, was leased to Buchanan throughout the period of the attacks.

However, the legal pursuit of Buchanan took a dramatic turn involving criminal-on-criminal violence. In February 2023, Buchanan fled the United Kingdom under duress. Reports indicate that a rival cybercrime faction, seeking to seize his cryptocurrency holdings, hired enforcers to break into his home. During the home invasion, the assailants reportedly assaulted Buchanan’s mother and threatened him with a blowtorch in an attempt to force him to relinquish the private keys to his digital wallets.

Following this incident, Buchanan became a fugitive, moving through various jurisdictions. In June 2024, his flight ended at an airport in Spain, where he was detained by Spanish authorities while attempting to board a flight to Italy. Following a successful extradition request by the United States, he was flown to Los Angeles in April 2025 to face federal charges. A search of his residence in Scotland prior to his flight had already yielded a device containing stolen data and "seed phrases"—the master keys to cryptocurrency wallets—belonging to his victims.

The Broader Impact: Scattered Spider and "The Com"

Buchanan is the second major member of Scattered Spider to face justice in the United States. In 2025, 21-year-old Noah Michael Urban (known as "Sosa") was sentenced to 10 years in federal prison and ordered to pay $13 million in restitution. Urban had been ranked 24th on the same criminal leaderboard that featured Buchanan.

The prosecution of these individuals highlights the growing threat posed by "The Com." This subculture of cybercriminals is distinct from state-sponsored actors in China or Russia; they are often young, native English speakers who are highly adept at the social and psychological aspects of hacking. They frequent platforms like Discord and Telegram to share techniques, trade stolen data, and boast about their exploits.

The group gained global notoriety in late 2023 for the devastating ransomware attacks on MGM Resorts and Caesars Entertainment. While Buchanan’s current plea relates specifically to the 2022 phishing and SIM-swapping wave, the infrastructure he helped build laid the groundwork for the group’s later, more aggressive extortion tactics. Other members, including Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans, currently face pending charges in the U.S., while Owen Flowers and Thalha Jubair await trial in the United Kingdom for attacks on the London transit system and various retail chains.

Sentencing and Industry Implications

Tyler Robert Buchanan’s sentencing is scheduled for August 21, 2026. Under federal statutes, he faces a maximum of 20 years for wire fraud conspiracy and a mandatory consecutive two-year sentence for aggravated identity theft. While the statutory maximum is 22 years, legal analysts suggest the final sentence will be influenced by several factors, including the level of his cooperation with federal investigators and his lack of a prior formal criminal record before the 2022 spree.

The case serves as a stark warning to the technology and telecommunications sectors regarding the fragility of SMS-based security. The success of Scattered Spider’s campaigns has prompted a wider industry shift away from SMS-based multi-factor authentication in favor of more secure methods, such as hardware security keys (e.g., YubiKeys) and app-based authenticators that are less susceptible to SIM swapping and phishing.

The Department of Justice and the FBI have reiterated their commitment to dismantling groups like Scattered Spider, regardless of where the members are located. "Cybercriminals who target American citizens and businesses from abroad may believe they are out of reach, but this case proves otherwise," a DOJ spokesperson noted following the plea. "We will use every tool at our disposal, including international partnerships and extradition treaties, to ensure that those who profit from digital theft are held accountable in a court of law."

As the August 2026 sentencing date approaches, the focus remains on the ongoing efforts to recover stolen assets and bring the remaining members of the Scattered Spider conspiracy to justice. For the victims—both the corporations whose reputations were tarnished and the individuals who lost their life savings—Buchanan’s guilty plea represents a significant, if delayed, measure of closure in one of the most prolific cybercrime sagas of the decade.
