‘Scattered Spider’ Leader ‘Tylerb’ Admits Guilt in Cryptocurrency Heist

A 24-year-old British national who operated under the hacker alias 'Tylerb' has admitted to his role in a series of cyberattacks that targeted major technology companies and drained millions from cryptocurrency investors. Tyler Robert Buchanan, a senior member of the notorious group Scattered Spider, pleaded guilty to charges of wire fraud conspiracy and aggravated identity theft in a U.S. court.

The Guilty Plea and Charges

Buchanan, originally from Dundee, Scotland, confessed to orchestrating a campaign of text-message phishing attacks during the summer of 2022. These attacks enabled Scattered Spider to breach the networks of at least a dozen prominent tech firms, including Twilio, LastPass, DoorDash, and Mailchimp. The group then leveraged stolen data to execute SIM-swapping schemes, ultimately stealing tens of millions of dollars in virtual currency.

According to the U.S. Department of Justice, Buchanan admitted to personally siphoning at least $8 million from individual victims across the United States. He now faces the possibility of more than 20 years in federal prison when sentenced.

The Phishing Campaign and Tech Company Breaches

As part of his plea, Buchanan acknowledged launching tens of thousands of SMS-based phishing messages in 2022. These messages mimicked legitimate communications from trusted organizations, tricking employees at major technology companies into revealing credentials or granting access to internal systems.

The breaches at Twilio, LastPass, DoorDash, and Mailchimp were among the most damaging. Scattered Spider used the stolen information to infiltrate other accounts, often impersonating employees or contractors to deceive IT help desks. This social engineering tactic proved highly effective, allowing the group to move laterally within corporate networks and exfiltrate sensitive data.

SIM-Swapping and Cryptocurrency Theft

With credentials in hand, Buchanan and his accomplices turned to SIM-swapping. In this attack, criminals transfer a victim's phone number to a device they control, intercepting any text messages or calls—including one-time passcodes for authentication and password reset links. This gave them access to cryptocurrency exchange accounts and digital wallets.

The group targeted individual investors, draining funds from wallets and exchanges before victims could react. Buchanan's role included orchestrating the phishing that enabled these swaps, as well as directly handling stolen cryptocurrency.

How Investigators Traced the Hacker

The Federal Bureau of Investigation connected Buchanan to the 2022 phishing spree through digital breadcrumbs. The same username and email address used to register numerous phishing domains appeared in the campaign. The domain registrar NameCheap revealed that the account logged in from a U.K. internet address shortly before the attacks. Scottish police confirmed that the address was leased to Buchanan throughout 2022.

Buchanan's hacker handle 'Tylerb' had previously appeared on a leaderboard for English-speaking cybercriminals, tracking top thieves. That notoriety may have contributed to his downfall, as investigators monitored his online activity.

The Dangers of Social Engineering

Scattered Spider is known for its sophisticated use of social engineering. Members often pose as employees or contractors to manipulate help desks into granting access. In Buchanan's case, the group's methods extended to real-world threats. In February 2023, he fled the United Kingdom after a rival cybercrime gang invaded his home, assaulted his mother, and threatened to burn him with a blowtorch unless he surrendered his cryptocurrency wallet keys.

Later that year, U.K. investigators found a device at Buchanan's residence that contained evidence linking him to the phishing domains. The discovery further solidified the case against him.

Sentencing and Ongoing Threat

Buchanan is currently in U.S. custody awaiting sentencing. The charges carry a maximum penalty of over 20 years in prison. His case highlights the international reach of cybercrime and the effectiveness of cooperation between U.S. and U.K. law enforcement.

Scattered Spider remains an active threat. Last year, the group was linked to a ransomware attack on Marks & Spencer, a major U.K. retail chain. Buchanan's guilty plea is a significant blow, but experts warn that similar groups continue to operate, using the same social engineering tactics to target companies and individuals worldwide.

Two photos published in the Daily Mail in May 2025 show Buchanan as a child and as an adult being detained by airport authorities in Spain—a stark reminder of how far-reaching cybercrime consequences can be.