
Scattered Spider Member Pleads Guilty to $8 Million Crypto Heist


How do dozens of short, seemingly harmless text messages become the keys to tens of millions of dollars in stolen cryptocurrency? That question sits at the center of the guilty plea entered this spring by a 24‑year‑old British national identified in court filings as a senior member of the cybercrime group known as "Scattered Spider."

From leaderboard fame to a federal courtroom

Tyler Robert Buchanan — who used the hacker handle "Tylerb" and once appeared on an English‑language SIM‑swapping leaderboard — pleaded guilty to wire fraud conspiracy and aggravated identity theft. In his plea, Buchanan admitted that he and others ran a campaign of tens of thousands of SMS‑based phishing attacks in the summer of 2022 that led to intrusions at numerous technology companies, including Twilio, LastPass, DoorDash and Mailchimp.

The Justice Department said Buchanan's activities helped fuel breaches that enabled SIM‑swapping attacks, through which attackers transfer a victim’s phone number to a device they control and intercept authentication texts and password resets. Federal prosecutors also said Buchanan admitted to stealing at least $8 million in virtual currency from victims across the United States; authorities have tied the broader series of crimes to the theft of tens of millions of dollars’ worth of cryptocurrency from investors.

How investigators pieced together the campaign

Federal investigators traced Buchanan to the campaign after finding the same username and email address used to register multiple phishing domains tied to the attacks. The domain registrar NameCheap reported that, less than a month before the phishing spree, the account that created those domains logged in from an Internet address in the United Kingdom. Scottish police told FBI investigators that the address was leased to Buchanan throughout 2022.

U.K. investigators later found a device at Buchanan’s Scotland residence containing data stolen from SMS‑phishing victims and seed phrases from cryptocurrency wallets. KrebsOnSecurity reported that Buchanan fled the United Kingdom in February 2023 after a rival criminal group allegedly hired attackers to assault his mother and threaten him in an attempt to seize his wallet keys.

Arrest, extradition and the international trail

Spanish authorities arrested Buchanan in June 2024 while he was trying to board a flight to Italy; he was extradited to the United States and has remained in U.S. federal custody since April 2025. Two photos published by the Daily Mail in May 2025 show Buchanan as a child and later being detained by airport authorities in Spain.

Prosecutors have scheduled Buchanan’s sentencing hearing for August 21, 2026. The Justice Department has said he faces a statutory maximum of 22 years in federal prison, though the U.S. Sentencing Guidelines list several mitigating factors that could significantly reduce any sentence — including his age, criminal history, time already served in custody, and the extent of his cooperation with authorities.

Scattered Spider and a larger online ecosystem

Scattered Spider has been described as a prolific English‑speaking cybercrime group that specializes in social engineering: impersonating employees or contractors to trick corporate IT help desks into granting access. Investigators say Scattered Spider’s members are active within a sprawling cybercriminal community online known as "The Com," where hackers on Telegram and Discord boast about high‑profile thefts that often begin with phone calls, emails or SMS lures.

One popular Telegram SIM‑swapping channel reportedly maintained a leaderboard that once listed Buchanan’s alias at #65 (out of 100), while another member, Noah Michael Urban — who pleaded guilty earlier — ranked #24. Urban, 21, of Palm Coast, Florida, was sentenced last year to 10 years in federal prison and ordered to pay $13 million in restitution.

Co‑defendants and parallel prosecutions

Buchanan is the second known Scattered Spider member to plead guilty in the United States. Several alleged co‑conspirators remain charged: Ahmed Hossam Eldin Elbadawy, 24, of College Station, Texas; Evans Onyeaka Osiebo, 21, of Dallas; and Joel Martin Evans, 26, of Jacksonville, North Carolina. Two other alleged members — Owen Flowers, 18, and Thalha Jubair, 20 — face charges in the United Kingdom related to the hacking and extortion of several large British retailers, the London transit system, and health‑care providers in the United States; both have pleaded not guilty and have a trial slated to begin in June.

Why the case matters to companies, users and policymakers

The Buchanan plea crystallizes how social engineering and relatively low‑tech vectors like SMS can unlock far larger, high‑value thefts when attackers gain access to corporate systems that control account recovery and communications. For technologists, the breaches cited in the indictment — affecting service providers and tooling vendors — highlight the systemic risk that a single channel of operational access can pose across customer bases and third‑party dependencies.

For policymakers and corporate leaders, the case raises questions about how authentication and help‑desk procedures can be hardened to resist impersonation and coercion, and whether regulatory or industry standards should more strongly emphasize multi‑factor methods that do not rely on intercepted SMS. For users, the painful lesson is that protecting seed phrases, recovery emails, and phone numbers is not an abstract best practice but a frontline defense against theft.

What comes next and the broader risk

With Buchanan awaiting sentencing and several co‑defendants still facing charges on both sides of the Atlantic, the Scattered Spider saga is not yet concluded. Prosecutors will weigh cooperation and sentencing guidelines; investigators will press remaining cases; and the broader online communities in which these actors operate will continue to evolve.

The larger question is whether law enforcement, technology firms and the public will close the gap between social‑engineering attacks and the systemic vulnerabilities they exploit — before the next campaign of texts, phishes and SIM swaps drains more wallets. If a few thousand words and a handful of intercepted SMS messages could produce tens of millions in losses, how much more is at stake if both attackers and the systems they target scale up?

Original story on KrebsOnSecurity