British Cybercriminal 'Tylerb' Admits Role in Scattered Spider Phishing Scheme

Overview of the Guilty Plea

A 24-year-old British national and senior figure in the notorious cybercrime collective known as Scattered Spider has entered a guilty plea to charges of wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan, who operated under the hacker alias "Tylerb," admitted to orchestrating a series of text-message phishing attacks during the summer of 2022. These attacks enabled the group to breach at least a dozen major technology companies and steal tens of millions of dollars in cryptocurrency from investors.

British Cybercriminal 'Tylerb' Admits Role in Scattered Spider Phishing Scheme — Source: krebsonsecurity.com

Buchanan's alias once appeared on a leaderboard within the English-speaking criminal hacking community, tracking the most prolific cyber thieves. Now in U.S. custody and awaiting sentencing, the native of Dundee, Scotland, faces a potential prison term exceeding 20 years.

The Phishing Campaign

As part of his guilty plea, Buchanan confessed to conspiring with other Scattered Spider members to launch tens of thousands of SMS-based phishing attacks in 2022. These attacks targeted and successfully breached several technology companies, including Twilio, LastPass, DoorDash, and Mailchimp. The group then leveraged data stolen from these breaches to execute SIM-swapping attacks, siphoning funds from individual cryptocurrency investors.

In a typical SIM swap, criminals transfer the target's phone number to a device they control, intercepting text messages and phone calls—including one-time passcodes for authentication and password reset links sent via SMS. The U.S. Justice Department stated that Buchanan admitted to stealing at least $8 million in virtual currency from victims across the United States.

Investigation and Evidence

FBI investigators linked Buchanan to the 2022 SMS phishing attacks after discovering that the same username and email address were used to register numerous phishing domains associated with the campaign. Domain registrar NameCheap reported that less than a month before the phishing spree, the account used to register those domains logged in from an internet address in the U.K. FBI investigators noted that Scottish police confirmed the address was leased to Buchanan throughout 2022.

Personal Consequences and Flight

As first reported by KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023 after a rival cybercrime gang hired thugs to invade his home, assault his mother, and threaten to burn him with a blowtorch unless he surrendered the keys to his cryptocurrency wallet. Later that year, U.K. investigators found a device at Buchanan's residence that contained evidence of his criminal activities. Two photographs published in a Daily Mail article dated May 3, 2025, show Buchanan as a child and as an adult being detained by airport authorities in Spain. The abbreviation "M&S" in the screenshot referred to Marks & Spencer, a major U.K. retail chain that suffered a ransomware attack last year at the hands of Scattered Spider.

Scattered Spider: A Profile

Scattered Spider is the label assigned to a prolific English-speaking cybercrime group known for using social engineering tactics to infiltrate companies and steal data for ransom. The group often impersonates employees or contractors to deceive IT help desks into granting access. Their methods have made them a significant threat to corporate and individual cybersecurity.

Sentencing and Broader Implications

Buchanan currently awaits sentencing, with the possibility of more than 20 years in prison. His case highlights the ongoing battle against cybercrime and the international cooperation required to bring perpetrators to justice. The guilty plea serves as a warning to other members of Scattered Spider and similar groups that law enforcement agencies are increasingly capable of tracking and prosecuting such offenses.

For more details on the initial investigation, see the Investigation and Evidence section above. The case underscores the importance of robust cybersecurity measures and public awareness in combating phishing and SIM-swapping attacks.