
Scattered Spider Hacker Tyler Buchanan Pleads Guilty to $8M Crypto Theft and Corporate Computer Hacking


Key Findings


  • Tyler Robert Buchanan, 24, from Dundee, Scotland, pleaded guilty to hacking dozens of companies and stealing at least $8 million in cryptocurrency

  • Arrested in Spain in May 2024 after entering via Barcelona; extradited to US custody where he has remained since April 2025

  • Used SMS phishing campaigns targeting corporate employees between 2021 and 2023 to steal login credentials and access systems

  • Employed SIM swap attacks and intercepted two-factor authentication codes to breach cryptocurrency wallets and accounts

  • Faces up to 22 years in federal prison with sentencing scheduled for August 21, 2026

  • Second member of Scattered Spider to be convicted; multiple co-conspirators still facing charges or serving sentences


Background


Tyler Buchanan is a 24-year-old member of Scattered Spider, a cybercriminal group also known as UNC3944 and 0ktapus that has targeted hundreds of organizations over the past two years. Its victims include high-profile companies such as Twilio, LastPass, DoorDash, and Mailchimp. Scattered Spider operates within a broader criminal network called "The Com", where hackers boast about major thefts and coordinate activities. Buchanan's arrest resulted from a joint operation between the FBI and Spanish Police, who tracked him to Palma de Mallorca as he attempted to flee to Italy.


Phishing and Initial Access


Buchanan and his co-conspirators created sophisticated SMS phishing campaigns that impersonated trusted services. They sent mass text messages containing phishing links to corporate employees, tricking them into entering login credentials on fraudulent websites. The group developed phishing kits specifically designed to capture these credentials as victims typed them in. Once captured, the stolen usernames and passwords were transmitted to a Telegram channel administered by Buchanan and another accomplice, giving the entire operation real-time access to compromised accounts.


Corporate Breaches and Data Theft


Using the stolen credentials, Buchanan's network broke into corporate systems across multiple sectors. Inside these networks, they extracted sensitive information including intellectual property, proprietary material, and customer data. Police found files at his home in Scotland connected to numerous victim companies, indicating he maintained detailed records of their breaches. The group didn't just steal data for resale but strategically used corporate information to identify high-value individual targets with cryptocurrency assets.


Cryptocurrency Theft Methods


The conspiracy's most profitable element involved targeting individuals' cryptocurrency accounts. After gaining corporate access, the group pivoted to individual victims and used stolen data to identify people with significant crypto holdings. They conducted SIM swap attacks, convincing mobile carriers to transfer victims' phone numbers to their control. This allowed them to intercept two-factor authentication codes sent via SMS or phone calls, bypassing the two-factor protection on those accounts. Investigators discovered that Buchanan kept detailed records including names, addresses, login credentials, and cryptocurrency seed phrases on his devices.


Legal Consequences


Buchanan pleaded guilty to one count of conspiracy to commit wire fraud and one count of aggravated identity theft. He admitted to stealing at least $8 million in virtual currency from individual victims throughout the United States. The Department of Justice noted that actual losses likely exceed this figure when accounting for incident response costs, legal action, and reputational damage to affected companies. At his August 21 sentencing, he faces a statutory maximum of 22 years in federal prison.


Co-Conspirators' Status


Several members of the conspiracy have already faced consequences. Noah Michael Urban, known as "Sosa" and "Elijah," received a 10-year prison sentence and was ordered to pay $13 million in restitution. Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans still face ongoing legal proceedings. Buchanan's guilty plea marks the second major conviction of a Scattered Spider member, signaling increased pressure on the group from law enforcement.


