The Downfall of 'Tylerb': Inside the Scattered Spider Cybercrime Kingpin's Guilty Plea

In a landmark case against one of the most notorious English-speaking cybercrime groups, a 24-year-old British national known as 'Tylerb' has admitted to orchestrating a series of devastating SMS phishing attacks. Tyler Robert Buchanan, a senior member of the 'Scattered Spider' collective, pleaded guilty to wire fraud conspiracy and aggravated identity theft. His attacks targeted major technology companies and cryptocurrency investors, causing tens of millions of dollars in losses. Now in U.S. custody, Buchanan faces decades behind bars. This Q&A explores the key details of his crimes, the group's methods, and the investigation that brought him down.

Who Is 'Tylerb' and What Was His Role in Scattered Spider?

Tyler Robert Buchanan, also known by the hacker handle 'Tylerb,' was a senior member of the cybercrime group Scattered Spider. Originally from Dundee, Scotland, Buchanan started his criminal career as a teenager, quickly climbing the ranks of an English-language hacking leaderboard that tracked the most prolific cyber thieves. By 2022, he was a key figure in orchestrating phishing campaigns that targeted help desks and IT support teams. His specialty was social engineering—impersonating employees or contractors to trick companies into granting access to internal systems. Buchanan's guilty plea reveals he coordinated with other members to launch tens of thousands of SMS-based phishing attacks, which served as the gateway for larger data breaches and cryptocurrency thefts.

Source: krebsonsecurity.com

What Charges Did Buchanan Plead Guilty To?

Buchanan pleaded guilty to two serious federal crimes: wire fraud conspiracy and aggravated identity theft. Wire fraud conspiracy involves using electronic communications to deceive victims for financial gain—in his case, through phishing texts and SIM-swapping attacks. Aggravated identity theft applies because he used stolen personal information (such as names, passwords, and phone numbers) to access accounts without authorization. Each charge carries severe penalties; combined, Buchanan faces a potential sentence of over 20 years in a U.S. federal prison. The Justice Department emphasized that his crimes targeted both corporations and individual investors, causing widespread financial harm.

How Did Scattered Spider's SMS Phishing Attacks Work?

The group's modus operandi involved sending massive numbers of text messages—often posing as legitimate IT support or security alerts—to employees of targeted companies. These messages contained links to fake login pages that harvested credentials. Once inside, Buchanan and his accomplices moved laterally through networks to steal sensitive data, including customer databases and internal authentication tokens. They then used that data to execute SIM-swapping attacks: they transferred victims' phone numbers to devices controlled by the group, intercepting one-time passcodes sent via SMS. This allowed them to reset passwords and drain cryptocurrency wallets. The U.S. Justice Department confirmed that Buchanan alone admitted to stealing at least $8 million in virtual currency from individual victims across the United States.

Which Major Companies Were Targeted?

The phishing campaign in the summer of 2022 successfully breached at least a dozen prominent technology firms. Among the most notable were Twilio, LastPass, DoorDash, and Mailchimp. These intrusions allowed the group to harvest massive amounts of user data, including email addresses, password hashes, and API keys. The breach at LastPass, for example, exposed encrypted vaults and led to a wave of subsequent targeted attacks on cryptocurrency investors. The group also infiltrated other unnamed tech firms, siphoning intellectual property and customer information. The attack on Twilio alone affected hundreds of accounts and compromised two-factor authentication messages used by other services.


How Did the FBI Track Down Buchanan?

Investigators linked Buchanan to the phishing campaign through digital breadcrumbs. The FBI discovered that the same username and email address had been used to register dozens of phishing domain names just weeks before the attacks began. The domain registrar NameCheap provided logs showing that the account logged in from an IP address in the United Kingdom. Scottish police confirmed that the address was leased to Buchanan throughout 2022. This evidence, combined with analysis of the phishing links and stolen data, built a strong case. Buchanan was eventually arrested in Spain while attempting to flee, as shown in a Daily Mail photo of him being detained by airport authorities.

What Caused Buchanan to Flee the United Kingdom?

According to reporting by KrebsOnSecurity, Buchanan fled the U.K. in February 2023 after a violent incident. A rival cybercrime gang hired thugs to invade his home, assault his mother, and threaten to burn him with a blowtorch unless he handed over the keys to his cryptocurrency wallet. Fearing for his safety, Buchanan left the country. However, his escape was short-lived. U.K. investigators later found a device belonging to Buchanan at his residence, which contained additional evidence of his crimes. The assault highlights the dangerous rivalries within the cybercriminal underworld, where betrayals and turf wars often spill into real-world violence.

What Sentence Does Buchanan Face, and What Happens Next?

Buchanan is currently in U.S. custody awaiting sentencing. The maximum penalty for wire fraud conspiracy is 20 years in federal prison, while aggravated identity theft carries a mandatory minimum of two years, served consecutively to any other sentence. Given the scale of the crimes (stealing millions from individuals and compromising Fortune 500 companies), prosecutors are likely to seek a sentence near the upper end. Buchanan's sentencing hearing is expected within the next few months. The case serves as a warning that even sophisticated cybercriminals operating from abroad can be brought to justice through international cooperation between law enforcement agencies like the FBI, Scottish police, and Spanish authorities.
