April 21, 2026

A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors.

Buchanan’s hacker handle “Tylerb” once graced a leaderboard in the English-language criminal hacking scene that tracked the most accomplished cyber thieves. Now in U.S. custody and awaiting sentencing, the Dundee, Scotland native is facing the possibility of more than 20 years in prison.


Two photos published in a Daily Mail story dated May 3, 2025 show Buchanan as a child (left) and as an adult being detained by airport authorities in Spain. “M&S” in this screenshot refers to Marks & Spencer, a major U.K. retail chain that suffered a ransomware attack last year at the hands of Scattered Spider.

Scattered Spider is the name given to a prolific English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access.

As part of his guilty plea, Buchanan admitted conspiring with other Scattered Spider members to launch tens of thousands of SMS-based phishing attacks in 2022 that led to intrusions at a number of technology companies, including Twilio, LastPass, DoorDash, and Mailchimp.

The group then used data stolen in those breaches to carry out SIM-swapping attacks that siphoned funds from individual cryptocurrency investors. In an unauthorized SIM-swap, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls to the victim’s device — such as one-time passcodes for authentication and password reset links sent via SMS. The U.S. Justice Department said Buchanan admitted to stealing at least $8 million in virtual currency from individual victims throughout the United States.

FBI investigators tied Buchanan to the 2022 SMS phishing attacks after discovering the same username and email address were used to register numerous phishing domains seen in the campaign. The domain registrar NameCheap found that less than a month before the phishing spree, the account that registered those domains logged in from an Internet address in the U.K. FBI investigators said the Scottish police told them the address was leased to Buchanan throughout 2022.

As first reported by KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023, after a rival cybercrime gang hired thugs to invade his home, assault his mother, and threaten to burn him with a blowtorch unless he gave up the keys to his cryptocurrency wallet. That same year, U.K. investigators found a device at Buchanan’s Scotland residence that included data stolen from SMS phishing victims and seed phrases from cryptocurrency theft victims.

Buchanan was arrested by Spanish authorities in June 2024 while trying to board a flight to Italy. He was extradited to the United States and has remained in U.S. federal custody since April 2025.

Buchanan is the second known Scattered Spider member to plead guilty. Noah Michael Urban, 21, of Palm Coast, Fla., was sentenced to 10 years in federal prison last year and ordered to pay $13 million in restitution. Three other alleged co-conspirators — Ahmed Hossam Eldin Elbadawy, 24, a.k.a. “AD,” of College Station, Texas; Evans Onyeaka Osiebo, 21, of Dallas, Texas; and Joel Martin Evans, 26, a.k.a. “joeleoli,” of Jacksonville, North Carolina – still face criminal charges.

Two other alleged Scattered Spider members will soon be tried in the United Kingdom. Owen Flowers, 18, and Thalha Jubair, 20, are facing charges related to the hacking and extortion of several large U.K. retailers, the London transit system, and healthcare providers in the United States. Both have pleaded not guilty, and their trial is slated to begin in June.

Investigators say the Scattered Spider suspects are part of a sprawling cybercriminal community online known as “The Com,” wherein hackers from different cliques boast publicly on Telegram and Discord about high-profile cyber thefts that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.

One of the more popular SIM-swapping channels on Telegram has long maintained a leaderboard of the most rapacious SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That leaderboard previously listed Buchanan’s hacker alias Tylerb at #65 (out of 100 hackers), with Urban’s moniker “Sosa” coming in at #24.

Buchanan’s sentencing hearing is scheduled for August 21, 2026. According to the Justice Department, he faces a statutory maximum sentence of 22 years in federal prison. However, any sentence the judge hands down in this case may be significantly tempered by a number of mitigating factors in the U.S. Sentencing Guidelines, including the defendant’s age, criminal history, time already served in U.S. custody, and the degree to which they cooperated with federal authorities.


15 thoughts on “‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty”

  1. Joe T.

    “The domain registrar NameCheap found that less than a month before the phishing spree, the account that registered those domains logged in from an Internet address in the U.K.”

    Maybe I’m missing something, but it sounds like this POS was too lazy, too incompetent, too something, to use a freakin’ VPN – DUH. You know what they say about KARMA…

      1. Mike H.

        Sometimes. Not sure what you are asking. Sorta like asking if Tor works. Depends on what whoever uses the VPN is trying to accomplish?

  2. pray

    tyler b never leased those domains on his main internet ip address, if you believe this then there is no hope for you.

    the spanish polis said they seized $27mil and now he pleaded guilty to $8mil in america? so what abt the other unaccounted for money, it doesn’t really make a lot of sense,..

    1. mealy

      It says “at least” 8 million. Charges are only as good as evidence to prove beyond doubt.
      It also doesn’t say his “main” internet IP address, only that it was leased to him in 2022.
      Journalism can only supply as many facts as are available. Maybe his soft-VPN failed,
      maybe his IP was only exposed a handful of times, yet was enough to link it to him.
      Criminals make opsec mistakes all the time. That much is documented beyond doubt.
      I don’t see what you can’t fathom here.

    2. Wannabee

      Are we talking about the same person whose online pseudonym was his REAL first and middle name (Tyler B)? It’s not a particularly unrealistic jump to surmise that perhaps his operational security practices needed some improvement, and therefore that he may have been equally as lacking in it in other domains (such as hiding his IP address). If you believe that it’s possible for him to have used his real name but somehow not his real IP then there is no hope for you.

  3. Mike H.

    I have kind of been confused about most ransomware attempts since ca. 2010. Given the fact that blockchain is so eminently traceable (and linked to various strangers’ often unrelated comments, at times), it would seem to me to be difficult to do something like withdraw a lot of it, not to mention ‘launder’ it, more than once or twice. Then again, I am not sure much of it is about the money. Is it more like a competition? I am vaguely ignorant about the ransomware scene.

    1. asdf

      privacy chains like monero aren’t traceable as the transactions aren’t publicly viewable. If the goal is spending in real life almost always the funds are just channeled through sites like houdiniswap that allow large exchanges without KYC (e.g. on houdiniswap I have heard of up to 250k being swapped without any identification, fully automated). The real issue I think would be trying to come up with an explanation to the IRS or other relevant tax party as to where you spawned in 10 years of wage from.

      It also isn’t uncommon for the funds to be spent online in ways that don’t tie IRL at all. the OG username market is primarily driven by fraud, it isn’t uncommon for good telegram usernames to sell anywhere from 20-100k. Many of the accomplished criminals buy usernames like this as they hold their value and also are yet another way of flexing on the rest of the com, @dead on telegram has easily a million dollars worth of usernames tied to his account and another 1-2M spread across the channels he owns and uses as basically announcements when he is looking for databases to buy and then use in further cybercrime.

      as stupid as it sounds there is *some* value in owning gaudy usernames. Almost all of the com is just connections, if you are more known and visibly accomplished you are more likely to be trusted and will inevitably find other higher skilled people to work with opposed to 99% of the com which are nonamers and don’t have any way to “break in” and learn how to do said crimes.

  4. cartonio

    They just launder the money through many services like tornado cash and others, so the money becomes untraceable. There are also services that give you cash for bitcoin so you can withdraw money like that and then clean them in other ways. It’s not as hard as you think to launder crypto + you can buy stuff with crypto and then sell it again and boom, clean money. There were people buying NFTs priced at millions of dollars, just to launder the money, because they were buying the NFTs from themselves.

    1. Mike H.

      It isn’t really untraceable, though… Is it? I mean, every transaction is in the ledgers. Even assuming you attempt to tumble the hell out of it, I cannot imagine it would be able to be done repeatedly, for all that much money… No?

      Back when ransomware was sort of just starting out, and the ransoms were in the hundreds of dollars (and not yet crypto), there was already an issue with evidence trails. I would assume even if you just intend to use the cryptocurrency to purchase things, there is still a hefty audit trail (even putting aside the potential opsec issues)… including exact times and recipients.

      I am guessing someone could pull one or two ‘big money’ ones off, if they really planned, but — and I am not a cybercriminal (or a criminal at all, I guess?) — I would never touch that sort of thing, if I were one… especially with the AI stuff that is so tragically hip right now. I don’t even want to think about that, though. The Orwellian aspects of blockchain were enough to make me avoid it for a very long time now. Combining it with AI is ungood.

      I get what you are saying about ‘how’ it can be done, it just is kind of quite fallible, and relatively unanonymous, if you are planning to show up on anyone’s radar (I mean, it doesn’t even have to be a crime; there are certainly a lot of overly curious people and companies these days, even without that).

      Guessing, from my experience, within a couple of years a lot of corporations and banks will figure out the downsides of blockchain and AI. Ironically it is usually the criminal and underground economies that figure things like this out first.

  5. Sebastian

    “social engineering tactics” okay kid
    “to carry out SIM-swapping attacks” okay now it’s become interesting a little.
    “british computer geek” booooring (otherwise he doesn’t look like an immigrant)
    “As first reported by KrebsOnSecurity” makes sense now

  6. harpy

    Nothing like committing cyber crimes under a user handle that’s just your real name, lmao

