British National Pleads Guilty in U.S. to Leading Scattered Spider Cybercrime Operation, Orchestrating $8 Million Crypto Heist

A British national, identified as a key leader within the notorious Scattered Spider cybercrime collective, has entered a guilty plea in the United States to federal charges of wire fraud and aggravated identity theft. Tyler Robert Buchanan, 24, admitted his role in a sophisticated scheme that defrauded at least a dozen companies and individuals out of approximately $8 million in cryptocurrency between September 2021 and April 2023. This development marks a significant victory for U.S. law enforcement in their ongoing efforts to dismantle sophisticated transnational cybercriminal organizations.
The charges against Buchanan and his co-conspirators stem from a series of highly targeted phishing attacks that leveraged social engineering and SIM swapping techniques to compromise corporate accounts and illicitly transfer digital assets. The U.S. Department of Justice announced the plea in a statement on Friday, detailing the intricate methods employed by the group. Buchanan’s apprehension in June 2024 in Palma de Mallorca, Spain, followed an extensive investigation, and he has been in U.S. federal custody since April 2025, awaiting sentencing.
The scope of Scattered Spider’s criminal activities is extensive, impacting a diverse range of industries including entertainment, telecommunications, technology, business process outsourcing (BPO), information technology (IT) suppliers, cloud communications providers, and virtual currency providers. The group’s ability to penetrate such varied sectors underscores their adaptability and the pervasive threat they pose to global businesses.
The Mechanics of the Cybercrime Scheme
According to court documents, Buchanan and his associates meticulously planned and executed their attacks. A primary tactic involved the widespread distribution of Short Message Service (SMS) phishing messages, often referred to as "smishing." These messages were crafted to appear as legitimate communications from the victim companies themselves or from their trusted IT or BPO suppliers. The deceptive texts contained links that, when clicked, directed employees to sophisticated phishing websites designed to mimic authentic corporate portals.
"The SMS phishing messages contained links to phishing websites designed to look like legitimate websites of a victim company or a contracted IT or BPO supplier," the Justice Department stated. "The websites then lured the recipient into providing confidential information, including personal identifying information (PII), and account usernames and passwords."
Once this sensitive information was obtained, the cybercriminals escalated their attacks through SIM swapping. This technique involves tricking mobile carriers into transferring a victim’s phone number to a SIM card controlled by the attacker. By gaining control of a victim’s phone number, the hackers could bypass multi-factor authentication (MFA) protocols, which often rely on phone calls or SMS codes for verification. This access allowed them to hijack email accounts and, crucially, virtual currency wallets, enabling them to illicitly transfer millions of dollars in cryptocurrency to accounts under their control.

A Detailed Timeline of the Investigation and Apprehension
The investigation into Scattered Spider and its members has been a multi-year effort involving international cooperation. The indictment against Buchanan and four other suspects was unsealed in November 2024, detailing their alleged criminal enterprise.
- September 2021 – April 2023: The period during which Buchanan and his co-conspirators are accused of conducting their widespread phishing and SIM swapping attacks, stealing at least $8 million in cryptocurrency.
- June 2024: Buchanan is arrested in Palma de Mallorca, Spain, in connection with the ongoing investigation.
- November 2024: U.S. prosecutors formally accuse 24-year-old Tyler Robert Buchanan and four other suspects of the aforementioned crimes.
- April 2025: Buchanan is transferred to U.S. federal custody.
- August 21, 2026: Buchanan is scheduled to be sentenced. He faces a statutory maximum sentence of 22 years in prison.
The legal proceedings extend beyond Buchanan, with three of his alleged accomplices—Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans—also facing charges. They have been indicted for wire fraud, wire fraud conspiracy, and aggravated identity theft, carrying potential sentences of up to 20 years in federal prison if convicted.
Another key figure implicated in Scattered Spider’s operations, Noah Michael Urban, known online by aliases such as "Sosa" and "Elijah," has already faced judicial consequences. Urban pleaded guilty to wire fraud and conspiracy charges approximately one year prior to Buchanan’s plea and was subsequently sentenced to 10 years in prison. This sentence highlights the seriousness with which the justice system is treating the group’s activities.
The Scattered Spider Collective: A Multifaceted Threat
Scattered Spider, also recognized by various other monikers including 0ktapus, Scatter Swine, Octo Tempest, Starfraud, UNC3944, and Muddled Libra, is characterized as a loosely organized collective of English-speaking threat actors. The group’s membership is reportedly diverse, with some individuals as young as 16 years old. They leverage clandestine communication channels, including Telegram, Discord servers, and underground hacker forums, to coordinate their malicious activities.
The Federal Bureau of Investigation (FBI) has identified several key tactics employed by Scattered Spider, emphasizing their reliance on sophisticated social engineering and technical exploitation. These tactics include:
- Social Engineering: Manipulating individuals into divulging confidential information or performing actions that compromise security.
- Phishing and Smishing: Deceptive attempts to acquire sensitive information through fraudulent emails and text messages.
- Multi-Factor Authentication (MFA) Bombing: Overwhelming victims with repeated MFA requests to induce fatigue and eventual acceptance of a fraudulent prompt.
- SIM Swapping: A critical technique for bypassing MFA and gaining unauthorized access to accounts.
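
For defenders, the MFA bombing pattern in the list above (repeated prompts followed by an eventual acceptance) can be looked for in identity-provider logs. The following is an added example, not taken from the FBI or the Justice Department material; the event layout, field values, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, factor, result).
# The layout is an assumption; map your identity provider's fields onto it.
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:00", "bob", "push", "denied"),      # single mistake
    ("2024-01-10T09:00:20", "bob", "push", "approved"),
    ("2024-01-10T02:14:05", "alice", "push", "denied"),    # burst starts
    ("2024-01-10T02:14:40", "alice", "push", "denied"),
    ("2024-01-10T02:15:10", "alice", "push", "timeout"),
    ("2024-01-10T02:15:55", "alice", "push", "denied"),
    ("2024-01-10T02:16:30", "alice", "push", "denied"),
    ("2024-01-10T02:17:02", "alice", "push", "timeout"),
    ("2024-01-10T02:17:45", "alice", "push", "approved"),  # fatigue acceptance
    ("2024-01-10T08:00:00", "carol", "push", "denied"),    # spread out: benign
    ("2024-01-10T08:30:00", "carol", "push", "denied"),
    ("2024-01-10T09:30:00", "carol", "push", "denied"),
    ("2024-01-10T09:30:30", "carol", "push", "approved"),
]

REJECTED = {"denied", "timeout"}

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag bursts of rejected push prompts and approvals that follow them."""
    recent = defaultdict(deque)   # user -> times of rejected prompts in window
    findings = []
    for ts, user, factor, result in sorted(events):  # ISO strings sort by time
        if factor != "push":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[user]
        while q and now - q[0] > window:   # expire prompts older than window
            q.popleft()
        if result in REJECTED:
            q.append(now)
            if len(q) == threshold:        # alert once when the burst forms
                findings.append((user, "burst", ts, len(q)))
        elif result == "approved":
            if len(q) >= threshold:        # acceptance right after a burst
                findings.append((user, "approved_after_burst", ts, len(q)))
            q.clear()
    return findings

if __name__ == "__main__":
    for finding in detect_push_fatigue(SAMPLE_EVENTS):
        print(finding)
```

An "approved_after_burst" finding is the higher-priority signal, since it means a session was likely granted and should be reviewed and revoked if the user did not initiate it.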
Further complicating the threat landscape, some members of Scattered Spider are believed to be affiliated with "the Com," another hacking collective implicated in both violent incidents and cyberattacks. This overlap suggests a deeper and more dangerous interconnectedness within the cybercriminal underworld.
Partnerships and High-Profile Attacks
In recent years, Scattered Spider has forged alliances with several prominent Russian ransomware gangs, demonstrating a strategic partnership model within the cybercrime ecosystem. These collaborations have been observed with groups such as BlackCat/AlphV, Qilin, and RansomHub, amplifying the reach and impact of their attacks. This partnership with ransomware operators indicates a sophisticated understanding of the cybercrime economy, where different groups specialize in various stages of an attack, from initial compromise to data encryption and extortion.

The group has been linked to a series of high-profile breaches that have garnered significant media attention and caused substantial disruption to major corporations. These incidents include:
- MGM Resorts: A devastating ransomware attack in 2023 that crippled the hotel and casino giant’s operations for an extended period. A 17-year-old suspected Scattered Spider hacker linked to this attack was arrested by UK police in July 2024.
- Caesars Entertainment: Another major casino operator that fell victim to a cyberattack, reportedly involving data theft and a ransom demand.
- Riot Games: The developer of the popular game "League of Legends" experienced a breach where hackers threatened to leak stolen source code.
- MailChimp: The email marketing platform disclosed a breach after some of its employees were targeted.
- Twilio: A significant breach at the cloud communications provider was attributed to Scattered Spider, impacting numerous downstream clients.
- DoorDash: The food delivery service suffered a data breach that was subsequently linked to the Twilio hack.
- Reddit: The social media platform disclosed a security incident where hackers threatened to leak stolen data.
The sheer volume and prominence of these attacks underscore Scattered Spider’s status as one of the most active and disruptive cybercriminal organizations operating today. Their ability to consistently evade detection and execute complex attacks against well-resourced organizations highlights the ongoing challenges faced by cybersecurity professionals and law enforcement agencies worldwide.
Broader Implications and Future Outlook
The guilty plea by Tyler Robert Buchanan represents a significant step in the U.S. government’s strategy to hold cybercriminals accountable. It serves as a potent message to other actors within Scattered Spider and similar organizations that their actions will not go unpunished. The successful extradition and prosecution of an individual based in the UK further demonstrate the effectiveness of international law enforcement cooperation in combating transnational cybercrime.
However, the underlying vulnerabilities exploited by Scattered Spider remain a critical concern. The reliance on human error through social engineering, the persistent threat of SIM swapping, and the effectiveness of phishing attacks against even sophisticated organizations highlight the need for continuous improvement in cybersecurity awareness training, technical security controls, and authentication protocols.
The prosecution of Buchanan and his co-conspirators is unlikely to be the end of Scattered Spider’s activities. The group’s decentralized nature and the participation of young, adaptable individuals mean that new members can emerge, and existing ones can continue to operate. Nevertheless, the disruption caused by the arrests and legal proceedings may force the organization to regroup, potentially altering its tactics and targets.
The financial losses incurred by victim companies, estimated in the millions of dollars, underscore the tangible economic impact of cybercrime. Beyond direct financial losses, these breaches can lead to significant reputational damage, loss of customer trust, and substantial costs associated with incident response, forensic investigations, and system remediation.
As the cybersecurity landscape continues to evolve, with threat actors constantly developing new methods of attack, the defense against groups like Scattered Spider requires a multi-layered approach. This includes robust technical defenses, proactive threat intelligence gathering, strong international partnerships, and a sustained focus on educating individuals about the risks of cyber threats. The conviction of Buchanan is a crucial milestone, but the fight against sophisticated cybercriminal enterprises is an ongoing battle that demands constant vigilance and adaptation.




