
A 23-year-old Scottish man considered a member of the prolific Scattered Spider cybercrime group was extradited final week from Spain to the USA, the place he’s dealing with costs of wire fraud, conspiracy and id theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of corporations in the USA and overseas, and that he personally managed greater than $26 million stolen from victims.
Scattered Spider is a loosely affiliated felony hacking group whose members have damaged into and stolen knowledge from among the world’s largest expertise corporations. Buchanan was arrested in Spain final 12 months on a warrant from the FBI, which needed him in reference to a collection of SMS-based phishing assaults in the summertime of 2022 that led to intrusions at Twilio, LastPass, DoorDash, Mailchimp, and plenty of different tech corporations.

Tyler Buchanan, being escorted by Spanish police on the airport in Palma de Mallorca in June 2024.
As first reported by KrebsOnSecurity, Buchanan (a.ok.a. “tylerb”) fled the UK in February 2023, after a rival cybercrime gang employed thugs to invade his house, assault his mom, and threaten to burn him with a blowtorch except he gave up the keys to his cryptocurrency pockets. Buchanan was arrested in June 2024 on the airport in Palma de Mallorca whereas making an attempt to board a flight to Italy. His extradition to the USA was first reported final week by Bloomberg.
Members of Scattered Spider have been tied to the 2023 ransomware assaults in opposition to MGM and Caesars casinos in Las Vegas, nevertheless it stays unclear whether or not Buchanan was implicated in that incident. The Justice Division’s criticism in opposition to Buchanan makes no point out of the 2023 ransomware assault.
Somewhat, the investigation into Buchanan seems to heart on the SMS phishing campaigns from 2022, and on SIM-swapping assaults that siphoned funds from particular person cryptocurrency buyers. In a SIM-swapping assault, crooks switch the goal’s telephone quantity to a tool they management and intercept any textual content messages or telephone calls to the sufferer’s gadget — together with one-time passcodes for authentication and password reset hyperlinks despatched by way of SMS.
In August 2022, KrebsOnSecurity reviewed knowledge harvested in a months-long cybercrime marketing campaign by Scattered Spider involving numerous SMS-based phishing assaults in opposition to workers at main firms. The safety agency Group-IB known as them by a unique identify — 0ktapus, as a result of the group sometimes spoofed the id supplier Okta of their phishing messages to workers at focused corporations.

A Scattered Spider/0Ktapus SMS phishing lure despatched to Twilio workers in 2022.
The criticism in opposition to Buchanan (PDF) says the FBI tied him to the 2022 SMS phishing assaults after discovering the identical username and e-mail handle was used to register quite a few Okta-themed phishing domains seen within the marketing campaign. The area registrar NameCheap discovered that lower than a month earlier than the phishing spree, the account that registered these domains logged in from an Web handle within the U.Ok. FBI investigators mentioned the Scottish police advised them the handle was leased to Buchanan from January 26, 2022 to November 7, 2022.
Authorities seized at the very least 20 digital units after they raided Buchanan’s residence, and on a kind of units they discovered usernames and passwords for workers of three completely different corporations focused within the phishing marketing campaign.
“The FBI’s investigation thus far has gathered proof displaying that Buchanan and his co-conspirators focused at the very least 45 corporations in the USA and overseas, together with Canada, India, and the UK,” the FBI criticism reads. “One among Buchanan’s units contained a screenshot of Telegram messages between an account identified for use by Buchanan and different unidentified co-conspirators discussing dividing up the proceeds of SIM swapping.”
U.S. prosecutors allege that data obtained from Discord confirmed the identical U.Ok. Web handle was used to function a Discord account that specified a cryptocurrency pockets when asking one other consumer to ship funds. The criticism says the publicly out there transaction historical past for that fee handle exhibits roughly 391 bitcoin was transferred out and in of this handle between October 2022 and
February 2023; 391 bitcoin is presently value greater than $26 million.
In November 2024, federal prosecutors in Los Angeles unsealed felony costs in opposition to Buchanan and 4 different alleged Scattered Spider members, together with Ahmed Elbadawy, 23, of Faculty Station, Texas; Joel Evans, 25, of Jacksonville, North Carolina; Evans Osiebo, 20, of Dallas; and Noah City, 20, of Palm Coast, Florida. KrebsOnSecurity reported final 12 months that one other suspected Scattered Spider member — a 17-year-old from the UK — was arrested as a part of a joint investigation with the FBI into the MGM hack.
Mr. Buchanan’s court-appointed lawyer didn’t reply to a request for remark. The accused faces costs of wire fraud conspiracy, conspiracy to acquire data by pc for personal monetary achieve, and aggravated id theft. Convictions on the latter cost carry a minimal sentence of two years in jail.
Paperwork from the U.S. District Court docket for the Central District of California point out Buchanan is being held with out bail pending trial. A preliminary listening to within the case is slated for Could 6.