
Scattered Spider Member Pleads Guilty in $8 Million SMS Phishing and Crypto Theft Scheme

Updated April 24, 2026 at 08:01 PM (19 sources)

Tyler Robert Buchanan, a 24-year-old British national from Dundee, Scotland, pleaded guilty in U.S. federal court in California to conspiracy to commit wire fraud and aggravated identity theft for his role in Scattered Spider’s large-scale social-engineering operation. Prosecutors said Buchanan and co-conspirators ran SMS phishing campaigns from September 2021 to April 2023 that impersonated corporate IT help desks and labor providers, used fake login pages and stolen credentials, and carried out SIM swapping to breach companies and individuals. The Justice Department said the scheme stole at least $8 million in virtual currency from U.S. victims across telecommunications, technology, cloud communications, outsourcing, gaming, and cryptocurrency sectors.

Investigators tied Buchanan to the 2022 0ktapus campaign, which used fake Okta login pages to compromise more than 130 organizations, including Twilio and Cloudflare, and enabled downstream attacks affecting other major brands. Authorities said stolen credentials were funneled into a Telegram channel administered by Buchanan and an associate, and searches of his residence in Scotland uncovered victim company files, personal data, and roughly 20 devices. Buchanan was arrested in Palma de Mallorca by Spanish authorities, extradited to the United States, and has been in federal custody since April 2025; he now faces up to 22 years in prison, underscoring continued law-enforcement pressure on the loosely organized Scattered Spider group, an offshoot of The Com.

Timeline

  1. Apr 17, 2026

    DOJ announces guilty plea and August sentencing date

    The U.S. Department of Justice publicly announced Buchanan's guilty plea and said sentencing was scheduled for August 21. Prosecutors stated he faces up to 22 years in prison.

  2. Apr 17, 2026

    Buchanan pleads guilty in U.S. federal court

    On April 17, 2026, Buchanan pleaded guilty in U.S. federal court in California to conspiracy to commit wire fraud and aggravated identity theft. He admitted participating in SMS phishing operations that impersonated corporate IT help desks or labor providers and were linked to at least $8 million in stolen cryptocurrency.

  3. Apr 1, 2025

    Buchanan is extradited from Spain and enters U.S. federal custody

    By April 2025, Buchanan had been extradited from Spain to the United States and was in federal custody. U.S. authorities pursued charges tied to conspiracy, identity theft, phishing, and cryptocurrency theft.

  4. Nov 1, 2024

    U.S. unseals charges against Buchanan and four alleged associates

    In November 2024, U.S. authorities unsealed charges against Tyler Buchanan and four other alleged members tied to the Scattered Spider-linked phishing and cryptocurrency theft scheme. The case expanded the public legal action beyond Buchanan alone.

  5. Jun 15, 2024

    Spanish authorities arrest Tyler Buchanan in Palma de Mallorca

    Spanish authorities arrested Buchanan in Palma de Mallorca while he was allegedly attempting to board a flight to Italy. Reporting in June 2024 identified him as a suspected leading member of the Scattered Spider cybercrime group.

  6. May 25, 2024

    U.S. criminal complaint against Buchanan is filed

    A U.S. criminal complaint in the Central District of California was filed against Buchanan in connection with the Scattered Spider-linked phishing and cryptocurrency theft scheme. The referenced complaint document is dated May 25, 2024.

  7. Jan 1, 2023

    Police Scotland seizes devices from Buchanan's residence

    In 2023, Police Scotland seized about 20 devices from Buchanan's residence in Scotland. Investigators said the devices contained files related to numerous victim companies and data on individual victims.

  8. Jan 1, 2022

    Fake Okta phishing campaign compromises 130+ organizations

    In 2022, Buchanan was tied by the FBI to a phishing campaign using fake Okta login pages, widely associated with Scattered Spider and 0ktapus. The operation compromised more than 130 organizations, including Twilio and Cloudflare, and enabled downstream attacks on other victims.

  9. Sep 1, 2021

    Scattered Spider phishing and crypto theft scheme begins

    From September 2021, Tyler Buchanan and co-conspirators began a large-scale SMS phishing, credential theft, and SIM-swapping campaign targeting companies and individuals. Prosecutors said the scheme ultimately stole at least $8 million in cryptocurrency from U.S. victims.


Related Stories

US Charges Alleged Scattered Spider Member Arrested in Finland

U.S. prosecutors have charged 19-year-old dual U.S.-Estonian citizen Peter Stokes, allegedly a member of the **Scattered Spider** cybercrime group who used the alias `Bouquet`, after his arrest in Finland on April 10. According to reports citing court records, Stokes was detained while allegedly attempting to board a flight to Tokyo and now faces wire fraud, conspiracy, and computer intrusion charges in a sealed six-count complaint, with U.S. authorities seeking his extradition to Chicago. Investigators allege he took part in at least four intrusions, including a 2023 breach of an online communications platform and other attacks carried out while he was still a teenager. The complaint links Stokes to Scattered Spider operations that relied on help-desk social engineering, credential resets, MFA fatigue, and SMS phishing to gain access to major corporate environments. One 2025 intrusion described in the filings allegedly targeted a multibillion-dollar luxury retailer, where attackers obtained administrator access, claimed to have stolen **100 GB** of data, and issued an **$8 million** extortion demand, causing more than **$2 million** in losses. The case adds to broader law-enforcement pressure on the financially motivated group, also tracked as **Octo Tempest**, which has been tied to intrusions affecting MGM Resorts, Caesars, Twilio, Reddit, Riot Games, Mailchimp, DoorDash, Harrods, Marks & Spencer, WestJet, and Jaguar Land Rover.

2 days ago

California Man Sentenced for Laundering Millions From Social-Engineering Crypto Heists

Evan Tangeman, a 22-year-old from Newport Beach, California, was sentenced to 70 months in prison after pleading guilty to a `RICO` conspiracy tied to a cybercriminal network that stole roughly **$230 million to $260 million** in cryptocurrency from victims. Prosecutors said Tangeman laundered at least **$3.5 million** between October 2023 and May 2025 for the group, which allegedly stole more than **4,100 Bitcoin** from a Washington, D.C., victim in August 2024 and used the proceeds to fund luxury homes, private jets, high-end vehicles, private security, and other lavish purchases. Authorities said the organization, identified by law enforcement as the **Social Engineering Enterprise**, targeted wealthy cryptocurrency holders using stolen and dark-web-sourced data, spoofed phone numbers, impersonation of Google and Gemini support staff, and remote-access tools including **AnyDesk** to obtain Bitcoin Core private keys. Investigators alleged the group then obscured the proceeds through mixers, exchanges, peel chains, pass-through wallets, and VPNs, while Tangeman also helped rent properties under false identities and destroy devices after arrests of key members. Another alleged launderer, **Kunal Mehta**, has also pleaded guilty and is awaiting sentencing.

2 days ago

Scattered Spider-Linked Teenagers Plead Not Guilty to Transport for London Cyberattack

Two British teenagers, Thalha Jubair and Owen Flowers, have pleaded not guilty to charges stemming from a cyberattack on Transport for London (TfL) in August 2024. The attack, attributed to the Scattered Spider hacking collective, caused significant disruption to TfL's online services and internal systems, impairing the agency's ability to process refunds, and was initially believed not to have compromised customer data. However, a later update from TfL confirmed that customer information, including names, addresses, and contact details, was exposed during the breach. Both suspects were arrested by the UK National Crime Agency and City of London Police, and the charges they face are among the most severe under English law for cyber offenses, carrying a maximum sentence of life imprisonment. In addition to the TfL incident, Owen Flowers faces further charges for allegedly conspiring to attack the networks of SSM Health Care Corporation and Sutter Health in the United States, while Thalha Jubair is also charged with refusing to provide device passcodes to investigators. The U.S. Department of Justice has unsealed a complaint against Jubair for related computer crimes. The case highlights the international scope of the investigation and the serious legal consequences for those accused of high-impact cyberattacks targeting critical infrastructure and healthcare organizations.

1 month ago
