Scattered Spider Member Pleads Guilty to Hacking Dozen Companies and Stealing $8 Million in Cryptocurrency

Tyler Robert Buchanan, a 24-year-old from Dundee, Scotland, has pleaded guilty in a California federal court to conspiracy to commit wire fraud and aggravated identity theft for his role in a hacking operation that breached at least twelve companies and stole $8 million in cryptocurrency from individual victims across the United States. Buchanan has been in federal custody since April 2025 and faces up to 22 years in prison at sentencing scheduled for August 21.

The operation, active from September 2021 to April 2023, targeted a cross-section of high-value industries including entertainment, telecommunications, technology, cloud communications, business process outsourcing, and cryptocurrency companies. Buchanan and his co-conspirators conducted mass SMS phishing campaigns, sending hundreds of messages to employees at target companies that impersonated the company itself or contracted IT suppliers. The messages directed victims to convincing replica websites designed to harvest login credentials and personal information.

Stolen credentials were funneled through a Telegram channel administered by Buchanan and another conspirator, giving the group real-time access to compromised accounts. From there, they accessed internal company systems to steal confidential work product, intellectual property, and employee PII including names, email addresses, phone numbers, and additional account credentials.

The group then pivoted from corporate intrusions to individual cryptocurrency theft. Using information harvested from company breaches, they identified and targeted victims' crypto wallets and accounts. To bypass two-factor authentication, they conducted SIM swap attacks — fraudulently convincing mobile carriers to reassign victims' phone numbers to attacker-controlled devices, allowing them to intercept authentication codes in real time.

When law enforcement searched Buchanan's residence in Scotland in April 2023, they found files related to numerous victim companies along with a text file containing cryptocurrency seed phrases and login credentials for at least one victim's account.

Buchanan is the latest member of the broader Scattered Spider ecosystem to face consequences. Co-conspirator Noah Michael Urban, 21, known online as "Sosa," is already serving a 10-year federal sentence and was ordered to pay $13 million in restitution after pleading guilty in April 2025. Three additional defendants — Ahmed Elbadawy, Evans Osiebo, and Joel Martin Evans — still face criminal charges.

Significance:

This prosecution continues the steady dismantling of Scattered Spider's operational network, one of the most prolific cybercrime groups targeting major enterprises over the past several years. The group's playbook — SMS phishing to credential theft to SIM swapping to crypto drainage — remains widely replicated across the cybercriminal ecosystem. The case also underscores how corporate breaches frequently serve as stepping stones to individual financial theft, with stolen employee data enabling downstream attacks on personal crypto holdings.
