Scattered Spider Member ‘Tylerb’ Admits Guilt in Major Cybercrime Case

A 24-year-old British national described as a key figure in the cybercrime group known as “Scattered Spider” has pleaded guilty to charges of wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted that he helped orchestrate a wave of text-message phishing attacks in the summer of 2022, which enabled the group to compromise at least a dozen major technology companies and steal tens of millions of dollars in cryptocurrency from investors.

Operating under the alias “Tylerb,” Buchanan once appeared on a leaderboard in English-speaking cybercriminal circles that ranked prolific SIM swappers and online thieves. Now in U.S. custody and awaiting sentencing, the Dundee, Scotland native faces a potential sentence of more than 20 years in federal prison.

From online notoriety to international arrest

Images published in a May 3, 2025 Daily Mail story showed Buchanan both as a child and as an adult being detained by airport authorities in Spain. The article linked him to attacks on major organizations, including Marks & Spencer, a prominent U.K. retailer that suffered a ransomware incident attributed to Scattered Spider.

Scattered Spider is the label given to a highly active, English-speaking cybercrime crew known for using social engineering to infiltrate corporate networks. Members often impersonate employees or contractors, tricking IT help desks into granting access or resetting credentials, and then monetizing stolen data through extortion, fraud, or resale.

Phishing campaigns against major tech firms

As part of his plea, Buchanan acknowledged working with other Scattered Spider members to send tens of thousands of SMS phishing messages in 2022. These campaigns targeted employees at several technology companies, including Twilio, LastPass, DoorDash, and Mailchimp, and ultimately led to successful intrusions at multiple firms.

The stolen data from these breaches became fuel for large-scale SIM-swapping operations. In a SIM-swap attack, criminals transfer a victim’s phone number to a device they control, allowing them to intercept calls and text messages—especially one-time passcodes and password reset links sent via SMS. According to the U.S. Department of Justice, Buchanan admitted that these schemes enabled him and his co-conspirators to steal at least $8 million in virtual currency from victims across the United States.

How investigators connected ‘Tylerb’ to the attacks

FBI investigators linked Buchanan to the 2022 phishing campaigns after discovering that the same username and email address were used to register numerous phishing domains involved in the attacks. The domain registrar NameCheap reported that, less than a month before the phishing spree, the account responsible for registering those domains logged in from a U.K.-based IP address.

Scottish authorities later informed the FBI that this internet address was leased to Buchanan throughout 2022. This technical evidence, combined with data recovered from devices seized in the U.K., helped solidify the case tying him to the broader Scattered Spider operation.

Violence, flight, and extradition

Buchanan’s story took a darker turn in early 2023. As previously reported by KrebsOnSecurity, he fled the United Kingdom in February of that year after a rival cybercrime group allegedly sent attackers to his home. The intruders reportedly assaulted his mother and threatened to burn him with a blowtorch unless he surrendered access to his cryptocurrency wallets.

Later in 2023, U.K. investigators searching Buchanan’s residence in Scotland discovered a device containing data stolen from SMS phishing victims, as well as seed phrases linked to cryptocurrency thefts. In June 2024, Spanish authorities arrested Buchanan at an airport while he attempted to board a flight to Italy. He was subsequently extradited to the United States and has been held in federal custody since April 2025.

Other Scattered Spider members facing justice

Buchanan is the second known member of Scattered Spider to plead guilty. In a separate case, 21-year-old Noah Michael Urban of Palm Coast, Florida, received a 10-year federal prison sentence and was ordered to pay $13 million in restitution for his role in similar schemes.

Several alleged co-conspirators remain under indictment. Authorities have charged Ahmed Hossam Eldin Elbadawy, 24, also known as “AD,” of College Station, Texas; Evans Onyeaka Osiebo, 21, of Dallas, Texas; and Joel Martin Evans, 26, known online as “joeleoli,” of Jacksonville, North Carolina. All three still face criminal proceedings in the United States.

Upcoming trials in the United Kingdom

Two additional suspects believed to be associated with Scattered Spider are scheduled to stand trial in the U.K. later this year. Eighteen-year-old Owen Flowers and 20-year-old Thalha Jubair are accused of participating in hacks and extortion attempts targeting major U.K. retailers, the London transit system, and healthcare providers in the United States.

Both defendants have pleaded not guilty, and their joint trial is expected to begin in June. The case is being closely watched, as it highlights the international reach of the group and the growing willingness of authorities to coordinate across borders in cybercrime investigations.

‘The Com’ and the culture of online bragging

Investigators say the Scattered Spider suspects are part of a broader online cybercriminal ecosystem often referred to as “The Com.” Within this loose community, hackers from various crews congregate on platforms like Telegram and Discord, where they openly boast about high-profile intrusions and thefts.

Many of these operations begin with social engineering—convincing targets over the phone, via email, or through SMS to reveal credentials or approve access that grants attackers a foothold inside corporate networks. One popular SIM-swapping channel on Telegram even maintains a public leaderboard ranking the most aggressive cryptocurrency thieves. Buchanan’s alias “Tylerb” previously appeared at #65 on that list, while Urban’s handle “Sosa” ranked at #24.

Sentencing and possible mitigating factors

Buchanan’s sentencing hearing is currently scheduled for August 21, 2026. The Justice Department notes that he faces a statutory maximum of 22 years in federal prison based on the charges to which he has pleaded guilty.

However, the final sentence will depend on how the judge applies the U.S. Sentencing Guidelines. Factors such as Buchanan’s age, prior criminal history, time already spent in custody, and the extent of his cooperation with investigators could all influence the outcome. Whatever the final term, his case underscores how quickly online notoriety in cybercrime circles can give way to long prison sentences and lasting consequences in the real world.