A 24-year-old British man who is a senior member of a cyber crime group “Scattered spider” pleaded guilty to conspiracy to defraud and aggravated identity theft. Tyler Robert Buchanan he admitted his role in a series of phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major tech companies and steal tens of millions of dollars in cryptocurrency from investors.
Buchanan hacker’s handle “Tylerb” once appeared on a leaderboard in the English crime scene tracking down the most active thieves on the internet.” Now in US custody awaiting sentencing, the Dundee, Scotland native faces the possibility of more than 20 years in prison.
Two photographs published in the Daily Mail story of May 3, 2025 show Buchanan as a child (left) and as an adult being detained by airport authorities in Spain. The “M&S” in this screenshot refers to Marks & Spencer, a major UK retail chain that was hit with ransomware last year at the hands of Scattered Spider.
Scattered Spider is the name given to an English-speaking cybercriminal group known for using social engineering techniques to hack into companies and steal data for ransom, often posing as employees or contractors to trick IT help desks into providing access.
As part of his plea, Buchanan admitted that he conspired with other members of Scattered Spider to carry out tens of thousands of phishing attacks in 2022 that led to the penetration of numerous technology companies, including Twilio, LastPass, DoorDash, and Mailchimp.
The group then used data stolen from that breach to carry out a SIM swap attack that took funds from individual cryptocurrency investors. In an unauthorized SIM swap, criminals transfer the target’s phone number to a device they control and intercept any text messages or phone calls on the victim’s device — such as one-time verification codes and password reset links sent via SMS. The US Department of Justice said Buchanan admitted to stealing at least $8 million in physical money from individual victims across the United States.
FBI investigators arrested Buchanan in the 2022 phishing attack after finding the same username and email address used to register several phishing domains seen in the campaign. Domain registrar The name is Cheap they discovered that less than a month before the phishing, an account that registered those domains was logged in from an internet address in the UK FBI investigators said Scottish police told them the address was known to Buchanan in mid-2022.
As first reported by KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023, after a rival cybercrime gang hired criminals to raid his home, attack his mother, and threaten to burn him with a torch unless he gave up the keys to his cryptocurrency wallet. That same year, UK investigators found a device at Buchanan’s residence in Scotland that combined data stolen from SMS phishing victims with seed phrases from cryptocurrency theft victims.
Buchanan was arrested by Spanish authorities in June 2024 as he attempted to board a flight to Italy. He was extradited to the United States and remains in US government custody since April 2025.
Buchanan is the second known Scattered Spider member to plead guilty. Noah Michael Urban21, from Palm Coast, Fla., was sentenced to 10 years in federal prison last year and ordered to pay $13 million in restitution. Three other accused conspirators— Ahmed Hossam Eldin Elbadawy24, aka “AD,” of College Station, Texas; Evans Onyeaka Osiebo21, from Dallas, Texas; again Joel Martin Evans26, also known as “joeleoli,” from Jacksonville, North Carolina – is still facing criminal charges.
Two other members of the Scattered Spider will soon be on trial in the United Kingdom. Owen’s Flowers18, again Thalha Jubair20, are facing charges related to the robbery and extortion of several UK supermarkets, London’s transport system, and healthcare providers in the United States. Both have pleaded not guilty, and their trial is expected to begin in June.
Investigators say the Scattered Spider suspects are part of a criminal online community known as “Com,” where criminals from different genres brag publicly on Telegram and Discord about sophisticated cybercrimes that almost always begin with social engineering — tricking people by phone, email or SMS into providing credentials that allow remote access to corporate internal networks.
One of the most popular SIM-swapping channels on Telegram has long maintained a leaderboard of the most malicious SIM-swappers, identified by their perceived success in stealing cryptocurrency. That leaderboard previously listed Buchanan’s shooter Tylerb at #65 (out of 100 hackers), with Urban’s moniker “Sosa” coming in at #24.
Buchanan’s sentencing hearing is scheduled for August 21, 2026. According to the Department of Justice, he faces a maximum statutory sentence of 22 years in federal prison. However, any sentence a judge hands down in this case may be greatly reduced by a number of mitigating factors in the US Sentencing Guidelines, including the defendant’s age, criminal history, time already incarcerated in the US, and the extent to which they have cooperated with federal authorities.
