What happened
Tyler Robert Buchanan, 24, of Dundee, Scotland, pleaded guilty on Friday in U.S. federal court to conspiracy to commit wire fraud and aggravated identity theft in connection with a cybercrime campaign that stole at least $8 million in cryptocurrency from companies and individuals.
Buchanan was previously identified as a suspected ringleader of Scattered Spider, a loosely organized hacking collective known for sophisticated social engineering. He was arrested at Palma Airport in Spain in June 2024 and has been in U.S. federal custody since April 2025. Sentencing is scheduled for later this year, with a maximum penalty of 22 years in prison.
According to court documents, Buchanan and co-conspirators sent hundreds of SMS phishing messages to employees, impersonating legitimate company communications and third-party service providers. Victims who clicked the fraudulent links were directed to spoofed websites that harvested login credentials, which were then shared across messaging platforms to coordinate intrusions. In some cases, attackers recovered cryptocurrency seed phrases and account credentials from seized devices. The campaign targeted at least a dozen companies across telecommunications, technology, and virtual currency services, as well as individual victims.
Buchanan was also named as part of the group responsible for the ransomware attack on MGM Resorts. One co-defendant, Noah Michael Urban, is currently serving a 10-year federal sentence after pleading guilty last April. Three other alleged co-conspirators remain awaiting prosecution.
Who is affected
Corporate victims span multiple sectors, including telecommunications, technology, and cryptocurrency services. Individual victims were also targeted, in some cases losing cryptocurrency holdings through credential and seed phrase theft. The full scope of organizational victims has not been publicly enumerated.
Why CISOs should care
Scattered Spider’s effectiveness has never been about technical sophistication. It’s about fluency. Native English speakers impersonating IT staff or third-party vendors over SMS, phone, and chat is a harder problem to solve than patching a CVE. The MGM breach alone cost hundreds of millions of dollars in operational disruption. The guilty plea is a meaningful enforcement outcome, but the tactics are well-documented and widely replicated. Any organization that hasn’t stress-tested its helpdesk and identity verification procedures against social engineering scenarios is still vulnerable to the same playbook, regardless of what happens to Buchanan.
3 practical actions
- Harden identity verification at the helpdesk: Implement strict out-of-band verification requirements before any account resets, MFA changes, or credential modifications are processed, since these are the exact entry points Scattered Spider exploited across multiple victims.
- Run smishing simulations against your workforce: Standard phishing simulations that focus on email miss the SMS vector entirely — test whether employees recognize and report credential-harvesting texts impersonating internal IT or third-party providers.
- Audit shared credential access across messaging platforms: Court documents indicate stolen credentials were distributed through online messaging channels to coordinate intrusions; review whether your organization has controls in place to detect unusual credential sharing or bulk authentication activity across accounts.
