Scattered Spider member Tyler Buchanan pleads guilty to major crypto theft

Tyler Buchanan, linked to Scattered Spider, pleaded guilty in the US to hacking companies and stealing millions in cryptocurrency.

Tyler Buchanan, a 24-year-old from Scotland linked to the Scattered Spider group, admitted in a US court that he hacked dozens of companies, committed fraud, and stole millions in cryptocurrency. Spanish police arrested the British national who was suspected of being a key member of the cybercrime group Scattered Spider (also known as UNC3944, 0ktapus). The man was arrested in Palma de Mallorca while attempting to fly to Italy. During the arrest, police confiscated a laptop and a mobile phone. The arrest resulted from a joint operation conducted by the U.S. Federal Bureau of Investigation (FBI) and the Spanish Police.

Spanish police tracked the suspect to Mallorca after he entered Spain via Barcelona in late May 2024.

“A United Kingdom man pleaded guilty today to conspiring with others to hack into the computer systems of at least a dozen companies via text message phishing attacks and to steal at least $8 million in virtual currency from individual victims throughout the United States.” reads the press release published by DoJ. “Tyler Robert Buchanan, 24, of Dundee, Scotland, pleaded guilty to one count of conspiracy to commit wire fraud and one count of aggravated identity theft. “

Buchanan has stayed in U.S. custody since April 2025. Between 2021 and 2023, he and his group targeted companies and individuals across several sectors. They sent large SMS phishing campaigns that mimicked trusted services and tricked employees into sharing credentials and personal data. Using this access, they broke into corporate systems and stole sensitive information, including intellectual property and user data.

“The conspirators created a phishing kit that captured login credentials entered into the fraudulent phishing websites by a victim company’s employees.” continues the press release. “The stolen credentials were then transmitted to an online Telegram channel administered by Buchanan and another co-conspirator.”

Buchanan admitted he kept files linked to many victim companies at his home in Scotland. He and his accomplices used stolen data from corporate breaches to target individuals and access their cryptocurrency accounts and wallets, stealing millions. To do this, they broke into online accounts and carried out SIM swap attacks, taking control of victims’ phone numbers and intercepting two-factor authentication codes sent via SMS or calls. This let them bypass security protections and fully access accounts. Investigators also found sensitive data on his devices, including names, addresses, login credentials, and even cryptocurrency seed phrases tied to victims’ wallets, showing how the group combined corporate intrusions and personal targeting to maximize profits.

“Buchanan admitted in his plea agreement that the scheme involved the theft of at least $8 million worth of virtual currency assets from individual victims located throughout the United States.” concludes the press release. “United States District Judge John W. Holcomb scheduled an August 21 sentencing hearing, at which time Buchanan will face a statutory maximum sentence of 22 years in federal prison.”

Noah Michael Urban, also known as “Sosa” and “Elijah,” received a 10-year prison sentence and must pay $13 million in restitution after pleading guilty to fraud charges. Meanwhile, Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans have been charged in the same case and still face ongoing legal proceedings.

The cybercrime group Scattered Spider is suspected of hacking into hundreds of organizations over the past two years, including Twilio, LastPass, DoorDash, and Mailchimp.

Scattered Spider members are part of a broader cybercriminal community called “The Com,” where hackers brag about high-profile cyber thefts, typically initiated through social engineering tactics like phone, email, or SMS scams to gain access to corporate networks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cybercrime)