From Phishing to Prison: A Forensic Breakdown of the Scattered Spider Cybercrime Operation
<h2>Overview</h2>
<p>In May 2025, a 24-year-old British national known by the handle 'Tylerb' pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan, a senior member of the prolific English-speaking cybercrime group Scattered Spider, admitted orchestrating a series of SMS-based phishing attacks in the summer of 2022 that compromised at least a dozen major technology companies—including Twilio, LastPass, DoorDash, and Mailchimp—and resulted in the theft of tens of millions of dollars in cryptocurrency from individual investors. This tutorial dissects the attack chain used by Scattered Spider, from social engineering to SIM swapping, and extracts actionable lessons for security professionals. By examining Buchanan's methods and his eventual capture, we aim to fortify defenses against similar threats.</p><figure style="margin:20px 0"><img src="https://krebsonsecurity.com/wp-content/uploads/2021/03/kos-27-03-2021.jpg" alt="From Phishing to Prison: A Forensic Breakdown of the Scattered Spider Cybercrime Operation" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: krebsonsecurity.com</figcaption></figure>
<h2>Prerequisites</h2>
<p>To fully benefit from this guide, you should be familiar with basic cybersecurity concepts such as phishing, two-factor authentication (2FA), and SIM swapping. Basic knowledge of domain registration and IP tracking will help, but we explain key terms as we go. No advanced technical skills required—just a curiosity about how real-world cybercrime operations unfold.</p>
<h2>Step-by-Step Breakdown of the Scattered Spider Attack Chain</h2>
<h3>1. Reconnaissance and Target Selection</h3>
<p>Scattered Spider focused on technology companies with high-value customer data, such as authentication tokens and cryptocurrency exchange credentials. They researched employee directories and corporate structures via LinkedIn and other public sources to identify help desk personnel and contractors.</p>
<h3>2. SMS Phishing Campaigns</h3>
<p>In 2022, Buchanan and his co-conspirators launched tens of thousands of SMS-based phishing messages. These texts appeared to come from internal IT departments and urged recipients to click a link to verify their account or reset a password. The links led to fake login pages that captured credentials and one-time passcodes.</p>
<p><strong>Example phishing text:</strong> "[Company Name] Security Alert: Your account requires re-authentication. Please visit [malicious link] within 24 hours to avoid suspension."</p>
<h3>3. Credential Harvesting and Lateral Movement</h3>
<p>Using stolen employee credentials, the attackers logged into internal VPNs and email systems. They impersonated the victims when contacting help desks, often requesting password resets or MFA token reassignments. This social engineering granted them broader access to customer databases.</p>
<h3>4. Data Exfiltration and SIM Swapping</h3>
<p>From the compromised companies, Scattered Spider extracted personally identifiable information (PII) of cryptocurrency investors, including phone numbers, email addresses, and wallet details. They then performed SIM swapping: contacting mobile carriers while impersonating the victim and requesting a SIM card transfer. Once the target's phone number was linked to the attacker's device, they intercepted SMS-based 2FA codes and password reset links for crypto exchanges and wallets.</p>
<h3>5. Cryptocurrency Theft</h3>
<p>With control over the victim's phone number and accounts, the attackers logged into exchanges, bypassed existing security, and transferred digital assets to wallets they controlled. Buchanan alone admitted to stealing at least $8 million in virtual currency from victims across the United States.</p>
<h2>Forensic Traces: How Investigators Caught the Attackers</h2>
<h3>Domain Registration and IP Leakage</h3>
<p>FBI investigators tied Buchanan to the 2022 SMS phishing attacks after discovering that the same username and email address were used to register numerous phishing domains. The domain registrar NameCheap provided logs showing that less than a month before the phishing spree, the account logged in from an IP address in the United Kingdom. Scottish police confirmed the IP was leased to Buchanan throughout 2022.</p><figure style="margin:20px 0"><img src="https://krebsonsecurity.com/wp-content/uploads/2026/04/dailymail-tylerb.png" alt="From Phishing to Prison: A Forensic Breakdown of the Scattered Spider Cybercrime Operation" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: krebsonsecurity.com</figcaption></figure>
<h3>Physical Confrontation and Flight</h3>
<p>As first reported by KrebsOnSecurity, Buchanan fled the UK in February 2023 after a rival cybercrime gang burglarized his home, assaulted his mother, and threatened him with a blowtorch to force him to hand over his cryptocurrency wallet keys. This incident accelerated law enforcement interest.</p>
<h3>Arrest in Spain</h3>
<p>Buchanan was eventually detained by airport authorities in Spain (as shown in a Daily Mail photo from May 3, 2025). He now awaits sentencing in U.S. custody and faces more than 20 years in prison.</p>
<h2>Common Mistakes Made by Scattered Spider (and Lessons for Defenders)</h2>
<h3>Mistake 1: Reusing Identifiers Across Platforms</h3>
<p>The attackers used the same username and email for multiple phishing domain registrations. This allowed investigators to connect the dots across different domains and tie them to a single actor.</p>
<p><strong>Lesson:</strong> Security teams should monitor for repeated patterns in domain registrations and correlate them with known threat actor identifiers.</p>
<h3>Mistake 2: Failing to Obfuscate IP Locations</h3>
<p>Buchanan logged into the domain registrar from an IP address directly associated with him. Even basic proxy or VPN use could have obscured his location, but he did not mask it effectively.</p>
<p><strong>Lesson:</strong> For defenders, logging and analyzing IP addresses tied to administrative actions can reveal attacker infrastructure.</p>
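<p>As an added example (not code from the article or from any investigation), the following Python carries out the pivot both lessons above describe: it clusters registrar records by any shared username or email address and lists the login IPs each cluster exposes. Every field name and record is a constructed assumption.</p>

```python
# Added example (not from the article): pivoting on shared registrar identifiers.
# Field names and every sample record below are constructed for illustration.
from collections import defaultdict
SAMPLE_RECORDS = [  # constructed registrar account records, one per domain
    {"domain": "corp-sso-verify.test", "username": "acct_a", "email": "a@mail.test", "login_ip": "198.51.100.10"},
    {"domain": "corp-it-reset.test", "username": "acct_a", "email": "a@mail.test", "login_ip": "198.51.100.10"},
    {"domain": "corp-helpdesk.test", "username": "acct_b", "email": "a@mail.test", "login_ip": "203.0.113.7"},
    {"domain": "unrelated-shop.test", "username": "acct_c", "email": "c@mail.test", "login_ip": "192.0.2.5"},
]
PIVOT_KEYS = ("username", "email")  # the identifiers the article says were reused


def cluster_domains(records, keys=PIVOT_KEYS):
    """Group domains whose records share any (key, value) pair, via union-find.
    A domain under acct_b but with acct_a's contact email joins acct_a's cluster."""
    parent = {}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the trees shallow
            x = parent[x]
        return x
    first_seen = {}  # (key, value) -> first domain registered with that value
    for rec in records:
        dom = rec["domain"]
        parent.setdefault(dom, dom)
        for pair in ((k, rec[k]) for k in keys if rec.get(k)):
            if pair in first_seen:
                ra, rb = find(first_seen[pair]), find(dom)
                if ra != rb:
                    parent[rb] = ra  # merge the two clusters
            else:
                first_seen[pair] = dom
    groups = defaultdict(set)
    for dom in parent:
        groups[find(dom)].add(dom)
    return sorted(groups.values(), key=lambda s: (-len(s), min(s)))


def infrastructure_leads(records, keys=PIVOT_KEYS):
    """For each cluster of two or more domains, collect the identifiers and login
    IPs that tie it together: the leads to request subscriber records for."""
    by_domain = {r["domain"]: r for r in records}
    leads = []
    for group in (g for g in cluster_domains(records, keys) if len(g) > 1):
        recs = [by_domain[d] for d in group]
        leads.append({"domains": sorted(group),
                      "identifiers": {k: sorted({r[k] for r in recs if r.get(k)}) for k in keys},
                      "login_ips": sorted({r["login_ip"] for r in recs if r.get("login_ip")})})
    return leads
```

<p>Real registrar or WHOIS exports will need their column names mapped onto these fields before the clustering is meaningful.</p>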
<h3>Mistake 3: Overreliance on Social Engineering Without Backup Plans</h3>
<p>When the rival gang attacked Buchanan physically, he had no contingency to protect his digital assets or personal safety. The group's focus on social engineering made them vulnerable to counter-social engineering from competitors.</p>
<p><strong>Lesson:</strong> Organizations should prepare for physical threats to employees who handle sensitive data, and extend security awareness training to threats outside the workplace.</p>
<h2>Summary</h2>
<p>Scattered Spider's attack campaign, epitomized by Tyler Buchanan's guilty plea, demonstrates the devastating combination of social engineering, phishing, and SIM swapping. Their success hinged on exploiting human trust at help desks and mobile carriers. However, sloppy operational security—reusing usernames, connecting from personal IPs—allowed law enforcement to dismantle the group. Security professionals can mitigate similar risks by enforcing strong MFA, educating help desk staff on social engineering red flags, and monitoring for anomalous domain registrations. The case serves as a stark reminder that even sophisticated cybercriminals make mistakes that can lead to long prison sentences.</p>