British Scattered Spider Hacker Pleads Guilty in $8M Crypto Theft

Tyler Robert Buchanan, 24, from Dundee, Scotland, pleaded guilty on 17 April 2026 in an Orange County federal court to conspiracy to commit wire fraud and aggravated identity theft. He and his co-conspirators stole at least $8 million in cryptocurrency from companies and individuals across the US between September 2021 and April 2023. Buchanan faces a maximum sentence of 22 years when he appears before a judge on 21 August 2026. His co-conspirator Noah Urban was sentenced in August 2025 to 10 years in federal prison and ordered to pay $13 million in restitution — the clearest signal yet that US prosecutors are successfully dismantling Scattered Spider’s core membership.

The average eCrime breakout time dropped to just 29 minutes in 2025, a 65% decrease from the prior year, according to CrowdStrike’s 2026 Global Threat Report. Buchanan’s operation shows why that speed matters: once attackers have a victim’s phone number, the window between initial compromise and cryptocurrency theft can be measured in minutes.

What Buchanan actually did

Court documents show Buchanan admitted to sending hundreds of SMS phishing messages impersonating targeted companies’ IT helpdesks and outsourced labour providers. The FBI tied him to a summer 2022 campaign using fake Okta authentication pages that breached more than 130 organisations, including Twilio and Cloudflare. Police Scotland searched his Dundee address in April 2023, seizing approximately 20 devices after tracing an IP address linked to domains designed to mimic telecommunications companies, cryptocurrency exchanges, and technology firms.

The operation combined SMS phishing with SIM swapping — where attackers convince mobile carriers to transfer a victim’s phone number to an attacker-controlled device. Once they controlled a victim’s number, the group intercepted two-factor authentication codes from cryptocurrency exchanges and digital wallets, bypassing SMS-based security controls entirely.

SIM swapping succeeds because it targets telecoms customer service processes, not software. Attackers call carriers armed with personal information harvested from data breaches, social media, and data broker services, then impersonate account holders to request SIM transfers. Representatives approve these requests without adequate verification. The attacker now receives every SMS sent to that number — including authentication codes for every financial account the victim holds.

Scattered Spider has a specific structural advantage here. The group is structured as a loose collective whose members are often native English speakers, which significantly enhances their ability to carry out social engineering attacks against US targets. They can convincingly impersonate employees when calling carrier support lines — something automated attack tools cannot replicate.

Scattered Spider’s reconnaissance relies heavily on exposed employee data — personal information circulating on dark web forums, paste sites, and credential marketplaces that they use to build convincing impersonation profiles before contacting carriers. CybelAngel’s Credential Intelligence solution continuously scans these sources, alerting security teams when employee credentials or personal data appear in places Scattered Spider actively monitors.

How Scattered Spider has evolved since these attacks

The crimes Buchanan pleaded guilty to date from 2021 to 2023. The group has moved on considerably since then. Throughout 2025, Scattered Spider’s strategy remained consistent: tricking help desks and employees into offering access, then jumping straight into cloud applications to steal sensitive data. In May 2025 the group was linked to attacks on UK retailers including Marks & Spencer, Co-op, and Harrods.

A collective including Scattered Spider, LAPSUS$, and ShinyHunters was forged in 2025, creating multiple shared Telegram channels — less a formal merger than a reflection of how these crews share members, tooling, and tactics while maintaining pressure on high-value targets. The combination adds data theft capabilities from ShinyHunters to Scattered Spider’s social engineering expertise.

Despite mounting arrests, these groups remain loose and flexible — even when members are taken down, the operation continues, with new participants filling roles rather than the group shutting down.

Three actions security teams should take now

  • Replace SMS-based MFA immediately: this is the primary control Scattered Spider’s entire operation depends on bypassing. Move to app-based authenticators, hardware security keys, or FIDO2/WebAuthn. Attackers cannot intercept these through SIM swapping regardless of what personal information they obtain beforehand.
  • Establish carrier verification protocols for critical accounts: contact your mobile carriers and set up additional authentication requirements for any SIM change request on accounts tied to executives, treasury staff, and cryptocurrency traders. Most carriers offer this — most organisations haven’t requested it.
  • Monitor for exposed employee personal information: Scattered Spider’s reconnaissance pulls from data breaches, social media, and data broker services to build convincing impersonation profiles before contacting carriers. CybelAngel’s Dark Web Monitoring tracks the forums, marketplaces, and paste sites where this data circulates — surfacing employee exposure before it becomes the intelligence package behind a SIM swap attempt. Our REACT team verifies findings and flags what needs immediate action.
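One way to scope the first two actions, as an added example that is not part of the original article: audit an export of enrolled MFA factors and list every account that still has a phone-bound factor, including accounts where SMS or voice survives only as a fallback next to a stronger factor. The CSV layout, factor names and role labels are assumptions made for this sketch, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample export; the column names and role labels are assumptions,
# not any real identity provider's schema.
SAMPLE_EXPORT = """user,role,factors
alice@example.com,treasury,webauthn;sms
bob@example.com,engineer,totp
carol@example.com,executive,sms
dave@example.com,engineer,webauthn;voice
erin@example.com,helpdesk,
frank@example.com,crypto_trader,totp;webauthn
"""

PHONE_BOUND = {"sms", "voice"}  # delivered to the phone number, so exposed by a SIM swap
HIGH_RISK_ROLES = {"executive", "treasury", "crypto_trader"}  # assumed labels for the roles named above
SEVERITY = {"no_mfa": 0, "phone_only": 1, "phone_fallback": 2}


def classify(factors):
    """Return a finding label for one account, or None if nothing is phone-bound."""
    if not factors:
        return "no_mfa"
    phone = factors & PHONE_BOUND
    if not phone:
        return None
    # A strong factor does not help while a phone-bound one is still enrolled,
    # assuming the login flow accepts any enrolled factor.
    return "phone_only" if phone == factors else "phone_fallback"


def audit(export_text):
    """Return (user, role, finding, priority) tuples, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        factors = {f.strip().lower() for f in row["factors"].split(";") if f.strip()}
        finding = classify(factors)
        if finding is None:
            continue
        role = row["role"].strip().lower()
        priority = "high" if role in HIGH_RISK_ROLES else "normal"
        findings.append((row["user"], role, finding, priority))
    findings.sort(key=lambda f: (f[3] != "high", SEVERITY[f[2]], f[0]))
    return findings


if __name__ == "__main__":
    for user, role, finding, priority in audit(SAMPLE_EXPORT):
        print(f"{priority:6} {finding:14} {role:14} {user}")
```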

Scattered Spider is a financially motivated cybercrime collective active since May 2022. The group specialises in social engineering — particularly SIM swapping, SMS phishing, and MFA push bombing — to steal credentials and cryptocurrency from US and UK companies. Members are predominantly native English speakers, which makes their impersonation attempts unusually convincing against US targets.

Buchanan pleaded guilty on 17 April 2026 to one count of conspiracy to commit wire fraud and one count of aggravated identity theft. He faces sentencing on 21 August 2026 with a maximum penalty of 22 years in federal prison.

An attacker calls a mobile carrier, impersonates the account holder using harvested personal data, and requests a SIM transfer. Once approved, the attacker receives all SMS messages sent to that number — including authentication codes — giving them access to any account protected by SMS-based two-factor authentication.

Replace SMS-based MFA with FIDO2/WebAuthn hardware keys or app-based authenticators. Set up additional carrier verification protocols for critical accounts. Monitor for exposed employee personal data used in social engineering reconnaissance.

Noah Urban was sentenced in August 2025 to 10 years in prison and $13 million in restitution. Three others — Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans — face pending charges.
