Scattered Spider Member Pleads Guilty in $8 Million SMS Phishing and Crypto Theft Scheme
Tyler Robert Buchanan, a 24-year-old British national from Dundee, Scotland, pleaded guilty in U.S. federal court in California to conspiracy to commit wire fraud and aggravated identity theft for his role in Scattered Spider’s large-scale social-engineering operation. Prosecutors said Buchanan and co-conspirators ran SMS phishing campaigns from September 2021 to April 2023 that impersonated corporate IT help desks and labor providers, used fake login pages and stolen credentials, and carried out SIM swapping to breach companies and individuals. The Justice Department said the scheme stole at least $8 million in virtual currency from U.S. victims across telecommunications, technology, cloud communications, outsourcing, gaming, and cryptocurrency sectors.
Investigators tied Buchanan to the 2022 0ktapus campaign, which used fake Okta login pages to compromise more than 130 organizations, including Twilio and Cloudflare, and enabled downstream attacks affecting other major brands. Authorities said stolen credentials were funneled into a Telegram channel administered by Buchanan and an associate, and searches of his residence in Scotland uncovered victim company files, personal data, and roughly 20 devices. Buchanan was arrested in Palma de Mallorca by Spanish authorities, extradited to the United States, and has been in federal custody since April 2025; he now faces up to 22 years in prison, underscoring continued law-enforcement pressure on the loosely organized Scattered Spider group, an offshoot of The Com.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
DOJ announces guilty plea and August sentencing date
The U.S. Department of Justice publicly announced Buchanan's guilty plea and said sentencing was scheduled for August 21. Prosecutors stated he faces up to 22 years in prison.
Buchanan pleads guilty in U.S. federal court
On April 17, 2026, Buchanan pleaded guilty in U.S. federal court in California to conspiracy to commit wire fraud and aggravated identity theft. He admitted participating in SMS phishing operations that impersonated corporate IT help desks or labor providers and were linked to at least $8 million in stolen cryptocurrency.
Buchanan is extradited from Spain and enters U.S. federal custody
By April 2025, Buchanan had been extradited from Spain to the United States and was in federal custody. U.S. authorities pursued charges tied to conspiracy, identity theft, phishing, and cryptocurrency theft.
U.S. unseals charges against Buchanan and four alleged associates
In November 2024, U.S. authorities unsealed charges against Tyler Buchanan and four other alleged members tied to the Scattered Spider-linked phishing and cryptocurrency theft scheme. The case expanded the public legal action beyond Buchanan alone.
Spanish authorities arrest Tyler Buchanan in Palma de Mallorca
Spanish authorities arrested Buchanan in Palma de Mallorca while he was allegedly attempting to board a flight to Italy. Reporting in June 2024 identified him as a suspected leading member of the Scattered Spider cybercrime group.
U.S. criminal complaint against Buchanan is filed
A U.S. criminal complaint in the Central District of California was filed against Buchanan in connection with the Scattered Spider-linked phishing and cryptocurrency theft scheme. The referenced complaint document is dated May 25, 2024.
Police Scotland seizes devices from Buchanan's residence
In 2023, Police Scotland seized about 20 devices from Buchanan's residence in Scotland. Investigators said the devices contained files related to numerous victim companies and data on individual victims.
Fake Okta phishing campaign compromises 130+ organizations
In 2022, Buchanan was tied by the FBI to a phishing campaign using fake Okta login pages, widely associated with Scattered Spider and 0ktapus. The operation compromised more than 130 organizations, including Twilio and Cloudflare, and enabled downstream attacks on other victims.
Scattered Spider phishing and crypto theft scheme begins
From September 2021, Tyler Buchanan and co-conspirators began a large-scale SMS phishing, credential theft, and SIM-swapping campaign targeting companies and individuals. Prosecutors said the scheme ultimately stole at least $8 million in cryptocurrency from U.S. victims.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
19 references tracked. Mallory keeps watching after this page renders.
Scattered Spider co-conspirator pleads guilty | CSO Online
csoonline.com
Open sourceGuilt admitted by British hacker in $8M crypto theft scheme | brief | SC Media
scworld.com
Open sourceScottish man pleads guilty to attack spree that created Scattered Spider’s notoriety | CyberScoop
cyberscoop.com
Open sourceBritish National Admits Hacking Companies and Stealing Millions in Virtual Currency
cybersecuritynews.com
Open sourceAlleged Boss of ‘Scattered Spider’ Hacking Group Arrested - Krebs on Security
krebsonsecurity.com
Open sourceUnclassified
ismg-cdn.nyc3.cdn.digitaloceanspaces.com
Open sourceUnclassified
ismg-cdn.nyc3.cdn.digitaloceanspaces.com
Open sourceUnclassified
ismg-cdn.nyc3.cdn.digitaloceanspaces.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
US Charges Five Alleged Scattered Spider Members Over SMS Phishing and Crypto Theft
U.S. prosecutors unsealed charges against five men allegedly linked to the **Scattered Spider** cybercrime ecosystem, accusing them of running a large-scale scheme that used SMS phishing, spoofed login pages, social engineering, stolen employee credentials, email hijacking, and SIM swapping to compromise companies and individuals. Court filings say the operation targeted technical employees across the United States between September 2021 and April 2023, enabling the theft of non-public corporate data, personal identifiers, and **millions of dollars in cryptocurrency**. Four suspects were charged in the United States with conspiracy to commit wire fraud, while a separate complaint was filed against a fifth defendant in the United Kingdom. The case adds to mounting law-enforcement scrutiny of Scattered Spider, a loose English-speaking threat actor network also tracked under multiple aliases and associated with the broader **"Com"** ecosystem. Authorities and researchers have linked the group to high-profile intrusions and collaborations with ransomware operations including **BlackCat/ALPHV**, **Qilin**, and **RansomHub**, as well as incidents affecting MGM Resorts, Clorox, Snowflake-linked victims, and later investigations into the hacks at **Marks & Spencer** and **Co-op**. The charges mark a significant escalation in efforts to disrupt a group known for blending phishing, identity takeover, and extortion-focused intrusion tactics.
May 25, 2026
US Charges Alleged Scattered Spider Member Arrested in Finland
U.S. prosecutors have charged 19-year-old dual U.S.-Estonian citizen Peter Stokes, allegedly a member of the **Scattered Spider** cybercrime group who used the alias `Bouquet`, after his arrest in Finland on April 10. According to reports citing court records, Stokes was detained while allegedly attempting to board a flight to Tokyo and now faces wire fraud, conspiracy, and computer intrusion charges in a sealed six-count complaint, with U.S. authorities seeking his extradition to Chicago. Investigators allege he took part in at least four intrusions, including a 2023 breach of an online communications platform and other attacks carried out while he was still a teenager. The complaint links Stokes to Scattered Spider operations that relied on help-desk social engineering, credential resets, MFA fatigue, and SMS phishing to gain access to major corporate environments. One 2025 intrusion described in the filings allegedly targeted a multibillion-dollar luxury retailer, where attackers obtained administrator access, claimed to have stolen **100 GB** of data, and issued an **$8 million** extortion demand, causing more than **$2 million** in losses. The case adds to broader law-enforcement pressure on the financially motivated group, also tracked as **Octo Tempest**, which has been tied to intrusions affecting MGM Resorts, Caesars, Twilio, Reddit, Riot Games, Mailchimp, DoorDash, Harrods, Marks & Spencer, WestJet, and Jaguar Land Rover.
May 4, 2026
Scattered Spider-Linked Pair Plead Guilty in Transport for London Cyberattack
Two men, **Thalha Jubair** and **Owen Flowers**, pleaded guilty under the UK Computer Misuse Act for their roles in the 2024 cyberattack on **Transport for London (TfL)**, an intrusion investigators linked to the **Scattered Spider** cybercrime ecosystem. Authorities said the attackers accessed TfL’s network between **31 August and 3 September 2024**, disrupting Oyster refund processing, temporarily affecting children’s and young people’s photocard applications, and forcing all **28,000** employees to reset passwords in person after trust in internal identity systems was lost. The breach is reported to have affected about **10 million** customers and caused losses and recovery costs estimated between **£29 million and £39 million**. The National Crime Agency, City of London Police, British Transport Police, and regional officers said a lengthy investigation produced digital evidence including screenshots showing connectivity to TfL infrastructure, videos of system access during the intrusion, Telegram communications, and activity on an online collaboration platform. Investigators also alleged that Flowers was linked to intrusions involving U.S. healthcare organizations including **SSM Health** and **Sutter Health**. Both defendants remain in custody and are due to be sentenced in July 2026, as officials cite the case as a warning about the operational impact of cyberattacks on critical infrastructure and the growing role of young, English-speaking offenders in serious cybercrime.
Jun 26, 2026