US Charges Five Alleged Scattered Spider Members Over SMS Phishing and Crypto Theft
U.S. prosecutors unsealed charges against five men allegedly linked to the Scattered Spider cybercrime ecosystem, accusing them of running a large-scale scheme that used SMS phishing, spoofed login pages, social engineering, stolen employee credentials, email hijacking, and SIM swapping to compromise companies and individuals. Court filings say the operation targeted technical employees across the United States between September 2021 and April 2023, enabling the theft of non-public corporate data, personal identifiers, and millions of dollars in cryptocurrency. Four suspects were charged in the United States with conspiracy to commit wire fraud, while a separate complaint was filed against a fifth defendant in the United Kingdom.
The case adds to mounting law-enforcement scrutiny of Scattered Spider, a loose English-speaking threat actor network also tracked under multiple aliases and associated with the broader "Com" ecosystem. Authorities and researchers have linked the group to high-profile intrusions and collaborations with ransomware operations including BlackCat/ALPHV, Qilin, and RansomHub, as well as incidents affecting MGM Resorts, Clorox, Snowflake-linked victims, and later investigations into the hacks at Marks & Spencer and Co-op. The charges mark a significant escalation in efforts to disrupt a group known for blending phishing, identity takeover, and extortion-focused intrusion tactics.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Tyler Buchanan pleads guilty in U.S. Scattered Spider-linked crypto theft case
Tyler Buchanan, a 24-year-old from Dundee, pleaded guilty in the United States to conspiring to hack at least a dozen companies and steal at least $8 million in cryptocurrency. The plea relates to the September 2021-April 2023 SMS phishing and credential-theft campaign previously described by U.S. prosecutors.
Police investigate Scattered Spider over M&S and Co-op hacks
By May 2025, Scattered Spider had become a focus of a police investigation into hacks affecting Marks & Spencer and Co-op, marking a new publicly reported investigative development involving the group.
U.S. unseals charges against five alleged Scattered Spider members
The U.S. Department of Justice announced charges against five alleged members or associates of the Scattered Spider cybercrime gang for wire-fraud-related conduct tied to the 2021-2023 phishing and cryptocurrency theft scheme. Four defendants were charged in the United States, and a separate complaint was filed against a fifth defendant in the United Kingdom.
UK arrests suspect tied to MGM Resorts ransomware attack
A suspect was arrested in the United Kingdom in connection with the 2023 MGM Resorts ransomware attack, an action cited as part of increasing law-enforcement pressure on the Scattered Spider ecosystem.
Spanish police arrest alleged Scattered Spider member in Mallorca
Spanish police, working with the FBI, arrested a 22-year-old British national in Palma de Mallorca suspected of being a key Scattered Spider member. Authorities said the suspect was detained while trying to fly to Italy, seized a laptop and phone, and linked him to attacks on dozens of U.S. companies and individuals.
Scattered Spider-linked phishing and theft scheme ends
Prosecutors said the charged conspiracy ran through April 2023, by which time the defendants had allegedly stolen non-public corporate data, personal identifiers, and millions of dollars in cryptocurrency from victims across the United States.
Scattered Spider-linked phishing and crypto theft campaign begins
According to U.S. court documents, individuals later charged as linked to Scattered Spider began a large-scale SMS phishing and social-engineering scheme targeting companies and individuals. The operation used spoofed login pages, stolen employee credentials, email hijacking, data theft, and SIM swapping to seize control of victims’ accounts and cryptocurrency wallets.
Sources
6 references tracked. Mallory keeps watching after this page renders.
British man pleads guilty to conspiring to steal $8m in virtual currency
bbc.com
Open sourceM&S and Co-op hacks: Scattered Spider is focus of police investigation
bbc.com
Open sourceDOJ charges 5 alleged Scattered Spider members | TechTarget
techtarget.com
Open sourceUS charges five men linked to ‘Scattered Spider’ with wire fraud | CyberScoop
cyberscoop.com
Open sourceUS charges five linked to Scattered Spider cybercrime gang
bleepingcomputer.com
Open sourceSpanish police arrested an alleged member of the Scattered Spider group
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
US Charges Alleged Scattered Spider Member Arrested in Finland
U.S. prosecutors have charged 19-year-old dual U.S.-Estonian citizen Peter Stokes, allegedly a member of the **Scattered Spider** cybercrime group who used the alias `Bouquet`, after his arrest in Finland on April 10. According to reports citing court records, Stokes was detained while allegedly attempting to board a flight to Tokyo and now faces wire fraud, conspiracy, and computer intrusion charges in a sealed six-count complaint, with U.S. authorities seeking his extradition to Chicago. Investigators allege he took part in at least four intrusions, including a 2023 breach of an online communications platform and other attacks carried out while he was still a teenager. The complaint links Stokes to Scattered Spider operations that relied on help-desk social engineering, credential resets, MFA fatigue, and SMS phishing to gain access to major corporate environments. One 2025 intrusion described in the filings allegedly targeted a multibillion-dollar luxury retailer, where attackers obtained administrator access, claimed to have stolen **100 GB** of data, and issued an **$8 million** extortion demand, causing more than **$2 million** in losses. The case adds to broader law-enforcement pressure on the financially motivated group, also tracked as **Octo Tempest**, which has been tied to intrusions affecting MGM Resorts, Caesars, Twilio, Reddit, Riot Games, Mailchimp, DoorDash, Harrods, Marks & Spencer, WestJet, and Jaguar Land Rover.
May 4, 2026
Scattered Spider Member Pleads Guilty in $8 Million SMS Phishing and Crypto Theft Scheme
Tyler Robert Buchanan, a 24-year-old British national from Dundee, Scotland, pleaded guilty in U.S. federal court in California to **conspiracy to commit wire fraud** and **aggravated identity theft** for his role in Scattered Spider’s large-scale social-engineering operation. Prosecutors said Buchanan and co-conspirators ran SMS phishing campaigns from September 2021 to April 2023 that impersonated corporate IT help desks and labor providers, used fake login pages and stolen credentials, and carried out SIM swapping to breach companies and individuals. The Justice Department said the scheme stole at least **$8 million in virtual currency** from U.S. victims across telecommunications, technology, cloud communications, outsourcing, gaming, and cryptocurrency sectors. Investigators tied Buchanan to the 2022 **0ktapus** campaign, which used fake Okta login pages to compromise more than 130 organizations, including **Twilio** and **Cloudflare**, and enabled downstream attacks affecting other major brands. Authorities said stolen credentials were funneled into a Telegram channel administered by Buchanan and an associate, and searches of his residence in Scotland uncovered victim company files, personal data, and roughly 20 devices. Buchanan was arrested in Palma de Mallorca by Spanish authorities, extradited to the United States, and has been in federal custody since April 2025; he now faces up to 22 years in prison, underscoring continued law-enforcement pressure on the loosely organized Scattered Spider group, an offshoot of **The Com**.
Apr 24, 2026
Scattered Spider Linked to MGM and Caesars Casino Breaches
MGM Resorts and Caesars Entertainment were hit in closely timed cyberattacks that investigators and security firms tied to the **Scattered Spider** criminal community, a loose English-speaking group known for social engineering, SIM swapping, phishing, and MFA fatigue. Caesars disclosed that attackers stole customer data and reportedly paid a ransom demand, while MGM suffered a far more disruptive intrusion that knocked hotel and casino operations offline for days and was later estimated to have cost about **$100 million**. Multiple reports said the intrusions involved help-desk impersonation and other employee-targeting tactics, with Scattered Spider affiliates also linked to ransomware operators including **BlackCat/ALPHV**. The fallout expanded beyond the initial breaches as Caesars sent breach notifications to thousands of affected people and both casino companies faced lawsuits and class actions alleging failures to protect personal information. Law enforcement pressure then intensified: investigators in the US, UK, and Spain pursued suspected Scattered Spider members, including a 22-year-old British man arrested in Spain as an alleged leader and a 17-year-old arrested in the UK over the MGM attack, with additional US arrests and prosecutors reportedly moving closer to charges. Security researchers said the Las Vegas casino intrusions put a bullseye on the group, which had evolved from SIM-swapping into ransomware, extortion, and cloud-focused intrusions against major enterprises.
May 25, 2026