Alleged ‘Scattered Spider’ Member Extradited to U.S.

A 23-year-old man from Scotland, believed to be a member of the notorious Scattered Spider cybercrime group, was extradited last week from Spain to the United States, where he faces charges of wire fraud, conspiracy, and identity theft. U.S. prosecutors allege that Tyler Robert Buchanan and his associates broke into numerous companies both in the U.S. and internationally, and that he directly managed over $26 million illicitly obtained from victims.

Scattered Spider is a loosely organized hacking group whose members have broken into and stolen data from some of the world’s largest technology companies. Buchanan was arrested in Spain last year on an FBI warrant that sought him in connection with a series of SMS phishing attacks during the summer of 2022 that resulted in breaches at Twilio, LastPass, DoorDash, Mailchimp, and other technology companies.


Tyler Buchanan, being escorted by Spanish police at the airport in Palma de Mallorca in June 2024.

As initially reported by KrebsOnSecurity, Buchanan (also known as “tylerb”) departed the United Kingdom in February 2023 after a competing cybercrime faction hired assailants to invade his residence, attack his mother, and threaten to immolate him with a blowtorch if he did not relinquish access to his cryptocurrency wallet. Buchanan was detained in June 2024 at the airport in Palma de Mallorca while attempting to board a flight to Italy. His extradition to the United States was first disclosed last week by Bloomberg.

Members of Scattered Spider have been connected to the 2023 ransomware incidents affecting MGM and Caesars casinos in Las Vegas, but it remains unclear whether Buchanan was involved in that case. The Justice Department’s complaint against him does not reference the 2023 ransomware incident.

Instead, the investigation into Buchanan appears to focus on the SMS phishing campaigns from 2022, and on SIM-swapping attacks that siphoned money from individual cryptocurrency investors. In a SIM-swapping attack, criminals transfer the target’s phone number to a device they control and intercept any text messages or phone calls directed at the victim’s device, including one-time passcodes for authentication and password reset links sent via SMS.

In August 2022, KrebsOnSecurity analyzed data gathered during an extensive cybercrime campaign by Scattered Spider involving numerous SMS-based phishing attempts targeting employees of major corporations. The security firm Group-IB tracked the group under a different name, 0ktapus, because the group primarily impersonated the identity provider Okta in its phishing messages to personnel at targeted firms.


A Scattered Spider/0Ktapus SMS phishing lure targeting Twilio employees in 2022.

The complaint against Buchanan (PDF) indicates the FBI tied him to the 2022 SMS phishing attacks after discovering that the same username and email address were used to register numerous Okta-themed phishing domains observed in the campaign. The domain registrar NameCheap found that just under a month prior to the phishing campaign, the account that registered those domains logged in from an Internet address located in the U.K. FBI investigators stated that Scottish police informed them the address was leased to Buchanan from January 26, 2022, to November 7, 2022.

Authorities confiscated at least 20 electronic devices during their raid on Buchanan’s home, and on one of those devices, they discovered usernames and passwords belonging to employees of three different companies targeted in the phishing operations.

“Thus far, the FBI’s inquiry has collected evidence demonstrating that Buchanan and his accomplices targeted at least 45 companies in the U.S. and abroad, including Canada, India, and the U.K.,” reads the FBI complaint. “One of Buchanan’s devices contained a screenshot of Telegram conversations between an account known to be operated by Buchanan and other unidentified associates discussing how to split the proceeds from SIM swapping.”

U.S. prosecutors allege that records obtained from Discord showed the same U.K. Internet address was used to operate a Discord account that specified a cryptocurrency wallet when asking another user to transfer funds. The complaint states that the publicly accessible transaction history for that payment address shows about 391 bitcoin were moved in and out of this address between October 2022 and February 2023; 391 bitcoin is currently worth more than $26 million.

In November 2024, federal prosecutors in Los Angeles released criminal charges against Buchanan and four other alleged members of Scattered Spider, including Ahmed Elbadawy, 23, of College Station, Texas; Joel Evans, 25, of Jacksonville, North Carolina; Evans Osiebo, 20, of Dallas; and Noah Urban, 20, of Palm Coast, Florida. KrebsOnSecurity reported last year that another alleged member of Scattered Spider, a 17-year-old from the United Kingdom, was detained as part of a collaborative investigation with the FBI into the MGM breach.

Mr. Buchanan’s court-appointed representative did not respond to a request for comment. The defendant faces charges of wire fraud conspiracy, conspiracy to obtain information by computer for private financial gain, and aggravated identity theft. A conviction on the latter charge carries a minimum sentence of two years in prison.

Documents from the U.S. District Court for the Central District of California reveal that Buchanan is being held without bail while awaiting trial. A preliminary hearing in this matter is scheduled for May 6.

