Scattered Spider Leader Pleads Guilty in $8M Cryptocurrency Heist
A 24-year-old British national, Tyler Robert Buchanan alleged leader of the cybercrime group Scattered Spider has pleaded guilty in the U.S. to charges of wire fraud and aggravated identity theft. Prosecutors accuse Buchanan and four co-conspirators of stealing at least $8 million in cryptocurrency between September 2021 and April 2023 through a series of SMS phishing (smishing) attacks targeting employees at over a dozen companies.
The victims spanned multiple industries, including entertainment, telecommunications, IT, cloud communications, and cryptocurrency services. The group used fraudulent text messages impersonating legitimate IT or business process outsourcing (BPO) suppliers, directing victims to fake login pages to harvest credentials. With stolen access, they executed SIM swap attacks, hijacking phone numbers and cryptocurrency wallets to siphon funds.
Buchanan was arrested in June 2024 in Palma de Mallorca, Spain, and has been in U.S. custody since April 2025. He faces a maximum sentence of 22 years and is scheduled for sentencing on August 21, 2026. Three accomplices Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans were charged in November 2024 with similar offenses, carrying potential 20-year prison terms. A fourth member, Noah Michael Urban (aka Sosa/Elijah), was sentenced to 10 years in 2024 after pleading guilty to related charges.
Scattered Spider, also known as 0ktapus, UNC3944, and Octo Tempest, is a loosely organized, English-speaking collective of young hackers (some as young as 16) that operates via Telegram, Discord, and hacker forums. The group employs social engineering, MFA bombing, and SIM swapping to breach corporate networks. Since 2023, they have collaborated with Russian ransomware gangs, including BlackCat/AlphV, Qilin, and RansomHub.
Notable attacks linked to Scattered Spider include breaches at MGM Resorts, Caesars, Riot Games, MailChimp, Twilio, DoorDash, and Reddit. In July 2024, UK authorities arrested a 17-year-old suspect tied to the 2023 MGM ransomware attack, further underscoring the group’s role in high-profile cybercrime.
MailChimp TPRM report: https://www.rankiteo.com/company/mailchimp
Caesars TPRM report: https://www.rankiteo.com/company/caesars-entertainment-inc
Riot Games TPRM report: https://www.rankiteo.com/company/riot-blockchain
MGM Resorts TPRM report: https://www.rankiteo.com/company/mgm-resorts-international
"id": "mgmmairiocae1776695654",
"linkid": "mgm-resorts-international, mailchimp, riot-blockchain, caesars-entertainment-inc",
"type": "Breach",
"date": "9/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': ['entertainment',
'telecommunications',
'IT',
'cloud communications',
'cryptocurrency services'],
'type': ['entertainment',
'telecommunications',
'IT',
'cloud communications',
'cryptocurrency services']},
{'industry': 'hospitality',
'name': 'MGM Resorts',
'type': 'corporation'},
{'industry': 'hospitality',
'name': 'Caesars',
'type': 'corporation'},
{'industry': 'gaming',
'name': 'Riot Games',
'type': 'corporation'},
{'industry': 'email marketing',
'name': 'MailChimp',
'type': 'corporation'},
{'industry': 'cloud communications',
'name': 'Twilio',
'type': 'corporation'},
{'industry': 'food delivery',
'name': 'DoorDash',
'type': 'corporation'},
{'industry': 'social media',
'name': 'Reddit',
'type': 'corporation'}],
'attack_vector': ['SMS phishing (smishing)',
'fake login pages',
'social engineering',
'MFA bombing'],
'data_breach': {'personally_identifiable_information': 'yes',
'sensitivity_of_data': 'high',
'type_of_data_compromised': ['credentials',
'cryptocurrency wallet access']},
'description': 'A 24-year-old British national, Tyler Robert Buchanan, '
'alleged leader of the cybercrime group Scattered Spider, has '
'pleaded guilty in the U.S. to charges of wire fraud and '
'aggravated identity theft. The group stole at least $8 '
'million in cryptocurrency between September 2021 and April '
'2023 through SMS phishing (smishing) attacks targeting '
'employees at over a dozen companies across multiple '
'industries.',
'impact': {'financial_loss': '$8 million', 'identity_theft_risk': 'high'},
'initial_access_broker': {'entry_point': ['SMS phishing', 'fake login pages'],
'high_value_targets': ['cryptocurrency wallets',
'corporate networks']},
'investigation_status': 'ongoing (some members charged, others sentenced)',
'motivation': ['financial gain'],
'post_incident_analysis': {'root_causes': ['social engineering',
'credential harvesting',
'SIM swapping']},
'ransomware': {'ransomware_strain': ['BlackCat/AlphV', 'Qilin', 'RansomHub']},
'references': [{'source': 'U.S. Department of Justice'}],
'regulatory_compliance': {'legal_actions': ['wire fraud charges',
'aggravated identity theft '
'charges']},
'response': {'law_enforcement_notified': 'yes'},
'threat_actor': 'Scattered Spider (aka 0ktapus, UNC3944, Octo Tempest)',
'title': 'Scattered Spider Leader Pleads Guilty in $8M Cryptocurrency Heist',
'type': ['wire fraud',
'aggravated identity theft',
'SIM swap attacks',
'smishing'],
'vulnerability_exploited': ['credential harvesting', 'SIM swapping']}