Security Point Break: Cybersecurity News and Analysis with Clarity and Candor

Scattered Spider Hacker Pleads Guilty to $8M Crypto Theft Scheme

Tyler Buchanan, 24, pleaded guilty to hacking and stealing $8 million in cryptocurrency.

Tyler Robert Buchanan, a 24-year-old from Dundee, Scotland, pleaded guilty in U.S. federal court to conspiracy to commit wire fraud and aggravated identity theft for his role in a scheme that prosecutors said hacked at least a dozen companies and stole at least $8 million in virtual currency from victims across the United States.

Multiple security firms have linked Buchanan and other defendants named by the DOJ in a Friday release to the notorious Scattered Spider cybercrime group. The group is known for aggressive social engineering, SMS phishing, SIM swapping, help-desk impersonation and, more recently, extortion and ransomware attacks.

Sentencing of Buchanan is scheduled for Aug. 21. Buchanan has been in federal custody since April 2025 and faces a statutory maximum of 22 years in prison.

“Buchanan admitted in his plea agreement that the scheme involved the theft of at least $8 million worth of virtual currency assets from individual victims located throughout the United States,” the DOJ said.

Scattered Spider’s Web

Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is believed responsible for a long list of ransomware attacks, including the massive breach of the MGM Casino in 2023.

Microsoft warned in a 2023 report that Scattered Spider / Octo Tempest built much of its success on broad social engineering campaigns, including phishing, credential theft and telecom-centered tactics, before expanding into extortion and destructive activity.

“The threat actor performs research on the organization and identifies targets to effectively impersonate victims, mimicking idiolect on phone calls and understanding personal identifiable information to trick technical administrators into performing password resets and resetting multifactor authentication (MFA) methods,” Microsoft wrote.  

Don’t Do the Phish if You Can’t Do the Time

According to the Justice Department, Buchanan and several co-conspirators listed by the DOJ sent hundreds of text-message phishing lures to employees at targeted companies. The messages linked to lookalike websites designed to impersonate victim companies or their information technology or business process outsourcing providers. If a target fell for the trap and typed in their username, password and other data, the stolen credentials were funneled into a Telegram channel administered by Buchanan and another co-conspirator, prosecutors said.

“The victims and intended victims included interactive entertainment companies, telecommunications companies, technology companies, business process outsourcing (BPO) and information technology (IT) suppliers, cloud communications providers, virtual currency companies, and individuals,” the DOJ explained in announcing the charges.

Prosecutors said the crew harvested credentials and also carried out SIM-swapping attacks, in which a criminal tricks a mobile carrier into moving a victim’s phone number to a SIM card the attacker controls. That lets the attacker intercept calls and text messages, including one-time passcodes used for multifactor authentication and account recovery.

Caught in Their Own Web

DOJ said a digital device found at Buchanan’s residence in Scotland in April 2023 contained the names and addresses of numerous victims, including a text file with cryptocurrency seed phrases and login details for one victim’s account. Buchanan admitted in his plea agreement that the conspiracy stole at least $8 million in virtual currency assets from victims in the United States.

Additional Indictments

The young Scotsman is not the only person facing jail time in the case. Ahmed Hossam Eldin Elbadawy of College Station, Texas; Evans Onyeaka Osiebo of Dallas; and Joel Martin Evans of Jacksonville, North Carolina, still face criminal charges, according to DOJ.

Another defendant tied to the broader investigation, Noah Michael Urban, was sentenced last year to 10 years in prison in a related case involving cryptocurrency theft and phishing attacks against company employees.

Researchers have warned of the overlap between enterprise identity abuse, telecom fraud and consumer cybercrime. According to Microsoft threat intelligence, identity-based attacks—including phishing and credential theft—remain one of the most common initial access paths for financially motivated attackers.

The FBI reported $21 billion in cybercrime losses in 2025, a number that has climbed steadily year over year as phishing and identity-based attacks continue to dominate. IDCARE reported a 240% surge in SIM swap cases in 2024, with 90% occurring with no victim interaction.


Shaun Nichols is an IT news journalist. He has spent nearly 20 years covering the industry with a specialty in the cybersecurity

Image by Sang Hyun Cho from Pixabay
