Back

Scattered Spider Hacker Pleads Guilty to $8 Million Crypto Theft

Severity: High (Score: 66.5)

Sources: www.mandiant.com, murciatoday.com, www.guidepointsecurity.com, www.documentcloud.org, Computing

Summary

Tyler Robert Buchanan, a 24-year-old from Scotland, pleaded guilty in the U.S. to charges of conspiracy to commit wire fraud and aggravated identity theft, linked to a scheme that stole at least $8 million in cryptocurrency. His involvement with the Scattered Spider cybercrime group included executing SMS phishing attacks targeting employees of various companies. These attacks, conducted between September 2021 and April 2023, utilized deceptive text messages to obtain sensitive information, leading to SIM-swapping attacks that compromised victims' accounts. The group targeted a wide range of industries, including telecommunications, entertainment, and cryptocurrency platforms. Buchanan was arrested in June 2024 in Spain and has been in U.S. custody since April 2025. He faces a maximum sentence of 22 years in prison, with sentencing scheduled for August 21, 2026. Three other co-conspirators are also facing charges related to these crimes. Key Points: • Tyler Robert Buchanan pleaded guilty to stealing over $8 million in cryptocurrency. • The Scattered Spider group used SMS phishing and SIM-swapping techniques in their attacks. • Buchanan faces a maximum of 22 years in prison, with sentencing set for August 2026.

Key Entities

  • 0ktapus (apt_group)
  • Scattered Spider (apt_group)
  • Unc3944 (apt_group)
  • Phishing (attack_type)
  • Ransomware (attack_type)
  • Caesars (company)
  • Caesars Entertainment (company)
  • Doordash (company)
  • Mailchimp (company)
  • MGM Resorts (company)
  • Scotland (country)
  • Spain (country)
  • United States (country)
  • CWE-287 - Improper Authentication (cwe)
  • Entertainment (industry)
  • Financial Services (industry)
  • Hospitality (industry)
  • Media and Entertainment (industry)
  • Retail (industry)
  • Atomic (malware)
  • Meduza Stealer (malware)
  • Recordstealer (malware)
  • Ultraknot (malware)
  • Vidar (malware)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1486 - Data Encrypted for Impact (mitre_attack)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • Amazon S3 (platform)
  • Azure Data Factory (platform)
  • Azure Virtual Machines (platform)
  • Discord (platform)
  • GitHub (platform)
  • Alphv (ransomware_group)
  • BlackCat/ALPHV (ransomware_group)
  • Qilin (ransomware_group)
  • Ransomhub (ransomware_group)
  • AnyDesk (tool)
  • GitGuardian (tool)
  • PowerShell (tool)
  • TruffleHog (tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed