Apr 21, 2026 · 5 min read
The Alleged Leader of Scattered Spider Just Pleaded Guilty—The $8 Million Phishing Spree Hit MGM, Coinbase, and Mailchimp
Tyler Robert Buchanan, a 24-year-old from Scotland, admitted to running SMS phishing and SIM swap attacks that compromised at least a dozen companies and stole $8 million in cryptocurrency. He faces up to 22 years in prison.
The Guilty Plea
Tyler Robert Buchanan, a 24-year-old British national from Dundee, Scotland, pleaded guilty in U.S. federal court to one count of conspiracy to commit wire fraud and one count of aggravated identity theft. He faces a maximum sentence of 22 years in prison. Sentencing is scheduled for August 21, 2026.
Buchanan was arrested in June 2024 at the airport in Palma de Mallorca, Spain, while preparing to board a flight to Italy. He was extradited to the United States in April 2025 and has been in federal custody since.
He is believed to be the leader of Scattered Spider, a cybercriminal collective that the FBI, CISA, and multiple security firms have tracked under at least six different names: 0ktapus, Scatter Swine, Octo Tempest, Starfraud, UNC3944, and Muddled Libra.
How Scattered Spider Operated
Between September 2021 and April 2023, Buchanan and his associates ran a systematic campaign that combined two of the oldest tricks in cybercrime: phishing and SIM swapping.
The group sent hundreds of SMS phishing messages to employees at target companies, posing as internal IT teams or third-party service providers. The messages contained links to websites that looked identical to legitimate corporate login pages. When employees entered their credentials, the attackers captured usernames, passwords, and in some cases multi-factor authentication codes.
With those credentials in hand, the group executed SIM swap attacks. They convinced mobile carriers to transfer victims' phone numbers to attacker-controlled SIM cards, redirecting text messages and phone calls. This gave them the ability to intercept password reset codes, bypass SMS-based two-factor authentication, and take over email accounts and cryptocurrency wallets.
The result: at least $8 million in stolen cryptocurrency from U.S. victims, extracted from at least a dozen companies.
The Target List
Scattered Spider did not target small businesses or individuals. They went after some of the largest technology and entertainment companies in the world:
- MGM Resorts: A social engineering attack that shut down slot machines, hotel check-in systems, and digital room keys across Las Vegas properties for days.
- Caesars Entertainment: Paid a reported $15 million ransom after a similar breach.
- Coinbase: Customer support agents were targeted with SMS phishing, giving attackers access to a limited set of customer data.
- Twilio: The cloud communications company was breached through SMS phishing, which cascaded to affect downstream customers including Signal.
- Mailchimp: Employee credentials were stolen, exposing customer data from the email marketing platform.
- LastPass, DoorDash, Reddit, Riot Games: All confirmed as targets in the same campaign.
The group targeted entertainment, telecommunications, technology, business process outsourcing, IT suppliers, cloud communications providers, and cryptocurrency platforms. What they all had in common was employees who could be reached by text message.
A Teenage Crime Ring With Ransomware Partners
What makes Scattered Spider unusual in the cybercrime landscape is its membership. The group is a loose-knit, English-speaking collective with members as young as 16. They coordinated through Telegram, Discord, and hacker forums rather than the structured hierarchies typical of Russian or Chinese state-linked groups.
Starting in 2023, Scattered Spider began partnering with established Russian ransomware operations including BlackCat/AlphV, Qilin, and RansomHub. This gave the young phishers access to professional-grade ransomware tools, while the ransomware operators gained native English speakers who could craft convincing social engineering attacks against American and British companies.
The combination was devastating. Scattered Spider's social engineering skills got them inside corporate networks. The ransomware operators' tools let them encrypt systems and demand payment. Together they caused hundreds of millions in damages.
The Prosecution Scorecard
Buchanan is the second Scattered Spider member to plead guilty in the United States. The current status of the group's known members:
- Noah Michael Urban (aliases: Sosa, Elijah): Pleaded guilty, currently serving a 10-year sentence.
- Tyler Robert Buchanan: Pleaded guilty, sentencing scheduled for August 21, 2026. Faces up to 22 years.
- Ahmed Hossam Eldin Elbadawy, 24 (Texas): Awaiting trial, faces up to 20 years.
- Evans Onyeaka Osiebo, 21 (Dallas): Awaiting trial.
- Joel Martin Evans, 26 (North Carolina): Awaiting trial.
The prosecutions send a message, but the group's decentralized structure means other members remain unidentified. Security researchers believe the active core extends well beyond the five named defendants.
Why SMS Phishing Still Works
Scattered Spider's entire operation was built on a technique that has been known for over a decade: sending fake text messages with links to credential-harvesting pages. No zero-day exploits. No sophisticated malware. Just convincing text messages sent to the right people at the right time.
The lesson for everyone, not just enterprise security teams, is that SMS-based two-factor authentication is not enough. When a SIM swap can redirect your text messages to an attacker's phone, every account protected by SMS codes becomes vulnerable. The FBI has repeatedly warned that phishing and social engineering remain the most effective attack vectors, outpacing technical exploits by a wide margin.
Hardware security keys (FIDO2/WebAuthn) are the most effective defense against phishing. They cannot be intercepted by SIM swaps, they do not work on lookalike domains, and they cannot be socially engineered over the phone. After the MGM breach, Google reported that none of its 85,000+ employees had been successfully phished since deploying hardware keys company-wide.
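To show why a security key "does not work on lookalike domains", here is an added illustration (not code from the article or any vendor) of the relying-party checks a login server performs on a WebAuthn assertion: the browser writes the page's real origin into clientDataJSON and the authenticator hashes the RP ID into authenticatorData, so credentials entered on a phishing domain are rejected. The RP ID, origins and the simulated browser/key are constructed; the final signature check over authenticatorData and clientDataJSON is omitted for brevity.

```python
import base64
import hashlib
import json
from urllib.parse import urlparse

# Hypothetical relying party (constructed for this example).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_and_key_respond(origin: str, challenge: bytes) -> dict:
    """Simulate what a browser plus security key return for a login ceremony.

    Neither field below is under the phishing site's control: the browser
    records the origin the user is actually on, and the authenticator binds
    the RP ID derived from that origin into authenticatorData (rpIdHash).
    """
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    rp_id = urlparse(origin).hostname            # browser derives RP ID from the page
    flags, counter = b"\x01", b"\x00\x00\x00\x01"  # UP flag set, sign count 1
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + counter
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(resp: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Server-side checks (subset of the WebAuthn verification procedure)."""
    cd = json.loads(resp["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (possible replay)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')} not allowed"
    if resp["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


if __name__ == "__main__":
    ch = b"constructed-random-challenge"
    print(verify_assertion(browser_and_key_respond("https://login.example.com", ch), ch))
    # A lookalike domain fails the origin check even if the user "logs in" there:
    print(verify_assertion(browser_and_key_respond("https://login-example-sso.com", ch), ch))
```

The same mechanism is why an SMS code cannot offer this protection: a six-digit code carries no binding to the site it was meant for, so it can be relayed from a lookalike page or read from a swapped SIM.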