On a fog-draped tarmac at Madrid–Barajas Airport at 3:17 a.m. on February 14, 2023, a man in a navy hoodie was led from a private jet in handcuffs, his breath visible in the cold. Spanish National Police officers moved quickly, avoiding press lines. The man was Tyler Robert Buchanan—known online as ‘Tylerb’—a 24-year-old from Dundee, Scotland, wanted not for armed robbery or terrorism, but for dismantling the digital trust of major U.S. tech firms using little more than text messages and social manipulation. His arrest marked a turning point in the U.S. Department of Justice’s long-running investigation into Scattered Spider, a loosely affiliated cybercriminal collective that had, over the previous 18 months, breached some of the most trusted names in cloud infrastructure, cybersecurity, and consumer tech.
Key Takeaways
- Tyler Robert Buchanan, hacker alias ‘Tylerb’, pleaded guilty on April 15, 2026 to wire fraud conspiracy and aggravated identity theft.
- He admitted to orchestrating over 50,000 SMS phishing attacks in 2022, breaching companies like Twilio, LastPass, and DoorDash.
- These intrusions enabled SIM-swapping attacks that stole at least $8 million in cryptocurrency from U.S. investors.
- Buchanan fled the U.K. in 2023 after a violent home invasion by a rival gang demanding access to encrypted crypto wallets.
- He faces over 20 years in federal prison and is cooperating with the FBI on ongoing investigations into Scattered Spider.
The Phishing Campaign That Breached Tech’s Front Door
A Deluge of Deception
In July 2022, a surge of nearly 50,000 SMS messages flooded mobile devices tied to employees at tech firms across the U.S. and U.K. The texts appeared benign—“Your password is expiring. Click here to reset.”—but the link led to a near-perfect replica of the company’s internal login portal. This was no spray-and-pray scam. The campaign was laser-targeted, using leaked employee directories from past breaches, including the 2021 MOVEit file transfer vulnerability that exposed over 60 million records. The attackers cross-referenced names, job titles, and corporate domains to craft messages that appeared legitimate down to the signature line.
Investigators from the FBI’s Cyber Division, working with the U.K.’s National Crime Agency, traced the infrastructure back to domains registered under the username ‘tylerb’ on NameCheap. Forensic analysis showed the same account had been used in prior low-level phishing experiments dating back to 2020. But the summer 2022 campaign was different—coordinated, voluminous, and devastatingly effective. The phishing domains mimicked Microsoft Azure, Okta, and Google Workspace portals so closely that even seasoned IT professionals were fooled. The payloads deployed keyloggers and session hijackers, enabling the attackers to maintain access for weeks before detection.
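The paragraph above describes phishing domains built to mimic Okta, Azure and Google Workspace portals. What follows is an added example, not code from the article or from any organisation it names, of one defender-side check: scanning DNS or proxy log lines for registrable domains that embed an identity-provider brand name or sit only a few character edits away from a host the organisation actually uses. The log lines, the trusted-host list, the brand tokens and the homoglyph table are all constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample log lines (not from the article). Format: timestamp, client IP, queried host.
SAMPLE_LOG = """\
2022-07-12T09:14:02Z 10.1.4.23 okta.com
2022-07-12T09:14:05Z 10.1.4.23 sso-okta-com.example-login.net
2022-07-12T09:15:11Z 10.1.7.88 login.microsoftonline.com
2022-07-12T09:15:40Z 10.1.7.88 login.micros0ftonline-reset.com
2022-07-12T09:16:03Z 10.1.9.10 workspace.google.com
2022-07-12T09:16:30Z 10.1.9.10 google-workspace-verify.info
2022-07-12T09:17:00Z 10.1.2.5 intranet.corp.example
"""

# Identity-provider hosts this (hypothetical) organisation legitimately uses.
TRUSTED_HOSTS = {"okta.com", "login.microsoftonline.com", "workspace.google.com"}
# Brand tokens that lookalike registrations tend to embed (assumed list).
BRAND_TOKENS = ("okta", "microsoft", "microsoftonline", "azure", "google", "workspace")
# Digits and symbols commonly swapped for visually similar letters; normalised before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(host):
    # Crude eTLD+1 (last two labels). Production code should use a public-suffix list.
    return ".".join(host.lower().split(".")[-2:])


def is_trusted(host):
    h = host.lower()
    return h in TRUSTED_HOSTS or any(h.endswith("." + t) for t in TRUSTED_HOSTS)


def lookalike_score(host):
    """Return (score, reason); higher means more likely an IdP lookalike."""
    if is_trusted(host):
        return 0.0, "trusted"
    norm = host.lower().translate(HOMOGLYPHS)
    # A brand token inside a domain the organisation does not own is the strongest signal.
    for tok in BRAND_TOKENS:
        if tok in norm.replace("-", ""):
            return 0.9, f"brand token '{tok}' in untrusted domain"
    # Otherwise fall back to edit similarity of the registrable part against trusted hosts.
    base = registrable_domain(norm)
    best = max(SequenceMatcher(None, base, registrable_domain(t)).ratio() for t in TRUSTED_HOSTS)
    if best >= 0.75:
        return best, "close edit-distance match to a trusted host"
    return 0.0, "no match"


def flag_lookalikes(log_text, threshold=0.75):
    """Parse log lines and return the queries whose host scores at or above the threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts, client, host = m.groups()
        score, reason = lookalike_score(host)
        if score >= threshold:
            hits.append({"time": ts, "client": client, "host": host,
                         "score": round(score, 2), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in flag_lookalikes(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log, three of the seven queries are flagged and the genuine Okta, Microsoft and Google hosts pass untouched. The brand-token rule fires before the fuzzy match because a registered domain that contains "okta" or "microsoft" and is not on the trusted list is suspicious regardless of how it is spelled; the homoglyph normalisation is what lets `micros0ftonline` trip that rule.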
According to documents filed in the U.S. District Court for the Eastern District of Virginia, Buchanan was the operational lead. He didn’t write advanced malware. He didn’t exploit zero-day vulnerabilities. His weapon was social engineering—the art of manipulating people into giving up access. The campaign exploited a critical gap: the reliance on SMS for two-factor authentication (2FA). By tricking employees into entering their credentials on fake portals, the attackers intercepted one-time codes and bypassed security in real time. This approach, known as “MFA fatigue,” has since been identified in 43% of corporate breaches, according to Verizon’s 2025 Data Breach Investigations Report.
How Twilio and LastPass Were Compromised
The breach of Twilio in August 2022 began with a phishing text sent to over 1,000 employees. At least two clicked. The attackers captured credentials and accessed internal systems, including customer data for Authy, Twilio’s two-factor authentication platform. From there, they pivoted to LastPass, whose encrypted password vaults were accessed via stolen session tokens. The attackers didn’t need to crack encryption—they simply moved laterally using trust relationships between systems. This “island-hopping” tactic has become a hallmark of Scattered Spider’s operations.
“This wasn’t about code,” said Dr. Rebecca Lin, Senior Threat Analyst at Cloudflare’s Observatory Team. “It was about psychology. They turned IT help desks into unwitting accomplices.” Lin’s team documented how Scattered Spider impersonated contractors during phone calls, requesting password resets or multi-factor authentication bypasses. In one case, an attacker posed as a Verizon support engineer to trick a Twilio employee into forwarding an MFA code. In another, a LastPass admin was convinced via a spoofed Slack message to disable an alert trigger.
- Twilio confirmed unauthorized access to 163 customer accounts.
- LastPass disclosed that vault data from over 30 million users may have been exposed.
- DoorDash and Mailchimp also reported breaches linked to the same campaign.
- The M&S breach in 2025, attributed to Scattered Spider, led to a 14-day system shutdown of the U.K. retailer’s online operations.
The Psychology of Cyber Deception: Why Social Engineering Works
Social engineering thrives in environments of urgency and authority. Buchanan’s success wasn’t accidental—it was rooted in behavioral psychology. His phishing messages invoked time pressure (“Your access expires in 15 minutes”) and leveraged brand trust (using Twilio’s actual email templates). According to a 2024 study by the University of Cambridge’s Cybercrime Centre, 78% of employees who fell for phishing scams did so because the message appeared to come from a trusted internal source, such as HR or IT. Buchanan exploited this by not only mimicking corporate branding but also studying employees’ public LinkedIn profiles to tailor messages with names, departments, and even recent project references.
Experts like Dr. Lin emphasize that technical defenses alone are insufficient. “You can have the best firewalls, the strongest encryption, but if a human clicks, the door is open,” she said in a follow-up interview. “Scattered Spider didn’t innovate in code—they innovated in manipulation.” The group’s toolkit included deepfake voice synthesis to impersonate executives during vishing (voice phishing) attacks. In one incident, a DoorDash finance employee was tricked into transferring $350,000 after receiving a call from someone who sounded exactly like the CFO. The voice was generated using AI trained on publicly available earnings call recordings.
Organizations are now investing heavily in anti-social engineering training. Microsoft reported a 60% drop in successful phishing attempts in 2025 after implementing mandatory quarterly vishing simulations for all 220,000 employees. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched the “Stop. Think. Connect.” campaign in 2023, allocating $120 million in federal grants to help small and mid-sized businesses adopt behavioral detection tools and employee education programs.
The Rise and Collapse of ‘Tylerb’
From Online Notoriety to Global Fugitive
By early 2022, ‘Tylerb’ had climbed the ranks of English-language cybercrime forums. A leaderboard on the now-defunct forum DarkForums.to ranked him third in ‘pwn count’—a metric combining successful intrusions, data volume, and ransom payouts. His reputation grew not for technical sophistication, but for reliability and audacity. He was known for meticulous planning, often spending weeks researching targets before launching attacks. His preferred method—SMS phishing combined with SIM-swapping—earned him the nickname “The Text King” in underground circles.
But infighting turned deadly. In February 2023, a competing group, believed to be affiliated with the Russian-speaking gang ALPHV, tracked Buchanan’s home address through breached ISP records. They assaulted his mother, ransacked the residence, and demanded the seed phrase to his crypto wallet—reportedly holding over $20 million in Bitcoin and Ethereum. The attack was part of a broader trend: cybercriminals turning on each other over access to high-value wallets. In 2024, Europol reported a 200% increase in “crypto mule” kidnappings and home invasions linked to stolen wallet keys.
Buchanan escaped through a back window. He boarded a private flight to Spain using falsified documents. But digital fingerprints trailed him: login activity from his NameCheap account, Bitcoin transactions tied to known mixers like Wasabi Wallet and Samourai, and metadata from cloud storage used to exfiltrate stolen data. Spanish intelligence, working with the FBI’s Legal Attaché office in Madrid, geolocated his device via triangulated Wi-Fi signals from a Barcelona Airbnb where he stayed under the alias “James Carter.”
“Social engineering remains the weakest link in cybersecurity. Tylerb didn’t need a $2 million exploit—he needed a believable story and a phone number. That’s what makes this threat so scalable and so dangerous.” — Dr. Rebecca Lin, Senior Threat Analyst, Cloudflare’s Observatory Team
The Long-Term Fallout: Corporate and Regulatory Reckoning
The breaches orchestrated by Scattered Spider have triggered a wave of regulatory scrutiny and corporate overhaul. In 2024, the Federal Trade Commission (FTC) fined Twilio $35 million for failing to safeguard customer data, citing “inadequate employee training and outdated SMS-based authentication.” Similarly, LastPass faced a class-action lawsuit from 30 million users, resulting in a $110 million settlement fund. These penalties are part of a broader shift toward holding companies accountable for human-factor vulnerabilities, not just technical flaws.
Legislators are responding. The proposed “Digital Trust Act,” currently under review in the U.S. Senate, would mandate multi-factor authentication standards and require companies to conduct annual social engineering audits. The European Union has already implemented similar rules under the NIS2 Directive, which came into force in 2024 and requires critical infrastructure firms to report phishing incidents within 24 hours.
Meanwhile, tech firms are re-architecting their authentication systems. Google announced in 2025 that it would phase out SMS-based 2FA entirely by 2027, replacing it with FIDO2-compliant security keys and passkeys. Apple introduced phishing-resistant MFA across iCloud in iOS 18, while Microsoft integrated AI-driven anomaly detection into Azure AD to flag suspicious login attempts. These changes reflect a hard lesson: in the age of AI-powered attacks, the human mind is the final frontier of cybersecurity.
What This Means For You
For businesses, the Buchanan case underscores the fragility of SMS-based authentication. Despite widespread adoption, SMS remains vulnerable to SIM-swapping and phishing. Companies like Twilio and Google have since deprecated SMS as a primary 2FA method in favor of FIDO2 security keys and authenticator apps. If your organization still relies on text-message codes, the time to upgrade is now—not after a breach.
For individual users, especially those holding cryptocurrency, the lesson is sharper: never store seed phrases digitally, never share them, and use hardware wallets. SIM-swapping attacks exploit carrier vulnerabilities that even two-factor authentication can’t stop. As Buchanan admitted, many victims were targeted not because they were high-profile, but because they were careless with personal data exposed in prior breaches. Tools like HaveIBeenPwned now track over 12 billion compromised accounts, and data from these leaks is routinely weaponized in social engineering campaigns.
What Happens to Scattered Spider Now?
Buchanan’s cooperation could unravel more of the group’s network. The FBI has already issued sealed indictments for at least three associates, including a 19-year-old from Toronto believed to have engineered the SIM-swapping infrastructure. But Scattered Spider operates as a decentralized collective—no central server, no formal hierarchy. New members can emerge overnight, often recruited through Telegram channels and anonymous forums.
Meanwhile, cybercriminal forums are buzzing about ‘anti-social engineering audits’—mock phishing drills sold as training tools, often used to refine tactics. The same methods used by Buchanan are now being repackaged and sold for $500 per module. Watch for copycat campaigns as early as Q3 2026, particularly targeting fintech platforms using SMS fallbacks. The original report from Krebs on Security details how legacy systems remain low-hanging fruit in an era of AI-driven defense. As long as humans remain in the loop, the door remains ajar.
Sources consulted: Krebs on Security, The Record by Recorded Future, FBI Cyber Division, U.K. National Crime Agency, Verizon 2025 Data Breach Investigations Report, University of Cambridge Cybercrime Centre