# Alleged 'Scattered Spider' Member Extradited to U.S.
A 23-year-old Scottish man, Tyler Robert Buchanan, thought to be a member of the prolific cybercrime group Scattered Spider, has been extradited to the United States from Spain, where he faced charges of wire fraud, conspiracy, and identity theft. The extradition comes after a year-long investigation by the FBI and Spanish authorities.
Buchanan's alleged involvement with Scattered Spider began in 2022, when he hacked into dozens of companies in the United States and abroad, including major technology firms like Twilio, LastPass, DoorDash, Mailchimp, and many others. According to U.S. prosecutors, Buchanan personally controlled over $26 million stolen from victims.
Scattered Spider is a loosely affiliated group whose members have targeted some of the world's largest technology companies, breaking into and stealing data from them. The group's tactics include SMS-based phishing attacks, SIM-swapping scams, and other types of cybercrime.
Buchanan was arrested in Spain last year on a warrant from the FBI, which wanted him in connection with a series of SMS-based phishing attacks that led to intrusions at Twilio, LastPass, DoorDash, Mailchimp, and many other tech firms. At the time, Buchanan was fleeing the United Kingdom after a rival cybercrime gang hired thugs to invade his home, assault his mother, and threaten to burn him with a blowtorch unless he gave up the keys to his cryptocurrency wallet.
Buchanan was arrested at Palma de Mallorca airport in June 2024 while trying to board a flight to Italy. His extradition to the United States was first reported last week by Bloomberg.
Members of Scattered Spider have been linked to several high-profile cybercrime incidents, including the 2023 ransomware attacks against MGM and Caesars casinos in Las Vegas. However, it remains unclear whether Buchanan was directly involved in these attacks.
The Justice Department's complaint against Buchanan focuses on his alleged involvement in the SMS phishing campaigns from 2022 and SIM-swapping attacks that siphoned funds from individual cryptocurrency investors. In a SIM-swapping attack, crooks transfer the target's phone number to a device they control and intercept any text messages or phone calls to the victim's device.
In August 2022, KrebsOnSecurity reviewed data harvested in a months-long cybercrime campaign by Scattered Spider involving countless SMS-based phishing attacks against employees at major corporations. The security firm Group-IB called these attacks "0ktapus," as the group typically spoofed the identity provider Okta in their phishing messages.
A Scattered Spider/0Ktapus SMS phishing lure sent to Twilio employees in 2022.
The complaint against Buchanan says the FBI tied him to the 2022 SMS phishing attacks after discovering the same username and email address was used to register numerous Okta-themed phishing domains seen in the campaign. The domain registrar NameCheap found that less than a month before the phishing spree, the account that registered those domains logged in from an Internet address in the U.K.
FBI investigators said the Scottish police told them the address was leased to Buchanan from January 26, 2022, to November 7, 2022. Authorities seized at least 20 digital devices when they raided Buchanan's residence, and on one of those devices, they found usernames and passwords for employees of three different companies targeted in the phishing campaign.
"The FBI's investigation to date has gathered evidence showing that Buchanan and his co-conspirators targeted at least 45 companies in the United States and abroad," the FBI complaint reads. "One of Buchanan's devices contained a screenshot of Telegram messages between an account known to be used by Buchanan and other unidentified co-conspirators discussing dividing up the proceeds of SIM swapping."
U.S. prosecutors allege that records obtained from Discord showed the same U.K. Internet address was used to operate a Discord account that specified a cryptocurrency wallet when asking another user to send funds. The complaint says the publicly available transaction history for that payment address shows approximately 391 bitcoin was transferred in and out of this address between October 2022 and February 2023; 391 bitcoin is presently worth more than $26 million.
In November 2024, federal prosecutors in Los Angeles unsealed criminal charges against Buchanan and four other alleged Scattered Spider members, including Ahmed Elbadawy, 23, of College Station, Texas; Joel Evans, 25, of Jacksonville, North Carolina; Joshua Henry, 22, of San Jose, California; and Robert Anthony Smith Jr., 34, of Sacramento, California.
The accused faces charges of wire fraud conspiracy, conspiracy to obtain information by computer for private financial gain, and aggravated identity theft. Convictions on the latter charge carry a minimum sentence of two years in prison.
Documents from the U.S. District Court for the Central District of California indicate Buchanan is being held without bail pending trial. A preliminary hearing in the case is slated for May 6.
Buchanan's court-appointed attorney did not respond to a request for comment.