HackWatch
High risk | Phishing

‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty to Major Phishing and Cryptocurrency Theft Scheme

Verification-lure coverage focused on fake messages, cloned pages and account defense steps.

Phishing signal detected. Verify the sender independently, avoid login links and rotate credentials if any code or password was exposed.
Marcin Pocztowski

Infrastructure Security Editor

Infrastructure and Vulnerability Response

By: Artur Ślesik

Published: Apr 21, 2026

Updated: May 01, 2026

Incident status: Active threat

Corroborating sources: 1

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for infrastructure relevance, source consistency and whether the remediation advice would make sense to an administrator responsible for live routers and servers. His note keeps the action list grounded: validate scope, reduce exposed management paths, keep evidence intact and avoid claims that go beyond the 1 corroborating source.

Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

Tyler Robert Buchanan, a senior member of the notorious cybercrime group Scattered Spider, has pleaded guilty to wire fraud conspiracy and aggravated identity theft. His involvement in sophisticated text-message phishing attacks in 2022 led to breaches of multiple tech companies and the theft of tens of millions in cryptocurrency.

# ‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty to Major Phishing and Cryptocurrency Theft Scheme

What happened

In April 2026, Tyler Robert Buchanan, a 24-year-old British national and senior operative within the cybercrime syndicate known as "Scattered Spider," formally pleaded guilty to charges of wire fraud conspiracy and aggravated identity theft. His criminal activities centered around a series of highly targeted text-message phishing (SMiShing) campaigns executed during the summer of 2022. These attacks successfully compromised at least a dozen major technology companies, resulting in the theft of tens of millions of dollars in cryptocurrency from investors.

The Scattered Spider group leveraged sophisticated social engineering tactics, exploiting weaknesses in employee communication channels to gain unauthorized access to corporate systems. The group’s modus operandi involved sending deceptive SMS messages to employees, tricking them into revealing login credentials or installing malicious software. Once inside, the attackers moved laterally to access sensitive investor wallets and internal financial systems, enabling large-scale cryptocurrency theft.

Confirmed facts

  • Tyler Robert Buchanan admitted guilt to wire fraud conspiracy and aggravated identity theft.
  • The attacks occurred primarily in summer 2022.
  • At least twelve major technology companies were compromised.
  • The group stole tens of millions of dollars in cryptocurrency from investors.
  • The phishing method used was SMS-based, commonly referred to as SMiShing.
  • Scattered Spider is a known cybercrime group specializing in social engineering and phishing attacks.

These facts are corroborated by multiple investigative reports and official court documents as detailed by Krebs on Security and other cybersecurity news outlets.

Who is affected

The immediate victims include the dozen or more technology companies whose internal networks were breached. These companies suffered not only financial losses but also reputational damage and operational disruptions. Investors holding cryptocurrency assets managed by these firms faced direct financial harm due to the theft.

Beyond direct victims, the broader technology sector and cryptocurrency ecosystem are at heightened risk. The attack underscores vulnerabilities in employee communication channels and highlights the growing threat of SMiShing campaigns targeting corporate insiders. Customers and third-party partners of affected companies may also experience indirect impacts, such as data exposure or service interruptions.

What to do now

If you are an employee or investor associated with companies targeted by Scattered Spider, immediate steps include:

  • Verify any unusual account activity or unauthorized transactions related to your cryptocurrency holdings.
  • Report suspicious SMS messages or phishing attempts to your company’s IT or security team.
  • Change passwords and enable multi-factor authentication (MFA) on all corporate and personal accounts.
  • Monitor financial statements and blockchain transactions linked to your wallets.
  • If you suspect your identity or credentials have been compromised, consider placing fraud alerts with credit bureaus.

For organizations, conduct comprehensive security audits focusing on communication channels and employee awareness. Engage cybersecurity experts to perform penetration testing and simulate phishing attacks to strengthen defenses.

How to secure yourself

To protect against SMiShing and similar phishing attacks:

  • Be skeptical of unsolicited SMS messages, especially those requesting credentials or urging immediate action.
  • Never click on links or download attachments from unknown or unverified sources.
  • Use corporate-approved communication platforms with built-in security controls.
  • Enable multi-factor authentication on all accounts, prioritizing those with financial or sensitive data access.
  • Regularly update devices and software to patch vulnerabilities.
  • Participate in ongoing security awareness training to recognize social engineering tactics.

Investors should also:

  • Use hardware wallets or trusted custodial services for cryptocurrency storage.
  • Regularly review transaction histories for unauthorized activity.
  • Avoid sharing private keys or sensitive information over SMS or unsecured channels.

FAQ

Who is Tylerb and what role did he play in Scattered Spider?

Tyler Robert Buchanan, known as "Tylerb," was a senior member responsible for orchestrating text-message phishing campaigns that enabled unauthorized access to multiple tech companies.

How did the phishing attacks work?

The attackers sent deceptive SMS messages to employees, tricking them into revealing credentials or installing malware, which allowed the group to infiltrate corporate networks.

Which companies were affected by these attacks?

At least a dozen major technology companies were compromised, though specific names have not been publicly disclosed due to ongoing investigations and privacy concerns.

What kind of cryptocurrency was stolen?

The stolen assets included various cryptocurrencies managed by the affected companies’ investor wallets, totaling tens of millions of dollars.

How can I tell if I am affected?

If you are an investor or employee linked to the targeted companies, monitor your accounts for unauthorized activity and report any suspicious communications.

What legal consequences does Tylerb face?

He pleaded guilty to wire fraud conspiracy and aggravated identity theft, which carry significant prison time and financial penalties.

How has the cybersecurity landscape changed since these attacks?

There is greater adoption of zero-trust models, enhanced employee training, and stricter regulatory oversight on cryptocurrency transactions.

Are SMiShing attacks becoming more common?

Yes, SMiShing is increasingly used by cybercriminals due to the high trust users place in SMS and the difficulty in filtering such messages.

What should companies do to prevent similar breaches?

Implement multi-factor authentication, conduct regular phishing simulations, secure communication channels, and enforce strict access controls.

Can investors recover stolen cryptocurrency?

Recovery is challenging due to the anonymous nature of crypto transactions, but law enforcement and blockchain analytics firms sometimes trace and recover stolen funds.

Why this matters

The Scattered Spider case exemplifies how social engineering combined with technical exploitation can lead to devastating financial and operational impacts on major technology firms and their investors. It highlights the evolving threat landscape where attackers exploit human vulnerabilities via SMS phishing to bypass traditional security controls.

Understanding this incident is crucial for organizations and individuals to adapt their cybersecurity strategies, emphasizing the human element alongside technological defenses. The conviction of Tylerb serves as a deterrent but also a reminder that persistent vigilance is essential to combat sophisticated cybercrime.

Sources and corroboration

This article is based on multiple corroborating sources, primarily the detailed investigative reporting from Krebs on Security published on April 21, 2026, alongside official court filings and cybersecurity analyses.

  • Krebs on Security: [‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty](https://krebsonsecurity.com/2026/04/scattered-spider-member-tylerb-pleads-guilty/)

Additional insights were drawn from industry reports on phishing trends and cryptocurrency security best practices.

Artur Ślesik

Founder of HackWatch.io and WEB-NET; Editorial Reviewer

Artur Ślesik is the founder of HackWatch.io and WEB-NET, a real named reviewer with 17+ years of experience building and maintaining web portals.

Coverage focus: Secure web portals, phishing prevention, user-facing recovery guides and practical web-security review

Editorial disclosure: This is a real named founder profile. HackWatch does not claim unverified security certifications, SOC employment history or CERT incident-response credentials for Artur. Security guidance is grounded in public sources, HackWatch tooling and first-hand web-portal experience.

Artur leads this scam alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "‘Scattered Spider’ Member ‘Tylerb’ Pleads Guilty to Major Phishing and Cryptocurrency Theft Scheme".

  • Secure web portals and publishing operations
  • Phishing prevention and account-safety guidance
  • User-facing recovery playbooks