On April 17, 2026, Tyler Robert Buchanan stood before a U.S. federal court and pleaded guilty. Two counts: conspiracy to commit wire fraud and aggravated identity theft. Sentencing is set for August 21, 2026. He faces a maximum of 22 years in prison.

Buchanan is 24. He is from Dundee, Scotland. And for a period running through 2022 and 2023, he was among the most consequential threat actors operating against U.S. companies — part of the loosely organised cybercrime group known as Scattered Spider.

This guilty plea has been years in the making, and it closes one chapter of a larger law enforcement campaign against a group that turned social engineering into a commercial weapon.

Who Is Tyler Buchanan

Buchanan was arrested in May 2024 by Spanish authorities in Palma de Mallorca, as he attempted to board a chartered flight to Naples. Spanish police, acting on a U.S. warrant, took him into custody at the airport. He was subsequently extradited to the United States, where he has been held in federal custody since April 2025.

He was indicted alongside four co-defendants as part of a broader Department of Justice action against Scattered Spider. The group is accused collectively of stealing approximately $11 million from at least 29 victims — with Buchanan’s specific share of the cryptocurrency theft amounting to at least $8 million.

Buchanan’s co-defendants — including Noah Urban, who has already been sentenced to 10 years and ordered to pay $13 million in restitution — still face their own criminal proceedings. Urban’s sentencing, handed down in 2025, set the benchmark for what federal prosecutors are seeking from the group’s leadership.

The Phishing Infrastructure That Made It Work

In his plea agreement, Buchanan admitted to sending “hundreds” of SMS phishing messages impersonating the IT helpdesk or outsourced labour providers of targeted companies. The messages were crafted to convince employees that their credentials needed to be verified — and the pages they were directed to were convincing replicas of real authentication portals.

The FBI has specifically linked Buchanan to a summer 2022 campaign that used spoofed Okta authentication pages to breach more than 130 organisations. The targets during that campaign included Twilio and Cloudflare — two companies that publicly disclosed the intrusions and provided detailed post-incident analyses that later became foundational reading in the security community.

Twilio confirmed that attackers used SMS phishing to reach its employees directly, capturing credentials used to access internal customer data systems. Cloudflare, which uses hardware security keys for employee authentication, was better positioned — attackers reached their staff but were unable to leverage stolen credentials because hardware tokens cannot be phished. That contrast between the two incidents became one of the most cited arguments for hardware-based multi-factor authentication in enterprise environments.
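Why a replica login page gets nothing reusable from a hardware key, shown as an added example (not from the court filings, Cloudflare, or the original article): the browser writes the page's real origin into the signed WebAuthn data, and the sign-in service rejects anything that does not name its own origin. The hostnames, challenge bytes and sample messages are constructed, and signature verification is not shown.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                    # assumed relying-party ID (constructed)
EXPECTED_ORIGIN = "https://login.example.com"  # assumed real sign-in origin
LOOKALIKE = "login-example.example.net"        # constructed lookalike hostname

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, authenticator_data: bytes, challenge: bytes) -> str:
    """Origin-binding checks a relying party runs on a WebAuthn assertion.
    Verifying the signature over authenticator_data || SHA-256(client_data_json)
    is a further required step that is not shown here."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "reject: wrong type"
    if client.get("challenge") != b64url(challenge):   # must match this login attempt
        return "reject: challenge mismatch"
    if client.get("origin") != EXPECTED_ORIGIN:        # set by the browser, not the page
        return "reject: origin mismatch"
    if len(authenticator_data) < 37:                   # rpIdHash(32) + flags(1) + counter(4)
        return "reject: truncated authenticator data"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:              # UP flag: a person touched the key
        return "reject: user not present"
    return "accept"

def sample(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and key emit on a page served from `origin`."""
    client = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (7).to_bytes(4, "big")
    return client, auth

def demo() -> dict:
    ch = bytes(range(32))  # constructed challenge issued for this login attempt
    return {
        "real site": check_assertion(*sample(EXPECTED_ORIGIN, RP_ID, ch), ch),
        "lookalike page": check_assertion(*sample("https://" + LOOKALIKE, LOOKALIKE, ch), ch),
        "stale challenge": check_assertion(*sample(EXPECTED_ORIGIN, RP_ID, b"old" * 8), ch),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A password or SMS code typed into the same replica page carries no such binding, which is the difference between the Twilio and Cloudflare outcomes described above.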

What made Scattered Spider particularly effective was not technical sophistication. It was persistence, fluency in English, and a detailed understanding of how corporate IT helpdesk processes work. The group would contact helpdesk staff directly, impersonating employees who had lost access to their accounts, and social-engineer their way past verification procedures. When SMS-based MFA stood between them and access, they would conduct SIM swapping operations — convincing mobile carriers to transfer a victim’s phone number to a SIM card under their control.

The Broader Scattered Spider Case

Buchanan’s prosecution is one thread in a larger federal effort. The five defendants charged together — Buchanan, Noah Urban, Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans — were named in a November 2024 indictment that accused them collectively of one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft.

The group’s targets spanned interactive entertainment, telecommunications, technology, and virtual currency firms, as well as individual cryptocurrency holders. Court documents describe a consistent playbook: SMS phishing to capture credentials, SIM swapping to bypass MFA, access to corporate systems to exfiltrate data and identify cryptocurrency holdings, and direct theft from victim wallets.

Scattered Spider has also been publicly linked — though prosecutors have been careful in their language — to the catastrophic 2023 attacks on MGM Resorts International and Caesars Entertainment. Those incidents, which together caused well over $100 million in financial damages and operational disruption, drew sustained public attention to the group. MGM has stated that the five defendants in this case do not appear to be directly connected to the attack on its network. Caesars paid an approximately $15 million ransom. The exact attribution for those attacks, as it relates to the indicted defendants, remains a matter of ongoing investigation and legal proceedings.

We covered the MGM and Caesars attacks in detail when they occurred — the deep dive into the MGM financial and operational impact and the full breakdown of both casino heists remain useful background for understanding what this group cost the industry. The subsequent teen charged in the $100M Las Vegas casino heist and the moment a member publicly surrendered rounded out the unravelling of the group through late 2025.

Why This Guilty Plea Matters

Scattered Spider occupied a specific and troubling niche in the cybercrime landscape. Most advanced threat groups are either nation-state actors or ransomware-as-a-service operations with professional infrastructure. Scattered Spider was neither, at least not fully. It was a loosely affiliated group of young, English-speaking individuals — many of them teenagers or in their early twenties — who achieved outsized damage through social engineering, not malware engineering.

That profile made them harder to defend against. Detection tools, threat intelligence feeds, and network monitoring are calibrated for technical intrusion patterns. A threat actor who calls your helpdesk and convincingly impersonates a locked-out employee is operating in the gap between technical security and human judgment. The SIM swapping techniques they used to defeat MFA are a known vulnerability, but one that many organisations had not fully mitigated.

Buchanan’s plea — and the broader prosecution of the group — is a signal that law enforcement has developed the investigative capability to pursue these actors across borders, including through international extradition. Getting a Spanish arrest, followed by U.S. extradition, followed by a guilty plea nearly two years later, is not a rapid process. But it is a completed one.

For organisations that were targeted in the 2022 phishing campaign — or that remain vulnerable to the techniques Buchanan and his associates used — the relevant question is not whether these specific individuals will offend again. It is whether the structural vulnerabilities they exploited have been addressed.

The Structural Vulnerabilities Are Still There

SMS-based MFA remains widespread. Helpdesk social engineering remains viable in organisations that rely on knowledge-based verification rather than hardware tokens. SIM swapping attacks continue against mobile carriers with weak identity verification processes.

Buchanan’s campaign worked against 130+ organisations not because those organisations were uniquely negligent, but because the attack techniques were calibrated precisely to the weaknesses of standard enterprise security architectures. Okta-based authentication, without hardware token enforcement, was the entry point. That combination is still the standard configuration for many companies.

The organisations that successfully blocked the attack — Cloudflare being the most documented example — had hardware security keys in place before the campaign began. Their deployment was not a response to Scattered Spider; it was a prior security decision that happened to make the attack inoperable against their environment.

That is the lesson the Buchanan prosecution should leave with security teams. The campaign is over. The techniques are not.

What Comes Next

Buchanan will be sentenced on August 21, 2026. Federal sentencing guidelines for wire fraud conspiracy and aggravated identity theft support significant custodial sentences — Noah Urban’s 10-year term provides one reference point, though Buchanan’s specific circumstances, cooperation, and plea agreement terms will influence the final sentence.

The three remaining co-defendants — Elbadawy, Osiebo, and Evans — still face trial. Their cases will continue to develop the evidentiary record of how Scattered Spider operated, what systems they accessed, and how the cryptocurrency thefts were executed and laundered.

The Buchanan plea represents a point of resolution for victims who have been waiting since 2022 and 2023 for accountability. It does not fully close the case. But it confirms that federal prosecutors built a case strong enough to bring a defendant from Scotland, via Spain, to a guilty plea in a U.S. federal court — and that the rest of the group now faces that same calculus.


Tyler Robert Buchanan pleaded guilty on April 17, 2026 to conspiracy to commit wire fraud and aggravated identity theft. Sentencing is scheduled for August 21, 2026. He faces a maximum sentence of 22 years.