Tyler Robert Buchanan, a 24-year-old British national known online as “Tylerb”, has pleaded guilty in US federal court to wire fraud conspiracy and aggravated identity theft for his role as a senior member of Scattered Spider — the English-language cybercrime group behind some of the most damaging social engineering campaigns against enterprise organisations in recent years. Buchanan faces a maximum sentence of 20 years and agreed to forfeit approximately $8 million in cryptocurrency proceeds from SIM-swapping operations.
Who Scattered Spider Is
Scattered Spider (also tracked as UNC3944, Roasted 0ktapus, Starfraud, and Muddled Libra) is a loosely organised network of primarily English-speaking young adults, many in their late teens and early twenties, who became proficient at social engineering and SIM swapping. Unlike traditional nation-state or organised crime groups, Scattered Spider exploited the same techniques at scale — phishing, SIM hijacking, help desk impersonation, and MFA fatigue attacks — against high-value corporate targets.
The group’s notoriety peaked with the August 2023 MGM Resorts and Caesars Entertainment breaches, in which MGM suffered an estimated $100 million in losses after attackers impersonated an MGM employee to a help desk agent and used the access to deploy ransomware across hotel and casino operations. Caesars paid approximately $15 million in ransom to prevent data publication.
What Buchanan Did
Buchanan’s guilty plea covers his participation in the 2022 SMS phishing campaign that targeted employees of over 130 organisations, collecting Okta, Microsoft 365, and VPN credentials at scale. The campaign — known publicly as “0ktapus” following Twilio’s August 2022 disclosure — used SMS messages impersonating employer IT departments to direct victims to credential-harvesting pages that also captured one-time passwords from Okta push notifications in real time.
Buchanan personally conducted SIM-swapping operations to bypass SMS-based MFA, bribing or socially engineering mobile carrier employees to transfer victims’ phone numbers to attacker-controlled SIMs. This allowed the interception of SMS one-time passwords even on accounts where the phishing page approach was insufficient. Victims included employees at Twilio, Cloudflare, LastPass, DoorDash, and dozens of cryptocurrency exchanges.
The $8 million forfeiture covers proceeds from SIM-swapping attacks on cryptocurrency account owners — a separate criminal enterprise Buchanan ran in parallel with the enterprise-targeting phishing campaign.
Identity and Access Management Lessons
The Scattered Spider campaign succeeded primarily by attacking the weakest links in enterprise identity infrastructure:
SMS-based MFA is the entry point, not the defence. The 0ktapus campaign collected credentials and OTPs in real time via transparent proxy phishing pages. SMS OTPs were interceptable via SIM swap. Both weaknesses are well-documented; the campaign’s success reflects how slowly enterprise identity policies are actually updated.
Help desk social engineering is an underestimated vector. The MGM and Caesars breaches — subsequent to the 0ktapus campaign — succeeded not through technical exploitation but through a phone call to a help desk. Identity verification procedures for help desk interactions lag far behind authentication requirements for self-service access.
FIDO2/passkeys are the correct countermeasure. Phishing-resistant authentication (FIDO2 hardware keys, device-bound passkeys) would have blocked both the 0ktapus phishing interception attack and the MFA fatigue/bypass techniques Scattered Spider used against push-notification MFA. Organisations still relying on SMS OTPs or push-notification MFA for privileged access should treat this case as a concrete costing of that risk.
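The difference between the first and third lessons, shown from the verifier's side as an added example that is not part of the original article: a TOTP check accepts a code no matter which page collected it, while a WebAuthn-style assertion check rejects one produced on a lookalike origin. The host names, keys and challenge are constructed, and an HMAC stands in for the authenticator's asymmetric signature (an assumption made to keep the sketch in the standard library).

```python
import hashlib, hmac, json, struct

RP_ID = "sso.example.com"                # constructed relying party ID
ORIGIN = "https://sso.example.com"       # constructed legitimate origin
KEY = b"constructed-credential-key"      # assumption: HMAC stand-in for an ES256 key pair
TOTP_SECRET = b"constructed-totp-secret"

def totp(secret, t, step=30):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits)."""
    mac = hmac.new(secret, struct.pack(">Q", int(t) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10**6)

def verify_otp(code, t):
    # The code carries no record of the page it was typed into.
    return hmac.compare_digest(code, totp(TOTP_SECRET, t))

def authenticator_sign(page_origin, page_rp_id, challenge):
    """Model of what browser and authenticator emit for the page the user is on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    # rpIdHash (32 bytes) + flags (UP|UV) + signature counter
    auth_data = hashlib.sha256(page_rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    sig = hmac.new(KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, auth_data, sig

def verify_assertion(client_data, auth_data, sig, expected_challenge):
    """Subset of the relying-party checks on a WebAuthn assertion."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch"
    if cd.get("origin") != ORIGIN:
        return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user not present"
    expected = hmac.new(KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(sig, expected) else "bad signature"
```

Because the signature covers both the RP ID hash and the hash of the client data, rewriting the origin after the fact only moves the failure to a later check. In a real browser the credential scoped to the legitimate RP ID is not offered to the lookalike page at all.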
Law Enforcement Trajectory
Buchanan is the most senior Scattered Spider member to plead guilty, though he is one of several members who have been arrested or charged. His prosecution follows the 2024 arrests of Ahmad Wagaafe Hared and multiple co-conspirators in the US and UK, and comes alongside ongoing DOJ investigations into the MGM/Caesars attack chain. The prosecution represents a deliberate DOJ focus on the English-language cybercrime ecosystem, which had historically been less scrutinised than Russian-language threat actor groups.
For enterprise security teams, the guilty plea confirms what the technical record has always shown: Scattered Spider’s techniques were not novel exploits but systematic abuse of gaps in identity verification, MFA design, and help desk processes — gaps that remain present in most enterprise environments today.