
British Scattered Spider leader Tyler Buchanan pleads guilty; group’s fraud campaigns escalate to $8M cryptocurrency theft and multiple prosecutions

3 unique sources, 6 articles

Summary


Tyler Robert Buchanan, a 24-year-old British leader of the Scattered Spider cybercrime collective, pleaded guilty in the United States to wire fraud conspiracy and aggravated identity theft. Buchanan admitted orchestrating tens of thousands of SMS phishing attacks in 2022 that breached at least a dozen major technology companies—including Twilio, LastPass, DoorDash, and Mailchimp—enabling SIM-swapping attacks that stole at least $8 million in cryptocurrency from individual investors. Buchanan used the alias "Tylerb" and previously ranked #65 on a Telegram leaderboard of prolific SIM-swappers. Buchanan fled the U.K. in February 2023 after a rival gang invaded his home, assaulted his mother, and threatened him with a blowtorch to extort cryptocurrency wallet keys; U.K. investigators later seized a device from his Scotland residence containing stolen data and cryptocurrency seed phrases. Arrested in June 2024 in Palma de Mallorca and extradited to the U.S. in April 2025, Buchanan is scheduled for sentencing on August 21, 2026, facing up to 22 years in prison with potential sentence reductions due to mitigating factors such as his age and cooperation. His case follows the 10-year sentence of key member Noah Michael Urban in 2025 and precedes the upcoming trials of Owen Flowers and Thalha Jubair in the U.K. Scattered Spider continues to operate via Telegram and Discord under "the Com" umbrella, relying on social engineering, phishing, MFA bombing, and SIM swapping to target organizations across sectors.

Timeline

  1. 20.04.2026 16:33 2 articles · 2d ago

    British Scattered Spider leader Tyler Buchanan pleads guilty to fraud and identity theft

    The article confirms and expands details of Buchanan’s guilty plea, including: his use of the alias "Tylerb" and ranking at #65 on a Telegram leaderboard of SIM-swappers; the scale of tens of thousands of SMS phishing attacks in 2022 targeting major technology companies such as Twilio, LastPass, DoorDash, and Mailchimp; the SIM-swapping-enabled theft of at least $8 million in cryptocurrency from individual investors; his flight from the U.K. in February 2023 after a rival gang invaded his home, assaulted his mother, and threatened him with a blowtorch to extort cryptocurrency wallet keys; the seizure by U.K. investigators of a device from his Scotland residence containing stolen data and cryptocurrency seed phrases; his arrest in June 2024 in Palma de Mallorca and extradition to the U.S. in April 2025; and his scheduled sentencing on August 21, 2026, facing up to 22 years in prison with potential sentence reductions under U.S. Sentencing Guidelines.

  2. 21.11.2025 17:41 2 articles · 5mo ago

    Scattered Spider teens charged for TfL breach

    Two British teenagers, Thalha Jubair and Owen Flowers, were arrested in September 2024 for their alleged involvement in the Transport for London (TfL) breach. They pleaded not guilty to computer misuse and fraud-related charges at Southwark Crown Court. The TfL breach in August 2024 caused millions of pounds in damage and exposed customer data, including names, addresses, and contact details. Flowers is also facing charges involving conspiring to attack the networks of SSM Health Care Corporation and Sutter Health in the United States. Jubair was charged by the U.S. Department of Justice with conspiracy to commit computer fraud, money laundering, and wire fraud, relating to at least 120 incidents of network breaches between May 2022 and September 2025, affecting at least 47 U.S. organizations and including extortion attempts worldwide and attacks on critical infrastructure entities and U.S. courts. Victims have paid Jubair and his accomplices over $115 million in ransom payments.

  3. 21.08.2025 11:34 5 articles · 8mo ago

    Scattered Spider member sentenced to 10 years for wire fraud and conspiracy

    Noah Michael Urban, known as 'King Bob' and 'Sosa,' was sentenced to 10 years in prison plus three years of supervised release for wire fraud and conspiracy. Urban, who was arrested in January 2024 and pleaded guilty in April 2024, was involved in stealing millions from cryptocurrency wallets and running sophisticated phishing schemes that compromised over 130 companies, including Twilio, LastPass, DoorDash, MailChimp, and Plex. He will pay $13 million in restitution to more than 30 victims. Urban was considered a key figure in Scattered Spider and used SIM swapping and other social engineering tactics.

Similar Happenings

Phobos Ransomware Suspect Arrested in Poland

Polish authorities have arrested a 47-year-old man suspected of ties to the Phobos ransomware group. The arrest is part of "Operation Aether," a broader international effort coordinated by Europol. The suspect was found with stolen credentials, credit card numbers, and server access data, which could facilitate ransomware attacks. The suspect faces charges under Article 269b of Poland's Criminal Code, with a maximum prison sentence of five years if found guilty. Operation Aether has targeted Phobos-linked individuals at multiple levels, including backend infrastructure operators and affiliates involved in network intrusions and data encryption. The operation has led to the extradition of a key Phobos administrator to the United States and the seizure of 27 servers in Thailand. A Russian national, Evgenii Ptitsyn, pleaded guilty to a wire fraud conspiracy charge related to his role in administering the Phobos ransomware operation. Ptitsyn was extradited from South Korea in November 2024 and is facing up to 20 years in prison. The Phobos ransomware gang has collected over $39 million from more than 1,000 victims worldwide.

JokerOTP MFA phishing-as-a-service dismantled, third suspect arrested

The Netherlands Police arrested a 21-year-old man from Dordrecht for selling access to the JokerOTP phishing automation tool, which intercepts one-time passwords (OTPs) to hijack accounts. The arrest is part of a three-year investigation that led to dismantling the JokerOTP phishing-as-a-service (PhaaS) operation in April 2025. The service caused at least $10 million in financial losses across 28,000 attacks in 13 countries. The seller advertised access via Telegram, allowing cybercriminals to automate calls to victims and capture sensitive data. The tool targeted users of PayPal, Venmo, Coinbase, Amazon, and Apple. The investigation is ongoing, with dozens of buyers identified for prosecution.

Ex-Google Engineer Convicted for Stealing AI Trade Secrets for China

Linwei Ding, a former Google engineer, has been convicted of stealing over 2,000 confidential documents containing AI-related trade secrets to benefit China. The theft occurred between May 2022 and April 2023, involving sensitive information about Google's supercomputing infrastructure, AI models, and custom hardware. Ding was found guilty on seven counts of economic espionage and seven counts of theft of trade secrets. Additionally, three former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from Google and other tech firms and transferring the information to unauthorized locations, including Iran. The stolen data included details about Google's Tensor Processing Unit chips, Cluster Management System software, and other proprietary technologies. Ding used deceitful methods to cover up the theft, including transferring data to his personal Google Cloud account and using an accomplice to fake his presence at work. He also applied to a Shanghai-based talent program sponsored by Beijing, aiming to enhance China's AI capabilities. Ding was originally indicted in March 2024 after lying and not cooperating with Google's internal investigation. He was secretly affiliated with two China-based technology companies and negotiated a role as CTO at one of them. Ding founded his own AI company in China (Shanghai Zhisuan Technology Co.) and served as its CEO, intending to benefit entities controlled by the government of China. Ding faces a maximum sentence of 10 years for each theft count and 15 years for each espionage count.

RedVDS Cybercrime-as-a-Service Disrupted by Microsoft

Microsoft, in coordination with legal partners in the US and UK, has disrupted RedVDS, a cybercriminal subscription service that facilitated phishing and fraud campaigns. RedVDS offered cheap, effective, and disposable virtual computers running unlicensed software, enabling cybercriminals to operate anonymously. The service caused over $40 million in losses in the US alone since March 2025, with nearly 190,000 organizations worldwide affected. RedVDS utilized AI to tailor phishing and business email compromise (BEC) scams, including deepfake videos and voice cloning to impersonate individuals. The disruption involved legal action in the US and UK, supported by international law enforcement, including Europol. Microsoft emphasized the importance of reporting cybercrime to prevent future attacks and protect potential victims. RedVDS operated since 2019 and rented servers from third-party hosting providers across multiple countries. The service was used for various malicious activities, including credential theft, account takeovers, and real estate payment diversion scams. In one month, cybercriminals using RedVDS sent an average of 1 million phishing messages per day to Microsoft customers alone, compromising nearly 200,000 Microsoft accounts over the last four months. RedVDS was advertised as a way to 'increase your productivity and work from home with comfort and ease.' The service was first founded in 2017 and operated on Discord, ICQ, and Telegram. The website was launched in 2019. RedVDS provided a reseller panel to create sub-users and grant them access to manage the servers without having to share access to the main site. The service did not maintain activity logs, making it an attractive choice for illicit use. RedVDS was used to host a toolkit comprising both malicious and dual-use software, including mass spam/phishing email tools, email address harvesters, privacy and OPSEC tools, and remote access tools. 

RedVDS used a single Windows Server 2022 image to create cloned Windows instances, which were created on demand using Quick Emulator (QEMU) virtualization technology combined with VirtIO drivers. RedVDS's Terms of Service prohibited customers from using the service for sending phishing emails, distributing malware, transferring illegal content, scanning systems for security vulnerabilities, or engaging in denial-of-service (DoS) attacks.

UK ICO fines LastPass £1.2 million for 2022 data breach affecting 1.6 million users

The UK Information Commissioner's Office (ICO) fined LastPass £1.2 million for security failures that led to a 2022 breach impacting up to 1.6 million UK users. The breach involved two interconnected incidents starting in August 2022, where an attacker stole personal information and encrypted password vaults. The ICO found that LastPass failed to implement adequate security measures to prevent the breach. The attacker initially compromised a LastPass employee's laptop, gaining access to the company's development environment. The following day, the attacker targeted a senior employee by exploiting a vulnerability in a third-party streaming application, capturing the employee's master password and bypassing multi-factor authentication. This allowed the attacker to steal an Amazon Web Services access key and a decryption key, which were used to breach the cloud storage firm GoTo and steal LastPass database backups. The stolen data included encrypted password vaults, names, email addresses, phone numbers, and website URLs associated with customer accounts. The ICO emphasized that while LastPass' Zero Knowledge architecture prevented the decryption of customer password vaults, the company failed to meet its obligation to protect customer data. The breach has enabled bad actors to take advantage of weak master passwords to crack the encrypted vaults and drain cryptocurrency assets as recently as late 2025. Evidence points to the involvement of Russian cybercriminal actors, with one of the Russian exchanges receiving LastPass-linked funds as recently as October. More than $35 million in siphoned digital assets have been traced, out of which $28 million was converted to Bitcoin and laundered via Wasabi Wallet between late 2024 and early 2025. Another $7 million has been linked to a subsequent wave detected in September 2025.