Scattered Spider Member Pleads Guilty in SIM-Swap Leaderboard Case

On April 21, 2026, the digital world witnessed a seismic shift in the ongoing battle against high-tier social engineering. Tyler Robert Buchanan, a 24-year-old from Dundee, Scotland, stood before an Orange County federal court and entered a guilty plea that effectively dismantled the myth of the untouchable “teen hacker.” Known in the clandestine channels of Telegram and Discord as “Tylerb,” this Scattered Spider member admitted to conspiracy to commit wire fraud and aggravated identity theft—charges that carry a maximum statutory penalty of 22 years in federal prison.
Buchanan’s plea pulls back the curtain on a decade-defining cybercrime collective. While groups like REvil or Conti relied on sophisticated malware and Russian state-tolerated sanctuaries, Scattered Spider (also tracked as UNC3944 or 0ktapus) leveraged something far more relatable: the English language and a profound understanding of human psychology. This group didn’t just hack systems; they hacked people. The case against Buchanan reveals a subculture defined by intense rivalries, “leaderboards” of stolen wealth, and a shocking descent into physical violence that involves blowtorches, home invasions, and “violence-as-a-service.”
The Rise of the Scattered Spider Member: Who is Tylerb?
Tyler Robert Buchanan was not a typical cybercriminal lurking in a basement in Eastern Europe. He was a senior figure in “The Com,” a sprawling, loosely organized community of mostly Western, English-speaking hackers. These individuals, often starting as teenagers in gaming communities, graduated from stealing Minecraft skins to orchestrating some of the most daring corporate breaches in history. As a prominent Scattered Spider member, Buchanan was the “glue” that held various operational cells together during their peak activity between 2021 and 2023.
Using the handle “Tylerb,” Buchanan became a specialist in the art of the SIM-swap. This technical maneuver involves convincing a mobile carrier to transfer a victim’s phone number to a SIM card controlled by the attacker. Once the attacker controls the phone number, they can bypass SMS-based two-factor authentication (2FA), reset passwords for cryptocurrency exchanges, and drain digital wallets in minutes. According to court records, Buchanan and his co-conspirators successfully siphoned at least $8 million in cryptocurrency, with Spanish authorities reporting that he at one point controlled Bitcoin worth upwards of $27 million.
The SIM-Swap Leaderboard: A Meritocracy of Crime
The most chilling revelation from the FBI’s investigation into “The Com” is the existence of a Telegram-based “leaderboard.” This was not merely a list of names; it was a real-time index of “conquests,” ranking the 100 most successful SIM-swappers by the total value of cryptocurrency they had stolen. On this leaderboard, Buchanan was ranked #65. His co-conspirator, Noah Michael Urban (known as “Sosa”), was ranked at #24.
This leaderboard incentivized increasingly aggressive attacks. It transformed cybercrime from a purely financial pursuit into a social status symbol. For young men in their late teens and early twenties, the “clout” gained by climbing the ranks was often as valuable as the stolen Bitcoin itself. This gamification of theft led to a hyper-competitive environment where hackers would frequently “dox” (release personal information) or “swat” (call in fake police raids) one another to eliminate rivals on the board.
Technical Mastery: How Scattered Spider Breached the Giants
The success of the Scattered Spider member was rooted in a specific technical workflow that traditional cybersecurity defenses were ill-equipped to handle. Their campaigns, most notably the 2022 “0ktapus” operation, targeted over 130 organizations, including tech titans like Twilio, Cloudflare, LastPass, DoorDash, and Mailchimp. The methodology followed a distinct pattern:
- Credential Harvesting (Smishing): The group would send tens of thousands of SMS phishing messages to employees of targeted companies. These messages often claimed to be from the company’s IT help desk or a Business Process Outsourcing (BPO) provider, warning of a security issue that required the user to log into a spoofed portal.
- MFA Bypass (Evilginx): The phishing sites were not static. They functioned as transparent proxies using tools like Evilginx, which captured not just the username and password, but also the session tokens and multi-factor authentication codes in real time.
- Help Desk Social Engineering: If 2FA proved difficult to bypass, a Scattered Spider member would simply call the company’s IT help desk. Utilizing their native fluency in English and a calm, authoritative tone, they would impersonate an employee, claiming they had lost their phone or were having trouble with their MFA device. This “vishing” (voice phishing) was incredibly effective against low-level support staff who were trained to be helpful rather than suspicious.
- Lateral Movement: Once inside a corporate environment (often via an Okta or Microsoft Azure portal), the group moved rapidly. They targeted Slack, Jira, and internal documentation to find more credentials, eventually gaining access to sensitive customer data or internal administrative tools.
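The proxy-phishing and help-desk steps above leave traces that can be correlated in identity-provider logs. The following is an added defensive example, not code from the original article or from any vendor: it flags a session token that appears from a second IP address and a sign-in from a never-before-seen IP shortly after an MFA reset. The event field names, the 60-minute window, and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # assumed correlation window after an MFA reset

# Constructed sample events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"ts": "2024-01-10T07:00:00", "user": "carol", "type": "signin", "ip": "198.51.100.30", "session": "s4"},
    {"ts": "2024-01-10T08:00:00", "user": "bob", "type": "signin", "ip": "198.51.100.20", "session": "s2"},
    {"ts": "2024-01-10T09:00:00", "user": "alice", "type": "signin", "ip": "198.51.100.10", "session": "s1"},
    {"ts": "2024-01-10T09:05:00", "user": "alice", "type": "session_use", "ip": "198.51.100.10", "session": "s1"},
    {"ts": "2024-01-10T09:06:00", "user": "alice", "type": "session_use", "ip": "203.0.113.77", "session": "s1"},
    {"ts": "2024-01-10T10:00:00", "user": "bob", "type": "mfa_reset", "actor": "helpdesk"},
    {"ts": "2024-01-10T10:12:00", "user": "bob", "type": "signin", "ip": "203.0.113.90", "session": "s3"},
    {"ts": "2024-01-10T11:00:00", "user": "carol", "type": "mfa_reset", "actor": "helpdesk"},
    {"ts": "2024-01-10T11:10:00", "user": "carol", "type": "signin", "ip": "198.51.100.30", "session": "s5"},
]

def detect(events):
    """Return (rule, user, session, ip) alerts for two identity-log patterns."""
    alerts = []
    known_ips = {}   # user -> IPs already observed for that user
    session_ip = {}  # session id -> IP that first presented it
    last_reset = {}  # user -> time of the most recent MFA reset
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["type"] == "mfa_reset":
            last_reset[user] = ts
            continue
        ip, sid = e["ip"], e.get("session")
        seen = known_ips.setdefault(user, set())
        # Rule 1: one session token presented from a different IP than the
        # one that first used it (possible replay of a proxied session).
        if sid and session_ip.setdefault(sid, ip) != ip:
            alerts.append(("session_replay", user, sid, ip))
        # Rule 2: sign-in from an IP new to this user within WINDOW of an
        # MFA reset (possible help-desk impersonation followed by takeover).
        reset = last_reset.get(user)
        if e["type"] == "signin" and ip not in seen and reset and ts - reset <= WINDOW:
            alerts.append(("reset_then_new_ip", user, sid, ip))
        seen.add(ip)
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Both rules produce signals to triage rather than verdicts: mobile users legitimately change IP mid-session, and a user who really did replace a phone will sign in after a reset.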
In the case of Twilio, the group used stolen credentials to gain access to the internal console, allowing them to view the data of approximately 125 customers. In the case of MGM Resorts, the group’s tactics shifted toward ransomware, causing a week-long shutdown of casino floors and hotel systems that cost the company over $100 million in lost revenue.
The Dark Side of the Com: The Blowtorch Incident
The intensity of the competition within “The Com” eventually spilled over from the digital realm into the physical world. The investigation into Buchanan highlighted a terrifying incident in February 2023. A rival cybercrime gang, seeking to settle a score and extort Buchanan’s massive cryptocurrency holdings, utilized “violence-as-a-service.”
This service allows hackers to hire local thugs via Telegram to carry out “IRL” (In Real Life) attacks. These thugs invaded Buchanan’s home in Dundee, assaulted his mother, and allegedly threatened to use a blowtorch on Buchanan unless he handed over the private keys to his cryptocurrency wallets. This escalation from digital theft to physical torture underscores the ruthless nature of modern cybercrime cliques. It was this specific incident that reportedly prompted Buchanan to flee the United Kingdom, eventually leading to his arrest at Palma Airport in Spain in June 2024 as he attempted to board a flight to Italy.
Law Enforcement and the “Old Guard”
The arrest and subsequent guilty plea of a high-ranking Scattered Spider member like Buchanan marks a significant victory for the FBI and its international partners, including Police Scotland and the Spanish National Police. For years, these young hackers operated with a sense of impunity, believing that their decentralized structure and use of encrypted messaging apps made them invisible.
However, the paper trail they left was extensive. Investigators traced IP addresses used to register fraudulent domains (often through NameCheap) back to Buchanan’s digital footprint. When Police Scotland raided his residence in April 2023, they seized approximately 20 devices containing stolen personal identifying information (PII), cryptocurrency seed phrases, and logs of his social engineering calls. This evidence was instrumental in securing the conspiracy and identity theft charges.
- Tyler Robert Buchanan (Tylerb): Pleaded guilty; faces up to 22 years.
- Noah Michael Urban (Sosa): Already serving a 10-year sentence and ordered to pay $13 million in restitution.
- Joel Martin Evans (joeleoli): Currently facing charges in the United States.
- Ahmed Hossam Eldin Elbadawy (AD): Currently facing charges.
- Evans Onyeaka Osiebo: Currently facing charges.
Conclusion: The Evolving Threat of Social Engineering
The saga of the Scattered Spider member Tyler Robert Buchanan serves as a warning to the corporate world. It proves that no matter how many millions a company spends on firewalls and endpoint detection, the weakest link remains the human element. The “leaderboard” mentality of “The Com” ensured that these hackers were constantly refining their scripts and their psychological tactics, making them some of the most effective threat actors of the 21st century.
Buchanan’s sentencing, scheduled for August 21, 2026, will likely be a landmark moment. It signals to the remaining members of “The Com” that the FBI is no longer viewing their activities as “juvenile pranks,” but as serious federal crimes that carry adult consequences. While the “old guard” of Scattered Spider is being systematically dismantled, the techniques they pioneered—MFA fatigue, help desk impersonation, and the use of proxy-based phishing—have already been adopted by a new generation of criminals.
For organizations, the lesson is clear: Technical security is secondary to cultural security. Moving away from SMS-based 2FA, implementing “zero trust” architectures, and training employees to recognize the subtle nuances of a professional social engineer are no longer optional—they are essential for survival in an era where a 24-year-old with a Telegram account can bring a multi-billion dollar corporation to its knees.
Written by
TempMail Ninja


