From Phishing to Prison: A Step-by-Step Guide to the Scattered Spider Cybercrime Operation

Posted by u/Zheng01 · 2026-05-03 03:05:29

Overview

The arrest and guilty plea of Tyler Robert Buchanan, a 24-year-old British national and senior member of the cybercrime group known as 'Scattered Spider', provides a rare, detailed look into the mechanics of modern social-engineering attacks. This guide breaks down the entire operation—from the initial SMS phishing campaigns to the eventual downfall of one of its key operators. You will learn the specific techniques used, the infrastructure required, and the critical mistakes that led law enforcement to identify Buchanan. Whether you are a cybersecurity student, a security professional, or simply someone interested in understanding how cybercriminals operate, this tutorial offers a structured walkthrough of the attack chain and the subsequent investigation.

From Phishing to Prison: A Step-by-Step Guide to the Scattered Spider Cybercrime Operation
Source: krebsonsecurity.com

Prerequisites

Before diving into the step-by-step, ensure you have a basic understanding of the following concepts:

  • Social Engineering: The psychological manipulation of people into divulging confidential information or performing actions that compromise security.
  • SMS Phishing (Smishing): Phishing attacks carried out using text messages.
  • SIM Swapping: A technique where an attacker convinces a mobile carrier to transfer a victim's phone number to a SIM card controlled by the attacker.
  • Domain Registration and Phishing Infrastructure: How attackers set up fake websites to harvest credentials.

No specific tools are required for this guide, but familiarity with basic networking concepts (IP addresses, DNS) will help you follow along.

Step-by-Step Breakdown of the Scattered Spider Attack Methodology

Step 1: Reconnaissance and Target Selection

Scattered Spider began by identifying high-value targets. Their primary focus was major technology companies and, through them, individual cryptocurrency investors. In the summer of 2022, the group targeted companies such as Twilio, LastPass, DoorDash, and Mailchimp. The goal was to gain access to internal systems where they could steal employee credentials and customer data, which would later be used for SIM swapping.

Step 2: Launching the SMS Phishing Campaign

Under Buchanan’s direction, the group launched tens of thousands of SMS-based phishing attacks. These messages were designed to appear legitimate, often impersonating internal IT or security teams. A typical message would contain a link to a fake login page that captured the recipient's username and password. The group used social engineering to bypass multi-factor authentication (MFA) by tricking employees into providing one-time passcodes.

Step 3: Registering Phishing Domains

To host their fake login pages, the attackers needed domains that looked convincing. Buchanan used the same username and email address to register numerous phishing domains through the registrar NameCheap. The registration was done less than a month before the phishing spree began. Critically, Buchanan logged into the registration account from a UK-based IP address that was later linked to him.

Step 4: Gaining Initial Access

Once employees clicked the phishing link and entered their credentials, Scattered Spider immediately used the stolen information to log into the corporate VPN or email systems. They were then able to move laterally within the network, locate customer databases, and extract sensitive data including session tokens, password reset links, and phone numbers.

Step 5: Executing SIM Swaps to Steal Cryptocurrency

With the phone numbers of cryptocurrency investors in hand, the group performed SIM-swapping attacks. They contacted mobile carriers (e.g., T-Mobile, Verizon) impersonating the victim and requesting a SIM card replacement. Once the carrier transferred the number to the attacker’s device, all incoming SMS—including one-time passcodes for cryptocurrency exchanges and wallet services—were intercepted. Buchanan admitted to stealing at least $8 million in virtual currency from individual victims across the United States.

Step 6: Laundering the Stolen Cryptocurrency

After draining wallets, the funds were typically moved through a series of mixing services and exchanges to obscure the transaction trail. While the exact money laundering methods used by Scattered Spider are not fully detailed in the public record, it is standard practice for such groups to use decentralized exchanges and privacy coins to convert stolen assets into fiat currency.


Step 7: Law Enforcement Investigation and Arrest

The FBI traced the phishing domains back to Buchanan using the consistent username and email address. The domain registrar provided logs showing the login IP address originating from the UK. Scottish police confirmed that IP had been leased to Buchanan throughout 2022. In February 2023, Buchanan fled the UK after a rival gang attacked his home and assaulted his mother, threatening to burn him with a blowtorch if he did not surrender his cryptocurrency wallet. He was later arrested in Spain and extradited to the United States. In 2025, Buchanan pleaded guilty to wire fraud conspiracy and aggravated identity theft.
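The attribution pivots described in Step 3 and Step 7 (a consistent registrant username and e-mail across domains, a shared account-login IP, and registration shortly before the campaign began) can be turned into a routine review of registrar account logs. The following is an added example and not code from this post or from Krebs's reporting; every record, domain, handle and IP address in it is constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed registrar account records (invented domains, handles, e-mails and
# documentation-range IPs); not data from the case or from any real registrar.
RECORDS = [
    {"domain": "twilio-sso.example", "handle": "opx01", "email": "opx01@mail.example",
     "registered": date(2022, 7, 18), "login_ip": "198.51.100.23"},
    {"domain": "lastpass-verify.example", "handle": "opx01", "email": "opx01@mail.example",
     "registered": date(2022, 7, 25), "login_ip": "198.51.100.23"},
    {"domain": "doordash-it-help.example", "handle": "opx01", "email": "opx01@mail.example",
     "registered": date(2022, 7, 29), "login_ip": "203.0.113.9"},
    {"domain": "my-photos.example", "handle": "alice", "email": "alice@mail.example",
     "registered": date(2021, 3, 2), "login_ip": "192.0.2.44"},
    {"domain": "mailchimp-login.example", "handle": "opx02", "email": "opx01@mail.example",
     "registered": date(2022, 8, 1), "login_ip": "198.51.100.23"},
]

def pivot(records, key):
    """Group domains by one registrant attribute: handle, email or login_ip."""
    groups = defaultdict(set)
    for r in records:
        groups[r[key]].add(r["domain"])
    return {k: sorted(v) for k, v in groups.items()}

def registered_shortly_before(records, campaign_start, window_days=30):
    """Domains created inside the window just before a known phishing wave began."""
    lo = campaign_start - timedelta(days=window_days)
    return sorted(r["domain"] for r in records if lo <= r["registered"] < campaign_start)

def link_infrastructure(records, campaign_start, window_days=30):
    """Union-find linkage: domains sharing a handle, e-mail or login IP fall into
    one cluster; only clusters with a recently registered member are reported."""
    parent = {r["domain"]: r["domain"] for r in records}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]   # path compression
            d = parent[d]
        return d
    for key in ("handle", "email", "login_ip"):
        for domains in pivot(records, key).values():
            for d in domains[1:]:
                parent[find(d)] = find(domains[0])
    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    recent = set(registered_shortly_before(records, campaign_start, window_days))
    return [sorted(c) for c in clusters.values() if c & recent]
```

Run against real registrar or abuse-desk exports, the same three pivots surface a whole campaign's domains from one known-bad handle or login IP, which is the linkage the investigation in Step 7 relied on.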

Common Mistakes Made by the Attackers (and What You Can Learn)

  • Using the Same Credentials for Everything: Buchanan reused the same username and email address when registering phishing domains, making it easy for investigators to link the domains to him. Always use unique, compartmentalized accounts for illegal activities (but better, don't engage in them at all).
  • Failing to Anonymize Domain Registration: The use of a registrar that logs IP addresses, combined with a lack of VPN or proxy usage during registration, exposed Buchanan’s physical location.
  • Ignoring Operational Security: Rival gang attacks forced Buchanan to flee, but his haste likely led to poor opsec—such as using personal devices or accounts afterward.
  • For Victims: Trusting Unsolicited Texts: Employees should never click links in unexpected SMS messages. Always verify through a separate communication channel.
  • For Companies: Weak MFA Implementation: SMS-based MFA is vulnerable to SIM swapping. Use app-based or hardware token MFA instead.

Summary

The Scattered Spider case illustrates how a combination of social engineering, SMS phishing, and SIM swapping can lead to millions in losses. Tyler Buchanan’s guilty plea shows that even senior cybercriminals can be caught through simple operational mistakes—like reusing usernames and failing to hide IP addresses. This guide has walked through each phase of the attack, from reconnaissance to conviction, highlighting key vulnerabilities exploited by the group. For security professionals, the lessons are clear: implement phishing-resistant MFA, educate users about smishing, and perform regular reviews of domain registration logs for suspicious activity. For individuals, remain skeptical of any unexpected text message that demands immediate action.