Source headline: "Tyler Buchanan admits role in scheme that stole at least $8 million in virtual currency"
Source excerpt: A Scottish man linked to the Scattered Spider cybercrime crew has pleaded guilty in the US to a phishing and SIM-swap scheme that stole at least $8 million in cryptocurrency.…
Analysis Summary
# Threat Actor: Tyler Robert Buchanan
## Attribution & Identity
* **Identity:** Tyler Robert Buchanan, a 24-year-old Scottish national from Dundee.
* **Aliases:** "Dread Pirate Roberts," "Evefan," and "tylerb."
* **Associated Groups:** Linked to **Scattered Spider** (also known as UNC3944 or Roasted 0ktapus).
* **Known Associates:** Noah Michael Urban (convicted leader), Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans.
## Activity Summary
Between September 2021 and April 2023, Buchanan took part in a conspiracy to defraud at least 12 US-based companies and numerous individuals. He harvested employee and customer credentials by phishing, defeated SMS-based MFA by SIM swapping, and used the resulting access to drain cryptocurrency wallets, causing the theft of at least $8 million in virtual currency. He was arrested in Spain in June 2024 and extradited to the US in April 2025.
## Tactics, Techniques & Procedures
* **Social Engineering:** Extensive use of phishing campaigns to harvest employee and individual credentials.
* **Phishing Lures:** Sent SMS or email warnings claiming a user's VPN was about to expire, directing them to a credential-harvesting site.
* **Credential Harvesting:** Used "copycat" or look-alike websites to deceive targets into providing login details.
* **SIM Swapping:** Conducted unauthorized porting of victims' mobile phone numbers to devices controlled by the attackers.
* **MFA Bypass:** Used SIM swapping to intercept one-time passwords (OTPs) and bypass two-factor authentication (2FA).
* **Unauthorized Access:** Gained entry to corporate environments and used the access to identify and target high-value individual virtual currency accounts.
**Associated MITRE ATT&CK IDs:**
* **T1566.002:** Phishing: Spearphishing Link
* **T1451:** SIM Card Swap (Mobile ATT&CK ID)
* **T1111:** Multi-Factor Authentication Interception (capture of SMS one-time codes via the swapped SIM; T1556 Modify Authentication Process is a poor fit here, since the identity provider's authentication flow was not altered, only the SMS delivery channel was hijacked)
* **T1583.001:** Acquire Infrastructure: Domains
* **T1078:** Valid Accounts
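The following detection logic is an added example and is not part of the original report. It flags the sequence described above (phished credentials, a SIM swap or phone-number change, then a login authenticated with the intercepted one-time code) by looking for a successful login from an IP address or device never seen for that user within a short window after a password reset, MFA-factor enrolment or phone-number change. The event types, field names, user names and IP addresses are assumptions for illustration, not a specific vendor's audit-log schema or real data.

```python
"""Added example (not from the report): flag a successful login from an IP or
device never seen for that user shortly after a credential or MFA-factor change.

Event types and field names are assumptions, not a vendor schema; the events
are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
# Changes an attacker makes (or triggers) before logging in with intercepted OTPs
RISKY_CHANGES = {"password.reset", "mfa.factor.enroll", "user.phone.update"}
LOGIN = "user.login.success"

# Constructed sample events (ISO timestamps; sorted before processing).
EVENTS = [
    {"ts": "2023-03-01T08:00:00", "user": "alice", "type": LOGIN, "ip": "10.1.1.5", "device": "laptop-a1"},
    {"ts": "2023-03-01T09:00:00", "user": "bob", "type": LOGIN, "ip": "10.1.2.9", "device": "laptop-b2"},
    # alice: phone number changed, password reset, then login from a new IP and device
    {"ts": "2023-03-02T13:02:00", "user": "alice", "type": "user.phone.update", "ip": "203.0.113.7", "device": "unknown"},
    {"ts": "2023-03-02T13:05:00", "user": "alice", "type": "password.reset", "ip": "203.0.113.7", "device": "unknown"},
    {"ts": "2023-03-02T13:06:30", "user": "alice", "type": LOGIN, "ip": "203.0.113.7", "device": "android-x9"},
    # bob: routine password reset followed by login from his usual IP and device
    {"ts": "2023-03-02T14:00:00", "user": "bob", "type": "password.reset", "ip": "10.1.2.9", "device": "laptop-b2"},
    {"ts": "2023-03-02T14:03:00", "user": "bob", "type": LOGIN, "ip": "10.1.2.9", "device": "laptop-b2"},
]


def flag_suspicious_logins(events, window=WINDOW):
    """Return alerts for logins that follow a risky change within `window`
    and come from an IP or device not in the user's prior login history."""
    seen_ips, seen_devices = defaultdict(set), defaultdict(set)
    last_change = {}  # user -> (timestamp, change type)
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts = e["user"], datetime.fromisoformat(e["ts"])
        if e["type"] in RISKY_CHANGES:
            last_change[user] = (ts, e["type"])
            continue
        if e["type"] != LOGIN:
            continue
        new_ip = e["ip"] not in seen_ips[user]
        new_device = e["device"] not in seen_devices[user]
        change = last_change.get(user)
        if change and (new_ip or new_device) and ts - change[0] <= window:
            alerts.append({
                "user": user, "ts": e["ts"], "ip": e["ip"], "device": e["device"],
                "after": change[1],
                "minutes_since_change": (ts - change[0]).total_seconds() / 60,
            })
            continue  # do not let a flagged session become the user's new baseline
        seen_ips[user].add(e["ip"])
        seen_devices[user].add(e["device"])
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious_logins(EVENTS):
        print(alert)
```

On the constructed events only alice's login is flagged: it comes from a new IP and device 90 seconds after a password reset that itself followed a phone-number change. Bob's reset-then-login from his usual device is not flagged. Flagged sessions are deliberately kept out of the baseline so that an attacker's follow-up logins keep alerting rather than becoming "known".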
## Targeting
* **Sectors:** Technology, Virtual Currency/Fintech, and various corporate sectors.
* **Geography:** Primarily targeting organizations and individuals within the **United States**.
* **Victims:** At least a dozen US companies and their employees; individual cryptocurrency wallet holders. (Note: While Scattered Spider later attacked MGM and Caesars, Buchanan’s specific timeline predates those events).
## Tools & Infrastructure
* **Infrastructure Management:** Buchanan was personally involved in creating, managing, and paying for domain names.
* **Phishing Sites:** Infrastructure included copycat websites designed to mimic legitimate corporate login portals.
* **Data Storage:** Used text files to store sensitive data including wallet seed phrases, names, addresses, and login credentials (found during a search of his residence).
* **Domains:** Registered through various registrar services to support the phishing campaigns (domain names are defanged in this report, e.g., corporate-vpn-active[.]com).
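As an added example that is not part of the original report, the script below triages newly observed domain names for the look-alike and lure characteristics described in this section: the target brand embedded in or typosquatted into the registrable domain, or used as a subdomain of an unrelated domain, combined with the VPN/SSO/expiry vocabulary of the lures. The brand `acmecorp`, the legitimate-domain list and the sample feed are constructed for illustration and do not correspond to any real victim or registration.

```python
"""Added example (not from the report): score newly observed domain names for
look-alike / lure characteristics. BRAND, LEGIT and SAMPLE are constructed."""

BRAND = "acmecorp"  # assumed brand string of the targeted company
LEGIT = {"acmecorp.com", "vpn.acmecorp.com", "sso.acmecorp.com"}
# Words that recur in VPN/SSO-expiry lures; matched anywhere in the name
LURE_WORDS = ("vpn", "sso", "okta", "login", "auth", "mfa", "expire", "renew", "helpdesk")
THRESHOLD = 3


def registrable(domain):
    """Crude registrable-domain extraction (last two labels). A real deployment
    should use the Public Suffix List instead of this shortcut."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


LEGIT_REG = {registrable(d) for d in LEGIT}


def levenshtein(a, b):
    """Standard edit distance, used to catch typosquats such as acmec0rp."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score(domain):
    """Return (points, reasons). Legitimate registrable domains score 0."""
    d = domain.lower().strip(".")
    reg = registrable(d)
    if reg in LEGIT_REG:
        return 0, ["legitimate registrable domain"]
    sld = reg.split(".")[0]
    points, reasons = 0, []
    if BRAND in sld:
        points += 3
        reasons.append("brand inside the registrable domain")
    elif BRAND in d:
        points += 2
        reasons.append("brand used as a subdomain of an unrelated registrable domain")
    else:
        dist = levenshtein(sld, BRAND)
        if dist <= 2:
            points += 3
            reasons.append(f"registrable label is {dist} edit(s) from the brand")
    hits = [w for w in LURE_WORDS if w in d]
    if hits:
        points += min(len(hits), 2)
        reasons.append("lure keyword(s): " + ", ".join(hits))
    return points, reasons


def triage(domains, threshold=THRESHOLD):
    """Domains at or above the threshold, highest score first (stable for ties)."""
    scored = [(d, *score(d)) for d in domains]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


# Constructed sample feed (no real registrations)
SAMPLE = [
    "acmecorp-vpn-renew.com",
    "vpn.acmecorp.com",
    "acmec0rp.net",
    "cdn.example.org",
    "login.acmecorp.example-cdn.net",
]

if __name__ == "__main__":
    for d, pts, why in triage(SAMPLE):
        print(f"{pts} {d}: {'; '.join(why)}")
```

The scoring is intentionally simple: brand presence or a short edit distance in the registrable label carries most of the weight, and lure vocabulary adds at most two points so that a generic "vpn-login" domain with no brand tie does not cross the threshold on its own. Feed it from certificate-transparency logs or newly registered domain data and route the hits to the team that handles takedowns.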
## Implications
Buchanan’s activities show how effectively decentralized, youth-led cybercrime groups defeat MFA that depends on SMS or voice delivery, without any custom malware: a convincing lure plus a SIM swap was enough. His role underlines the human element of threat intelligence, where social engineering and carrier-side account takeover remain more effective than sophisticated tooling. The successful prosecution, following his arrest in Spain and extradition to the US, signals an increasing international effort to dismantle the core membership of the Scattered Spider ecosystem.
## Mitigations
* **Phishing Resistance:** Deploy FIDO2/WebAuthn authenticators (hardware security keys such as YubiKeys, or platform passkeys). The browser binds each signed assertion to the real site origin, so a copycat login page cannot relay it, and there is no one-time code for a SIM swap to intercept.
* **MFA Hardening:** Retire SMS and voice-call MFA, and remove phone numbers as account-recovery factors; both are defeated outright by a SIM swap.
* **SIM Swap Protections:** Enable the carrier's number-transfer lock (marketed as "Port Freeze", "Number Lock" or "Account Lockdown", depending on the carrier) and set a carrier account PIN to block unauthorized number transfers.
* **Identity Provider (IdP) Monitoring:** Alert on successful logins from new devices or IP addresses that follow a password reset, MFA-factor enrolment or phone-number change within a short window, since that sequence is the signature of a phish-then-SIM-swap takeover.
* **User Training:** Conduct specific training on recognizing urgent "service expiration" lures (VPN, Okta, etc.) often used by this actor.
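To make the "phishing resistance" point concrete, the block below is an added example (not code from the report or from any vendor) of the relying-party checks that give a FIDO2/WebAuthn assertion its origin binding. It runs a constructed legitimate login and a constructed relay attempt from a look-alike site through the same verifier. The relying party ID `acmecorp.com`, the allowed origins, the lure domain and the challenge are assumptions; the one step not shown is verifying the signature over the returned `signed_data` with the user's registered public key, which needs stored key material.

```python
"""Added example (not from the report): the relying-party checks that make a
FIDO2/WebAuthn assertion phishing-resistant, run against a constructed
legitimate login and a constructed look-alike-site relay. RP_ID, the origins,
the lure domain and the challenge are assumptions. Signature verification over
`signed_data` with the registered public key is the one step not shown.
"""
import base64
import hashlib
import json

RP_ID = "acmecorp.com"  # assumed relying party ID
ALLOWED_ORIGINS = {"https://sso.acmecorp.com", "https://vpn.acmecorp.com"}
FLAG_UP = 0x01  # authenticator data flags: user present


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """What the browser (not the user, not the page) builds: the origin is the
    page's real origin, so a look-alike site cannot claim to be sso.acmecorp.com."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """rpIdHash || flags || signCount, as the authenticator emits it. The browser
    only lets a page use an rpId that is a registrable suffix of its own origin."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_UP]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes):
    """Return (problems, signed_data). An empty problems list means every binding
    check passed; signed_data is what the credential's signature must cover."""
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("type is not webauthn.get")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        problems.append("challenge mismatch (replay or wrong session)")
    if cd.get("origin") not in ALLOWED_ORIGINS:
        problems.append(f"origin {cd.get('origin')!r} is not an allowed origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash does not match the relying party ID")
    if not auth_data[32] & FLAG_UP:
        problems.append("user-presence flag not set")
    signed_data = auth_data + hashlib.sha256(client_data_json).digest()
    return problems, signed_data


# Constructed challenge; a real RP generates a fresh random one per ceremony
CHALLENGE = bytes(range(32))


def legitimate_login():
    return verify_assertion(browser_client_data("https://sso.acmecorp.com", CHALLENGE),
                            authenticator_data(RP_ID), CHALLENGE)


def relayed_from_lookalike():
    """The lure site (constructed name) forwards the real challenge, but the
    victim's browser stamps the lure's origin into clientDataJSON and the
    authenticator hashes the lure's rpId, so both bindings fail at the RP."""
    lure = "acmecorp-vpn-renew.com"
    return verify_assertion(browser_client_data("https://" + lure, CHALLENGE),
                            authenticator_data(lure), CHALLENGE)


if __name__ == "__main__":
    print("legitimate:", legitimate_login()[0] or "ok")
    print("relayed   :", relayed_from_lookalike()[0])
```

This is the contrast with an SMS code: a six-digit OTP carries no information about where it was typed, so a copycat page can forward it to the real site within the validity window, and a SIM swap lets the attacker receive it directly. A WebAuthn assertion is signed over the origin and the relying party ID, so the same relay produces an assertion the real site rejects on two independent checks.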