Scattered Spider's 'Tylerb' pleads guilty — twelve firms, eight million in crypto
Tyler Buchanan admits wire fraud and aggravated identity theft. The plea writes down the kill chain that the Twilio, LastPass and DoorDash reports paraphrased away.
Tyler Robert Buchanan, the Dundee 24-year-old known online as Tylerb, pleaded guilty this week to wire fraud conspiracy and aggravated identity theft. The DOJ’s filings cover the 2022 smishing campaign that compromised at least a dozen major technology firms — Twilio, LastPass, DoorDash, Mailchimp among them — and netted Buchanan and co-conspirators at least $8 million in cryptocurrency from US victims. Sentencing is set for 21 August; the statutory maximum is 22 years.
The interesting thing in a plea filing isn’t the headline number. It’s that the DOJ has to write down what actually happened — the operational mechanics that vendor incident reports usually paraphrase beyond recognition. A smishing message lands on a corporate mobile number; the victim taps through to a fake SSO portal; the attacker grabs the credential and the live MFA token in the same flow; the attacker pivots into the SaaS stack while the session is still warm. That’s the kill chain, written down, attributed to a person, with tooling. Until now defenders had Mandiant conference slides and a long Krebs piece. From August it’ll be a US federal sentencing.
For defenders, the lesson hasn’t moved since 2022. Number-bound MFA loses to a real-time adversary-in-the-middle page that proxies the legitimate login. Phishing-resistant authenticators — FIDO2 hardware, passkeys bound to a device — are the only thing that breaks the chain at the credential step. Everything downstream of that, including SaaS-side detection and session-token monitoring, is mitigation after the credential is already gone.
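The difference at the credential step, as an added example that is not taken from the DOJ filing or any vendor report: a one-time code verifies the same wherever the user typed it, while a WebAuthn assertion carries the browser-written origin and the RP ID hash, which the relying party checks. The host names, helper names and sample assertions are constructed assumptions, and signature verification is assumed to be done separately by the caller.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "sso.example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://sso.example.com"  # assumed legitimate login origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def otp_accepts(submitted: str, expected: str) -> bool:
    # A one-time code carries no record of the site it was typed into,
    # so a relayed code verifies exactly like a directly entered one.
    return hmac.compare_digest(submitted, expected)

def webauthn_accepts(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> bool:
    # Relying-party checks on an assertion. The signature over
    # auth_data || SHA-256(client_data_json) is assumed verified elsewhere.
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(challenge):
        return False
    if cd.get("origin") != EXPECTED_ORIGIN:  # written by the browser, not the page
        return False
    # First 32 bytes of authenticator data are SHA-256 of the RP ID.
    return hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest())

def make_assertion(origin: str, rp_id: str, challenge: bytes):
    # Constructed sample of what a browser and authenticator would emit
    # when the login page is served from `origin`.
    cd = json.dumps({"type": "webauthn.get",
                     "challenge": b64url(challenge),
                     "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return cd, auth_data

if __name__ == "__main__":
    chal = b"constructed-challenge"
    real = make_assertion(EXPECTED_ORIGIN, RP_ID, chal)
    lookalike = make_assertion("https://sso-example.test", "sso-example.test", chal)
    print("OTP typed anywhere:", otp_accepts("492816", "492816"))
    print("WebAuthn, real origin:", webauthn_accepts(*real, chal))
    print("WebAuthn, look-alike origin:", webauthn_accepts(*lookalike, chal))
```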
What changes here is the weight the criminal disclosure adds to the case for moving the default. If your security-awareness deck still says “be careful clicking links in SMS,” it’s about to be sat next to a federal sentencing memo that says it wasn’t enough.
A second Scattered Spider member, Noah Michael Urban, was sentenced last year to ten years plus $13 million in restitution. The named-actor count for this group is now two. The risk arithmetic for the rest of them keeps changing.