Inside the Scattered Spider Cyberattack: A Step-by-Step Guide to Understanding Their Tactics and Defending Against SIM-Swap Phishing

From Moocchen, the free encyclopedia of technology

Overview

In a landmark case that underscores the growing threat of English-speaking cybercrime, a 24-year-old British national named Tyler Robert Buchanan—known online as 'Tylerb'—has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Buchanan was a senior member of the notorious group Scattered Spider, which used social engineering to infiltrate major tech companies like Twilio, LastPass, DoorDash, and Mailchimp during the summer of 2022. Through a series of SMS-based phishing attacks, the group stole tens of millions of dollars in cryptocurrency from individual investors. Buchanan now faces up to 20 years in U.S. prison.

Inside the Scattered Spider Cyberattack: A Step-by-Step Guide to Understanding Their Tactics and Defending Against SIM-Swap Phishing
Source: krebsonsecurity.com

This tutorial unpacks the attack chain step by step, explains how the group operated, and provides actionable defense strategies for individuals and organizations. Whether you're a security professional, a business owner, or a concerned user, you'll learn how to recognize and block these threats before they succeed.

Prerequisites

Before diving into the technical details, you should be familiar with:

  • Basic cybersecurity concepts (phishing, social engineering).
  • How SMS and SIM cards work.
  • The role of multi-factor authentication (MFA).
  • Common cryptocurrency storage methods (hot wallets, exchanges).

No coding or advanced networking knowledge is required—this guide is technical but accessible to anyone with a general interest in cybercrime.

The Scattered Spider Attack Chain

Understanding how Scattered Spider operated is key to defending against similar attacks. Below is a step-by-step breakdown of their methods, based on court documents and FBI investigations.

Step 1: Reconnaissance and Target Selection

Scattered Spider didn't attack randomly. They focused on technology companies that housed sensitive customer data or managed authentication services. Their primary targets included Twilio (a cloud communications platform), LastPass (password manager), and DoorDash (food delivery). By breaching these firms, they could access internal systems used by millions of end users.

They gathered employee names, roles, and contact information from LinkedIn, company websites, and public breach databases. This intelligence helped them craft convincing phishing messages.

Step 2: SMS Phishing Campaigns

In the summer of 2022, Buchanan and his co-conspirators launched tens of thousands of SMS-based phishing attacks. These messages appeared to come from internal IT departments or trusted third parties. For example, they might text an employee: "Your Twilio account has been locked. Click here to verify your credentials." The link led to a fake login page controlled by the attackers.

Using the same username and email address, Buchanan registered numerous phishing domains through NameCheap. The FBI traced the registration IP back to an address in the UK that was leased to him at the time. This digital footprint became the key evidence tying him to the attacks.

Step 3: Credential Theft and Account Compromise

Once an employee entered their credentials on the fake page, the group immediately used them to log into the real company systems. They often bypassed MFA by tricking help desks. A common tactic: calling the IT support line, impersonating the employee, and claiming they'd lost their phone. The help desk would then issue a new MFA token or reset the password, giving the attackers full access.

With access to internal tools, they extracted customer databases, API keys, and session tokens. For instance, from Twilio they obtained two-factor authentication codes meant for customers of other services.

Step 4: SIM Swapping to Target Cryptocurrency Investors

The ultimate goal was to drain cryptocurrency wallets. Scattered Spider used the stolen customer data to perform SIM-swapping attacks. In a SIM swap, the attacker contacts the victim's mobile carrier and social engineers them into transferring the victim's phone number to a new SIM card controlled by the attacker. Once successful, all SMS and calls go to the attacker's device.

This interception allowed the group to receive password reset links and one-time passcodes sent via SMS for cryptocurrency exchanges. Buchanan admitted to stealing at least $8 million in virtual currency from victims across the United States.

Step 5: Money Laundering

Stolen cryptocurrency was quickly transferred through multiple wallets, often using mixers (tumbling services) to obscure the trail. The group then converted the funds into fiat currency through exchanges with weak KYC (Know Your Customer) rules, or via peer-to-peer transactions.

How to Defend Against These Attacks

Organizations and individuals can implement the following measures to thwart similar social engineering campaigns.

Defense 1: Strengthen Help Desk Verification

Train IT support staff to never rely solely on caller ID or employee-provided information. Use out-of-band verification—call back the employee on a known internal number or use a secure chat system. Implement strict procedures for password resets and MFA token reissues.

Defense 2: Eliminate SMS-Based MFA

SMS is inherently insecure due to SIM swapping risks. Replace it with app-based authenticators (Google Authenticator, Microsoft Authenticator) or hardware tokens (YubiKey). For high-value accounts, use FIDO2/WebAuthn. This was Scattered Spider's primary vector—they specifically targeted SMS one-time passcodes.

Defense 3: Educate Employees on Phishing

Conduct regular simulated phishing campaigns. Teach employees to never click links in unsolicited text messages—even if they appear to come from IT. Encourage reporting of suspicious messages. Use anti-phishing tools that scan URLs in real time.

Defense 4: Monitor for Phishing Domains

Companies should monitor domain registrations similar to their own. Services like DomainTools or commercial threat intelligence feeds can alert on newly registered domains that mimic the brand. The FBI found Buchanan through his domain registrations—proactive monitoring could have spotted the phishing infrastructure earlier.
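The lookalike-domain check described above, written out as an added example (not code from the original page or from any vendor product named there). The brand list, the homoglyph table, the similarity threshold and the sample domains are all constructed for this example; only bare TLDs such as .com or .net are assumed, and punycode labels are not decoded.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Brands to protect: constructed list for this example.
BRANDS = ["twilio", "lastpass", "doordash", "mailchimp"]

# Substitutions commonly seen in lookalike labels (digit-for-letter, "vv" for "w", "rn" for "m").
# Multi-character keys come first so they are folded before single characters.
HOMOGLYPHS = {"vv": "w", "rn": "m", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}

THRESHOLD = 0.8  # similarity ratio at or above which a domain is reported (assumed value)


def registrable_label(domain: str) -> str:
    """Second-level label of the domain; assumes a single-label public suffix (simplification)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Fold a label to a comparable form: NFKD, ASCII only, separators dropped, homoglyphs replaced."""
    label = unicodedata.normalize("NFKD", label.lower()).encode("ascii", "ignore").decode()
    label = re.sub(r"[-_]", "", label)
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def lookalike_score(domain: str, brand: str) -> float:
    """1.0 when the brand is embedded in the folded label, else a difflib similarity ratio."""
    label = normalize(registrable_label(domain))
    if brand in label:
        return 1.0
    return SequenceMatcher(None, label, brand).ratio()


def flag_domains(domains, brands=BRANDS, threshold=THRESHOLD):
    """Return (domain, brand, score) for every domain resembling a protected brand, best match first."""
    hits = []
    for domain in domains:
        brand, score = max(((b, lookalike_score(domain, b)) for b in brands), key=lambda x: x[1])
        if score >= threshold:
            hits.append((domain, brand, round(score, 3)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


# Constructed sample feed of newly registered domains, not real registrations.
SAMPLE_DOMAINS = ["twilio-sso.com", "tvvilio.net", "lastpas5.com", "d00rdash-verify.com",
                  "twillio.com", "example.org"]

if __name__ == "__main__":
    for hit in flag_domains(SAMPLE_DOMAINS):
        print(hit)
```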

Defense 5: Individual Cryptocurrency Security

Investors should never store large amounts of crypto on an exchange. Use hardware wallets (Ledger, Trezor) with a strong passphrase. Enable withdrawal whitelisting and avoid using phone numbers as MFA for exchange accounts. The safest approach: keep recovery phrases offline and never share them.

Common Mistakes

Avoid these pitfalls that made Scattered Spider's attacks successful:

  • Over-reliance on SMS: Even if you use SMS MFA, a determined attacker can SIM-swap you. Always push for app-based or hardware tokens.
  • Caller ID trust: Help desks that reset passwords based solely on a phone call are vulnerable. Implement a call-back policy using a pre-registered phone number.
  • Ignoring phishing training: One employee's click can bring down the entire company. Regular training reduces risk dramatically.
  • Lack of domain monitoring: Not checking for lookalike domains allows attackers to operate undetected for months.
  • Poor session management: After a breach, attackers often harvest session tokens. Use short session timeouts and enforce re-authentication for sensitive actions.
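The session policy from the last bullet (idle and absolute timeouts, fresh re-authentication for sensitive actions, bulk revocation after a reset) as an added example; it is not code from the original page. The timeout values, the set of sensitive actions and the injectable clock are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session is dropped (assumed)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age regardless of activity (assumed)
STEP_UP_WINDOW = 5 * 60       # sensitive actions require an authentication this recent (assumed)
SENSITIVE_ACTIONS = {"change_mfa", "add_withdrawal_address", "reset_password"}


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    last_auth: float  # most recent full authentication (login or step-up)


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested deterministically
        self._sessions = {}

    def login(self, user: str) -> str:
        """Create a session after a full authentication and return its opaque token."""
        now = self._clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now, now)
        return token

    def _live(self, token: str):
        """Return the session if it is within both timeouts, else drop it and return None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[token]
            return None
        s.last_seen = now
        return s

    def authorize(self, token: str, action: str) -> str:
        """'ok', 'reauth' (live session but the action needs fresh authentication) or 'denied'."""
        s = self._live(token)
        if s is None:
            return "denied"
        if action in SENSITIVE_ACTIONS and self._clock() - s.last_auth > STEP_UP_WINDOW:
            return "reauth"
        return "ok"

    def step_up(self, token: str) -> bool:
        """Record a fresh authentication (e.g. a FIDO2 assertion) on a live session."""
        s = self._live(token)
        if s is None:
            return False
        s.last_auth = self._clock()
        return True

    def revoke_all(self, user: str) -> int:
        """Invalidate every session of a user, e.g. after a credential reset or suspected token theft."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)
```

A harvested token therefore stops working on its own after fifteen idle minutes, cannot change MFA or withdrawal settings without a fresh authentication, and is killed outright by `revoke_all` once a compromise is suspected.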

Summary

The guilty plea of Tyler 'Tylerb' Buchanan highlights the real-world consequences of sophisticated cybercrime. Scattered Spider's blend of phishing, social engineering, and SIM swapping cost victims millions and disrupted major tech companies. By understanding their methods—from SMS phishing campaigns to help desk manipulation—you can build stronger defenses. The key takeaways: eliminate SMS MFA where possible, verify identity through multiple channels, educate users, and monitor for phishing infrastructure. For individuals, secure your crypto with hardware wallets and avoid tying your phone number to financial accounts. With these steps, you can significantly reduce the risk of falling victim to similar attacks.