Quick Facts
- Category: Cybersecurity
- Published: 2026-05-18 00:26:49
Overview
In May 2025, a 24-year-old British national named Tyler Robert Buchanan—known by his hacker handle "Tylerb"—pleaded guilty to wire fraud conspiracy and aggravated identity theft. As a senior member of the prolific cybercrime group Scattered Spider, Buchanan orchestrated a series of SMS-based phishing (SMiShing) attacks in the summer of 2022 that compromised at least a dozen major tech companies and siphoned tens of millions of dollars in cryptocurrency from investors. This guide dissects the group's methodology, drawing directly from the Tylerb case to provide a technical but accessible walkthrough of how modern social engineering attacks unfold. By understanding these steps, you can better protect your organization and personal assets.

Prerequisites
Before diving into the attack chain, ensure you have:
- A basic understanding of phishing and social engineering concepts
- Familiarity with SIM swapping and its risks
- Knowledge of common authentication methods (SMS one-time passcodes, password reset links)
- An interest in real-world cybercrime case studies
No coding skills are required, but we will reference technical details like domain registration IP logs and SMS crafting.
Step-by-Step Guide: How the Scattered Spider Attack Worked
Step 1: Reconnaissance and Target Selection
Scattered Spider identified high-value technology companies such as Twilio, LastPass, DoorDash, and Mailchimp. The group focused on firms that relied heavily on SMS-based authentication for their employees or customers. They gathered information about employee names, roles, and contact details from public sources like LinkedIn and corporate websites. This reconnaissance was manual but systematic—Buchanan and his co-conspirators built a list of potential victims who could be tricked into revealing credentials.
Step 2: Crafting the SMiShing Campaign
Using the collected data, the group created tens of thousands of personalized text messages. These messages mimicked legitimate security alerts or password reset requests. For example:
"Your Twilio account requires verification. Click here to confirm: [malicious link]"
The links led to fake login pages (phishing domains) that looked identical to the real company portals. Buchanan admitted that the campaign was launched in 2022, with the messages sent in rapid succession to overwhelm employees and increase the chance of a click.
Step 3: Registering Phishing Domains
To host the fake pages, the group registered numerous domains under similar-sounding names (e.g., "twilio-auth.com" instead of "twilio.com"). The FBI traced these domains back to Buchanan because the same username and email address were used to register them with NameCheap. The registrar revealed that the account logged in from a U.K. internet address just weeks before the phishing spree—and Scottish authorities confirmed that address was leased to Buchanan throughout 2022. This oversight became a crucial piece of evidence.
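The lure in Step 2 and the lookalike domains in Step 3 are the two things a defender can screen for before anyone clicks. The following is an added example, not code from the article or from any of the companies it names: a small Python checker that pulls every URL out of a message and classifies its host as the real brand domain, a lookalike (brand name embedded in a different registrable domain, or a one-character misspelling), or unrelated. The protected-domain list, the sample SMS and the URL in it are constructed for this example; the "twilio-auth.com" pattern is the one quoted above.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed allow-list of real brand domains a mail/SMS gateway might protect.
# The brand names come from the companies named in this article; treating them
# as an allow-list is an assumption of this example.
PROTECTED_DOMAINS = {"twilio.com", "lastpass.com", "doordash.com", "mailchimp.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels; catches one-character typosquats such as 'tw1lio'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host ('login.twilio.com' -> 'twilio.com').

    Simplification: production code should consult the Public Suffix List so that
    multi-label suffixes such as 'co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> Tuple[str, Optional[str]]:
    """Return ('legitimate' | 'lookalike' | 'unrelated', matched brand domain or None)."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return "legitimate", reg          # the real domain or a genuine subdomain of it

    # Tokens of the host split on '.' and '-': 'twilio-auth.com' -> ['twilio', 'auth', 'com']
    tokens = host.replace("-", ".").split(".")
    second_level = reg.split(".")[0]
    for brand in sorted(PROTECTED_DOMAINS):
        brand_label = brand.split(".")[0]
        # Brand name embedded in a different registrable domain:
        # 'twilio-auth.com', 'twilio.com.verify-login.net'
        if brand_label in tokens:
            return "lookalike", brand
        # Near-miss spelling of the brand in the second-level label: 'tw1lio.com', 'twillio.com'
        if second_level != brand_label and levenshtein(second_level, brand_label) <= 1:
            return "lookalike", brand
    return "unrelated", None


def scan_message(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Extract every http(s) URL from a message and classify its host."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)]}")   # drop punctuation that trails a URL in prose
        host = urlparse(url).hostname
        if host is None:
            continue
        verdict, brand = classify_host(host)
        findings.append((url, verdict, brand))
    return findings


if __name__ == "__main__":
    # Constructed sample modelled on the lure quoted in Step 2; the URL is made up.
    sample_sms = ("Your Twilio account requires verification. "
                  "Click here to confirm: https://twilio-auth.com/verify")
    for url, verdict, brand in scan_message(sample_sms):
        print(f"{url} -> {verdict} (brand: {brand})")
```

The embedded-token check is what catches the "brand-auth.com" style registered in Step 3; the edit-distance check covers single-character substitutions. Keep the distance threshold at 1 for short labels, since a looser threshold quickly produces false positives on unrelated short names, and treat any "lookalike" verdict as a reason to quarantine rather than a final decision.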
Step 4: Executing the SMS Attacks
With domains ready, the group sent the phishing texts. Recipients who clicked were taken to fake login pages where they unwittingly entered their credentials. The stolen credentials were then used to log into the real company systems. In some cases, the attackers impersonated the victims to deceive IT help desks into granting additional access—a classic social engineering tactic that Scattered Spider perfected.
Step 5: Gaining Initial Access
Once inside a company's network, the attackers moved laterally—accessing internal databases, employee portals, and customer data. For example, the breach of Twilio allowed Scattered Spider to steal authentication tokens that could bypass multi-factor authentication (MFA). They also exfiltrated sensitive information like email addresses and phone numbers of customers, which fueled the next phase.
Step 6: Data Theft and Preparation for SIM Swapping
The data stolen from companies—especially phone numbers and account details—was used to identify cryptocurrency investors among the victims. Scattered Spider then initiated SIM-swapping attacks. In a SIM swap, the attacker contacts the victim's mobile carrier, pretends to be the victim, and asks for the victim's phone number to be moved to a SIM card the attacker controls. If the carrier complies, all calls and texts intended for the victim (including one-time passcodes and password reset links) are delivered to the attacker's device instead.

Step 7: Stealing Cryptocurrency Funds
With control of the victim's phone number, Buchanan and his crew reset passwords on cryptocurrency exchanges and wallets. They intercepted SMS-based authentication codes, drained accounts, and transferred funds to their own wallets. Buchanan admitted to stealing at least USD $8 million in virtual currency from individual victims across the United States. The Justice Department noted that the group used multiple wallets and mixing services to obscure the flow of funds.
Step 8: Attempting to Evade Detection
After the attacks, Buchanan fled the United Kingdom in February 2023—not because of law enforcement, but because a rival cybercrime gang had violently invaded his home, assaulted his mother, and threatened to burn him with a blowtorch unless he surrendered his cryptocurrency wallet keys. This inter-gang conflict highlights the dangerous ecosystem in which such criminals operate.
Despite his flight, the FBI had already connected him to the phishing domains. When Buchanan was later detained by airport authorities in Spain, he was finally brought into U.S. custody. He now faces over 20 years in prison.
Common Mistakes Made by the Attackers
- Using consistent identifiers: Buchanan used the same username and email to register all phishing domains, making it easy for NameCheap and the FBI to link them.
- Not hiding IP addresses: The login IP from his residence in Scotland was a simple oversight; using a VPN could have delayed attribution.
- Overconfidence in rival dealings: The attack on his home by a rival group shows that criminal reputation can attract unwanted attention.
- Leaving a paper trail: By using SMS-based attacks that rely on phone carriers, the group left logs that law enforcement could trace.
Summary
The Scattered Spider operation, exemplified by Tylerb's guilty plea, demonstrates a sophisticated multi-stage attack combining SMiShing, domain squatting, credential theft, and SIM swapping. This guide walked through the eight critical steps from reconnaissance to fund extraction. The case underlines the importance of moving away from SMS-based authentication and educating employees about phishing. By understanding this anatomy, you can implement stronger security controls—such as hardware tokens or app-based MFA—and avoid the costly mistakes that led to the downfall of one of the group's senior members. For further reading, explore our guides on phishing detection and SIM swap prevention.