Brit pleads guilty amid Scattered Spider hacking spree claims

Tyler Robert Buchanan faces 10 years in jail if found guilty


A British man alleged to be a member of the Scattered Spider cyber crime group has pleaded guilty to hacking the computers of at least a dozen companies, stealing more than $8 million in virtual currency from individual victims in the US.

Tyler Robert Buchanan, 24, of Dundee, Scotland, pleaded guilty to one count of conspiracy to commit wire fraud and one count of aggravated identity theft. He was arrested in 2024.

Between September 2021 and April 2023, according to Buchanan's plea agreement, he and his co-conspirators carried out cyber attacks against a range of organizations, including:

  • Interactive entertainment companies
  • Telecommunications firms
  • Technology companies
  • IT & business process outsourcing (BPO) suppliers
  • Cloud communications providers
  • Virtual currency companies

They sent hundreds of SMS phishing messages to the mobile phones of employees at the victim companies.

The messages purported to be from the company itself, or a contracted IT or BPO supplier, and contained links to phishing websites designed to look like the legitimate websites of the company or supplier.

Victims were then duped into providing confidential information, including personal identifying information (PII) and account usernames and passwords.

These stolen credentials were used to access employees' accounts and the company's computer systems, with the ultimate aim of stealing confidential information.

In some cases, this stolen information included confidential work products, intellectual property, account access credentials, names, email addresses, and telephone numbers.

Those involved in the scheme created a phishing kit that captured the login credentials that were entered into the fraudulent phishing websites, with the stolen credentials sent to an online Telegram channel allegedly administered by Buchanan and one of his co-conspirators.

In a raid on Buchanan's home in April 2023, a digital device was found to contain the names and addresses of numerous individual victims, including a text file that contained cryptocurrency seed phrases and login information for one victim’s account.

Sentencing will be carried out on August 21, with a statutory maximum sentence of 22 years in federal prison.

One of Buchanan's co-conspirators, Noah Michael Urban, is already serving a ten-year sentence, and has been ordered to pay $13 million in restitution. Three more men, all from the US, still face criminal charges in the case: Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo and Joel Martin Evans.

The men are believed to be part of the Scattered Spider cyber crime group and are thought to have been behind attacks on some of the world’s largest technology companies, including Twilio, LastPass, DoorDash, and Mailchimp.

Since Buchanan's arrest, the group's activity has continued, with attacks on MGM Group and, more recently, British firms Marks and Spencer, Jaguar Land Rover, and the Co-op.

The group has now evolved into a broader extortion ecosystem, operating under the name Scattered LAPSUS$ Hunters.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.