Full Report
Tyler Robert Buchanan “was the glue that held this gang together,” a cybercrime researcher said. He faces up to 22 years in federal prison. The post Scottish man pleads guilty to attack spree that created Scattered Spider’s notoriety appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Tyler Robert Buchanan
## Attribution & Identity
- **Name:** Tyler Robert Buchanan
- **Nationality:** Scottish (Dundee, Scotland)
- **Age:** 24
- **Associated Groups:**
  - **Scattered Spider** (also known as UNC3944)
  - **The Com** (described as an aggressive subset/offshoot)
- **Known Associates:** Noah Michael Urban (sentenced to 10 years), Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans.
## Activity Summary
Buchanan served as a "core leader" and the "glue" for a cell within the Scattered Spider ecosystem. Between September 2021 and April 2023, he orchestrated high-profile phishing and SIM-swapping campaigns. He was arrested in Spain in 2024 and pleaded guilty in April 2026 to conspiracy to commit wire fraud and aggravated identity theft. His operations resulted in the theft of over $8 million in cryptocurrency.
## Tactics, Techniques & Procedures
- **Social Engineering & Phishing:** Harvesting thousands of corporate and personal credentials via phishing pages.
- **SIM Swapping:** Redirecting victim phone numbers to attacker-controlled devices to bypass multi-factor authentication (MFA).
- **Identity Theft:** Stealing personal data and vanity usernames.
- **Financial Extortion:** Use of physical violence and threats (noted by researchers as a characteristic of "The Com" subculture).
- **Credential Harvesting:** Accessing employee accounts to pivot into corporate environments.
**MITRE ATT&CK IDs (Inferred):**
- T1566: Phishing
- T1450: SIM Card Swap
- T1594: Search Victim-Owned Resources
## Targeting
- **Sectors:** Entertainment, Telecommunications, Technology, Business Process Outsourcing (BPO), IT, Cloud Services, and Virtual Currency.
- **Geography:** Primarily targeting individuals and businesses within the United States.
- **Victims:** High-net-worth individuals and at least a dozen major U.S.-based companies and their employees.
## Tools & Infrastructure
- **Phishing Kits:** Used to harvest thousands of credentials.
- **Digital Infrastructure:** Spanish police seized devices containing personal data of victims and company employees.
- **Cryptocurrency Wallets:** Used to store and launder over $8 million in stolen digital assets.
## Implications
- **Strategic Threat Shift:** Buchanan represents a shift in which "The Com"—originally a community focused on gaming and "vanity" handles—has evolved into a sophisticated, high-stakes financial criminal enterprise.
- **Operational Risk:** The group’s willingness to use extreme social engineering and physical coercion marks them as significantly more volatile than traditional state-sponsored or purely digital ransomware groups.
- **Global Reach:** Despite being based in the UK, the actor was able to compromise major US infrastructure and was only apprehended due to international cooperation during personal travel.
## Mitigations
- **Phishing Defense:** Implementation of FIDO2-compliant hardware security keys (e.g., YubiKeys) to neutralize the effectiveness of credential harvesting.
- **SIM Swap Protection:** Transition away from SMS-based MFA toward app-based authenticators or hardware tokens; requesting "Port Freeze" or "NAP" (No Account Changes) protection from telecom providers.
- **Privileged Access Management:** Restrict access to internal tools (like help desk portals) that allow for password resets or SIM changes.
- **Monitoring:** Vigilant monitoring for unauthorized access to BPO and IT support portals, which are frequent entry points for Scattered Spider.
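One way to operationalize the Monitoring and SIM Swap Protection items above, as an added example that is not from the article or from CyberScoop: it correlates help-desk audit events with sign-in events and flags a successful login that follows a help-desk MFA phone change or password reset within an hour and that either comes from a new device or was completed with SMS MFA (the factor SIM swapping defeats). The log format, field names, sample events and one-hour window are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): one suspicious sequence (alice),
# one routine reset (dave) and one ordinary FIDO2 login (carol).
SAMPLE_EVENTS = [
    "2024-03-01T09:00:00Z user=alice action=helpdesk.mfa_phone_change actor=agent17 src=10.0.0.5",
    "2024-03-01T09:04:00Z user=alice action=helpdesk.password_reset actor=agent17 src=10.0.0.5",
    "2024-03-01T09:10:00Z user=alice action=login.success mfa=sms src=203.0.113.7 new_device=true",
    "2024-03-01T11:00:00Z user=carol action=login.success mfa=fido2 src=198.51.100.3 new_device=false",
    "2024-03-02T14:00:00Z user=dave action=helpdesk.password_reset actor=agent17 src=10.0.0.5",
    "2024-03-02T16:00:00Z user=dave action=login.success mfa=app src=198.51.100.9 new_device=false",
]

HELPDESK_CHANGES = {"helpdesk.mfa_phone_change", "helpdesk.password_reset"}
WINDOW = timedelta(minutes=60)  # assumed correlation window


def parse_event(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_suspicious_takeovers(lines, window=WINDOW):
    """Flag users where a help-desk credential/MFA change is followed within
    `window` by a successful login that is either from a new device or
    completed with SMS-based MFA."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    recent_changes = {}  # user -> list of (ts, action) for help-desk changes
    alerts = []
    for e in events:
        user = e["user"]
        if e["action"] in HELPDESK_CHANGES:
            recent_changes.setdefault(user, []).append((e["ts"], e["action"]))
            continue
        if e["action"] != "login.success":
            continue
        risky = e.get("new_device") == "true" or e.get("mfa") == "sms"
        preceding = [a for t, a in recent_changes.get(user, []) if e["ts"] - t <= window]
        if risky and preceding:
            alerts.append({"user": user, "login_ts": e["ts"].isoformat(),
                           "src": e["src"], "preceding_changes": preceding})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_takeovers(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the help-desk events would come from the support portal's audit log and the logins from the identity provider; the correlation key is the target user, not the help-desk agent.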