Inside the Scattered Spider Playbook: A Guide to SMS Phishing and SIM Swapping Attacks

2026-05-01 01:16:24

Overview

Cybercriminal groups like Scattered Spider have mastered the art of social engineering, using SMS phishing and SIM swapping to steal millions from cryptocurrency investors. This guide dissects the real-world attack chain used by a senior member known as "Tylerb" (Tyler Robert Buchanan) to breach major tech firms and loot digital wallets. By understanding each step—from reconnaissance to cash-out—you can better defend against these sophisticated threats. This tutorial is based on the guilty plea of a 24-year-old British national who admitted to wire fraud conspiracy and aggravated identity theft in 2025.

Source: krebsonsecurity.com

Prerequisites

Before diving into the attack methodology, make sure you have a basic grasp of the underlying concepts. No programming experience is required, but familiarity with basic networking and authentication flows (passwords, one-time codes, MFA, account recovery) will help.

Step-by-Step Anatomy of the Attack

Step 1: Reconnaissance and Target Selection

Scattered Spider first identifies high-value targets—both companies and individual investors. In the 2022 campaign, they focused on technology companies such as Twilio, LastPass, DoorDash, and Mailchimp. Attackers gather employee names, phone numbers, and organizational structures through open-source intelligence (OSINT) and previous data breaches. Buchanan used the username and email address linked to his real identity, a mistake that later helped FBI investigators tie him to the phishing domains.

Step 2: SMS Phishing Campaign

The group launched tens of thousands of SMS-based phishing attacks. These messages often impersonate IT support or security teams, urging recipients to click a link and enter credentials. For example, a typical SMS might read: "Alert: Your account has been locked. Verify immediately at [malicious domain]." Buchanan registered numerous phishing domains using NameCheap, logging in from a UK-based IP address that Scottish authorities confirmed was leased to him throughout 2022.

Example phishing SMS:
From: +1 (415) 555-0199
Message: "Twilio Security: Unauthorized login detected. Reset password now: http://twilio-verify-ok[.]com"

The attackers cloned legitimate login pages to harvest credentials and session tokens. Once a victim entered their details, the attackers instantly captured them.
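As an added example (not code from the original article or from Krebs on Security), the following Python scorer runs the phishing indicators described in this step over a few constructed SMS messages, including the sample message shown above. The brand allow-list, the scoring weights, the urgency word list and the threshold are assumptions made for the illustration, not values the article gives.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed allow-list: brand names attackers imitate, mapped to the domain
# each brand really uses. A deployment would load this from configuration.
KNOWN_BRANDS = {
    "twilio": "twilio.com",
    "lastpass": "lastpass.com",
    "doordash": "doordash.com",
    "mailchimp": "mailchimp.com",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Assumed urgency vocabulary; real filters would use a larger, tuned list.
URGENCY_RE = re.compile(r"\b(?:immediately|now|locked|unauthorized|suspended|reset password)\b")
PHISH_THRESHOLD = 5  # assumed cut-off for the illustration


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def is_phish(self) -> bool:
        return self.score >= PHISH_THRESHOLD


def refang(url: str) -> str:
    """Reverse the [.] defanging used in write-ups so the host can be parsed."""
    return url.replace("[.]", ".")


def hosts_in(text: str) -> list:
    """Lower-cased hostnames of every URL in the message body."""
    return [(urlparse(refang(u)).hostname or "").lower() for u in URL_RE.findall(text)]


def is_under(host: str, domain: str) -> bool:
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def triage_sms(body: str) -> Verdict:
    """Score one SMS body for phishing indicators; higher means more suspicious."""
    v = Verdict()
    lower = body.lower()
    hosts = hosts_in(body)

    # A brand name embedded in a domain that is not the brand's own domain.
    for host in hosts:
        for brand, legit in KNOWN_BRANDS.items():
            if brand in host and not is_under(host, legit):
                v.score += 5
                v.reasons.append(f"lookalike host {host} imitates {legit}")

    # Message claims to be from a brand but every link goes elsewhere.
    for brand, legit in KNOWN_BRANDS.items():
        if brand in lower and hosts and not any(is_under(h, legit) for h in hosts):
            v.score += 2
            v.reasons.append(f"message names {brand} but links do not go to {legit}")
            break

    if any(refang(u).lower().startswith("http://") for u in URL_RE.findall(body)):
        v.score += 1
        v.reasons.append("plain http link")

    hits = URGENCY_RE.findall(lower)
    if hits:
        v.score += min(len(hits), 3)
        v.reasons.append("urgency language: " + ", ".join(sorted(set(hits))))
    return v


# Constructed sample messages; the first is the article's own example.
SAMPLE_MESSAGES = [
    "Twilio Security: Unauthorized login detected. Reset password now: http://twilio-verify-ok[.]com",
    "DoorDash: account suspended. Verify at https://doordash-support[.]net/login",
    "Twilio: Your verification code is 482913. It expires in 10 minutes.",
    "LastPass: sign in at https://lastpass.com/login to review your vault.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = triage_sms(msg)
        print(f"{'PHISH ' if v.is_phish else 'ok    '} score={v.score:2}  {msg}")
        for r in v.reasons:
            print(f"         - {r}")
```

The lookalike check is deliberately strict about subdomains: `login.twilio.com` passes while `twilio-verify-ok.com` does not, which is the distinction a user reading the message on a phone screen usually cannot make in time.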

Step 3: Credential Harvesting and Internal Access

With stolen credentials, Scattered Spider gained initial footholds inside corporate networks. They often impersonated employees contacting help desks to reset Multi-Factor Authentication (MFA) devices or request new access tokens. This social engineering tactic—calling IT support with stolen personal details—allowed them to bypass security controls. The group used the stolen data from these breaches to identify cryptocurrency investors among the employee base or downstream customers.

Step 4: SIM Swapping to Intercept 2FA

After identifying victims, the attackers performed SIM swapping. They tricked mobile carriers into transferring the victim’s phone number to a SIM card in their possession. This allowed them to intercept SMS-based one-time passcodes and password reset links. The U.S. Justice Department noted that Buchanan admitted to stealing at least $8 million in virtual currency from individual victims across the United States. The SIM swap is the critical step that enables emptying cryptocurrency wallets protected only by SMS 2FA.

  1. Attacker gathers victim’s personal data (from phishing or data breaches).
  2. Attacker contacts the mobile carrier, impersonating the victim, and requests a SIM swap, claiming the phone is lost.
  3. Carrier activates the new SIM, transferring the number.
  4. Attacker now receives all SMS messages, including password reset codes from crypto exchanges.
  5. Attacker resets passwords, logs into the exchange, and transfers funds to their own wallets.
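An added example (not from the original article) that models the defender's side of steps 4 and 5 above in Python: an account-recovery policy that prefers an authenticator app or hardware key and refuses to fall back to SMS codes when the carrier reports that the number's SIM changed recently. The 72-hour cooldown, the Account fields, the constructed accounts and the assumption that a SIM-change timestamp is available from a carrier lookup are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Set

# Assumed policy value: treat SMS as untrusted for this long after a SIM change.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)


class Channel(Enum):
    SMS_OTP = "sms_otp"              # received by whoever currently holds the number
    AUTHENTICATOR = "authenticator"  # bound to the owner's device, not the number
    HARDWARE_KEY = "hardware_key"


@dataclass
class Account:
    user: str
    enrolled: Set[Channel]
    # Last SIM change for the account's phone number, as reported by a carrier
    # SIM-change lookup. Assumed available; None means unknown or never changed.
    sim_last_changed: Optional[datetime] = None


@dataclass
class Decision:
    allowed: bool
    channel: Optional[Channel]
    reason: str


def choose_recovery_channel(acct: Account, now: datetime) -> Decision:
    """Pick the strongest enrolled factor for a password reset.

    SMS is used only as a last resort, and never inside the cooldown window
    after a SIM change, because that is exactly when a swapped SIM would be
    receiving the code instead of the account owner.
    """
    for strong in (Channel.HARDWARE_KEY, Channel.AUTHENTICATOR):
        if strong in acct.enrolled:
            return Decision(True, strong, f"challenge via {strong.value}")
    if Channel.SMS_OTP in acct.enrolled:
        changed = acct.sim_last_changed
        if changed is not None and now - changed < SIM_CHANGE_COOLDOWN:
            return Decision(False, None, "SIM changed within cooldown; hold reset for manual verification")
        return Decision(True, Channel.SMS_OTP, "challenge via sms_otp (no recent SIM change)")
    return Decision(False, None, "no recovery factor enrolled")


def number_holder_can_reset(acct: Account, now: datetime) -> bool:
    """Model steps 4 and 5 of the chain: whoever now receives SMS for the
    number completes the reset only if the policy actually sends an SMS code."""
    d = choose_recovery_channel(acct, now)
    return d.allowed and d.channel is Channel.SMS_OTP


# Constructed accounts evaluated at a fixed "now" so the outcomes are reproducible.
NOW = datetime(2022, 8, 1, 12, 0, tzinfo=timezone.utc)
SWAPPED_SMS_ONLY = Account("alice", {Channel.SMS_OTP}, NOW - timedelta(hours=2))
STABLE_SMS_ONLY = Account("bob", {Channel.SMS_OTP}, NOW - timedelta(days=400))
SWAPPED_WITH_APP = Account("carol", {Channel.SMS_OTP, Channel.AUTHENTICATOR}, NOW - timedelta(hours=2))

if __name__ == "__main__":
    for acct in (SWAPPED_SMS_ONLY, STABLE_SMS_ONLY, SWAPPED_WITH_APP):
        d = choose_recovery_channel(acct, NOW)
        print(f"{acct.user:6} allowed={d.allowed!s:5} via={d.channel} "
              f"number_holder_wins={number_holder_can_reset(acct, NOW)}  ({d.reason})")
```

Note that `bob`, who has only SMS enrolled and no recent SIM change on record, is still exposed: the cooldown only narrows the window, and a carrier signal can be missing or stale. The durable fix is the one the article's summary gives, moving the account onto an authenticator app or hardware key so that holding the phone number is not enough to complete a reset.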

Step 5: Exfiltration and Laundering

The stolen cryptocurrency was moved through multiple wallets and mixers to obscure the trail. Buchanan's involvement was eventually traced when rival cybercriminals hired thugs to invade his home in the UK, assault his mother, and threaten him with a blowtorch to give up his crypto wallet keys—a bizarre twist that drove him to flee the UK in February 2023. He was later detained by Spanish airport authorities and extradited to the U.S.

Common Mistakes

Mistakes Made by Attackers

  1. Buchanan registered the phishing domains using a username and email address linked to his real identity, which later let FBI investigators tie him to the infrastructure.
  2. He logged into the NameCheap registrar from a UK IP address that Scottish authorities confirmed was leased to him throughout 2022, anchoring the domains to a physical location.
  3. Holding the stolen wallet keys himself made him a target for rival criminals; the home invasion that followed drove him to flee the UK and ended in his detention in Spain and extradition.

Mistakes Made by Victims

  1. Entering credentials on cloned login pages reached through unsolicited SMS links, which handed the attackers both passwords and session tokens.
  2. Help desks resetting MFA devices or issuing new access tokens for callers who could offer nothing more than stolen personal details.
  3. Protecting cryptocurrency exchange accounts with SMS-based 2FA, which a SIM swap lets the attacker intercept, instead of an authenticator app.

Summary

The Scattered Spider case illustrates the complete lifecycle of a modern phishing and SIM-swapping attack: reconnaissance, large-scale SMS phishing, credential theft, social engineering to bypass MFA, SIM swapping, and cryptocurrency theft. By learning from Buchanan's mistakes—like using personal identifiable information on domains—and knowing the attacker's playbook, organizations and individuals can implement stronger defenses. Replace SMS-based 2FA with authenticator apps, train teams to recognize phishing attempts, and secure personal data. The 24-year-old now faces over 20 years in prison, a stark reminder that cybercrime has real-world consequences.
