Scattered Spider: The SMS Gang That Breached LastPass and Twilio

One 24-year-old hacker using only text messages compromised LastPass, Twilio, DoorDash, and Mailchimp. Stole 8 million dollars. His methods still work today.

By They Didn't Ask
One hacker. Twenty-four years old. A laptop and a phone. That was all it took for Tyler Buchanan to compromise some of the most prominent technology companies in America. Using SMS phishing, Buchanan breached LastPass, Twilio, DoorDash, Mailchimp, and dozens of others. Estimated losses: $8 million.

Tyler Buchanan's Guilty Plea

Tyler Robert Buchanan, 24, of Dundee, Scotland, pleaded guilty on April 17, 2026, in federal court in Santa Ana, California. He admitted to one count of conspiracy to commit wire fraud and one count of aggravated identity theft. The charges stemmed from an indictment unsealed in November 2024 that named five Scattered Spider members.

According to the Department of Justice, Buchanan admitted to "sending hundreds" of SMS phishing messages between September 2021 and April 2023. Those messages targeted employees of at least a dozen companies — interactive entertainment firms, telecommunications providers, cloud communications platforms, and cryptocurrency exchanges. The phished credentials were then used to access corporate networks and, ultimately, to SIM-swap individual cryptocurrency investors out of millions.

Buchanan was arrested in June 2024 at Palma de Mallorca airport in Spain as he attempted to board a chartered flight to Italy. Spanish police confiscated a laptop and a phone. He has been in U.S. federal custody since his extradition in April 2025. Sentencing remains pending; he faces a statutory maximum of 22 years in prison.

Group Structure

Scattered Spider, tracked by security vendors as UNC3944, 0ktapus, Octo Tempest, and Muddled Libra, is not a traditional ransomware cartel. It is a loose affiliation of English-speaking hackers, many of them teenagers or in their early twenties, operating out of the United States, the United Kingdom, and Canada.
Unlike Eastern European ransomware groups that rely on technical exploits and malware, Scattered Spider's weapon of choice is conversation. Known handles within the group include "tylerb" (Buchanan), "Sosa" (Noah Michael Urban, sentenced to 10 years in August 2025), "Ok," "Maze," "Noah," "AD" (Ahmed Elbadawy), and "joeleoli" (Joel Evans). Many members originated from "The Comm," a broader English-speaking cybercriminal community on Telegram and Discord where hackers brag about high-profile thefts, share tools, and coordinate attacks.

The group operates on a franchise model. Members collaborate on specific targets, share infrastructure, and rent ransomware payloads from affiliates like BlackCat/ALPHV and RansomHub. This distributed structure makes Scattered Spider extraordinarily difficult to dismantle — arresting five members does not stop ten more from picking up the same phone and calling the next helpdesk.

The Technique

SMS phishing (smishing):
- Messages appeared to come from IT departments or SSO portals
- Links led to pixel-perfect credential-harvesting pages
- Employees entered usernames, passwords, and 2FA codes
- Some campaigns sent tens of thousands of messages simultaneously

The pivot: once inside telecom companies via third-party breaches, the group performed SIM-swap attacks, transferring phone numbers to attacker-controlled devices and bypassing SMS 2FA entirely.
The Victims

Target / Impact
LastPass / Encrypted password vaults for millions stolen
Twilio / Customer MFA/SMS delivery systems accessed
DoorDash / Customer and driver personal data stolen
Mailchimp / Marketing accounts accessed
Cloudflare / MFA bypassed using stolen session tokens
MGM Resorts / $100M+ in losses, 10-day operational shutdown, ransomware via helpdesk call
Caesars Entertainment / Customer loyalty database stolen; paid ~$15M ransom
Riot Games / Source code exfiltrated for League of Legends and Valorant; $10M ransom demand refused
AT&T / SIM-swap access via Twilio compromise
Coinbase / Employees targeted via SMS phishing campaigns

The Helpdesk Pivot

Beyond SMS phishing, Scattered Spider refined a signature technique that requires no malware and no exploit code: the helpdesk phone call.

In the September 2023 MGM Resorts breach, attackers used LinkedIn to identify an employee, then called the company's IT helpdesk impersonating that employee. They claimed to have lost their phone and needed a password reset and a new MFA device enrolled. The helpdesk complied. Within 10 minutes, the attackers had valid credentials to MGM's internal network. They escalated privileges, deployed BlackCat ransomware across 100+ VMware ESXi servers, and shut down slot machines, hotel room key systems, ATMs, and reservation platforms across the Las Vegas Strip. The total cost to MGM exceeded $100 million.

This same playbook has been repeated against Caesars, Riot Games, and airlines targeted in 2025. The attackers research their marks on LinkedIn and company directories, learn internal jargon and team names, and use that context to sound legitimate. Some calls escalate to "MFA fatigue" attacks — bombarding the victim's phone with push notifications until they accept one out of frustration.

CISA and the FBI released a joint advisory in November 2023 detailing these exact tactics, warning that Scattered Spider targets large companies and their third-party IT providers.
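The MGM sequence above (a helpdesk-initiated password reset, a new MFA device enrolled minutes later, and push-notification bombardment) leaves a recognisable trail in identity-provider audit logs. The following detection logic is an added example, not code from the article or from any vendor; the event names, actor names and log lines are constructed placeholders rather than a real product's schema.

```python
"""Helpdesk-pivot and MFA-fatigue detection over identity-provider audit events.
Added example, not from the article; event names, actors and the log are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RESET_TO_ENROLL_WINDOW = timedelta(minutes=15)  # MGM: reset plus new MFA device in ~10 min
PUSH_BURST_WINDOW, PUSH_BURST_THRESHOLD = timedelta(minutes=10), 5

# Constructed sample log: timestamp, actor, event, target user
SAMPLE_LOG = """\
2023-09-10T02:03:11Z helpdesk.agent7 user.password.reset alice
2023-09-10T02:09:40Z alice user.mfa.factor.enroll alice
2023-09-10T03:00:00Z helpdesk.agent2 user.password.reset bob
2023-09-10T05:30:00Z bob user.mfa.factor.enroll bob
2023-09-10T09:00:00Z system user.mfa.push.challenge carol
2023-09-10T09:00:30Z system user.mfa.push.challenge carol
2023-09-10T09:01:00Z system user.mfa.push.challenge carol
2023-09-10T09:01:30Z system user.mfa.push.challenge carol
2023-09-10T09:02:00Z system user.mfa.push.challenge carol
"""

def parse(log):
    """Return (timestamp, actor, event, user) tuples sorted by time."""
    events = []
    for line in log.splitlines():
        ts, actor, event, user = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), actor, event, user))
    return sorted(events)

def find_helpdesk_pivots(events):
    """Users with a helpdesk password reset then MFA enrollment inside the window (MGM playbook)."""
    resets = [(ts, user) for ts, actor, ev, user in events
              if ev == "user.password.reset" and actor.startswith("helpdesk.")]
    return sorted({user for rts, ruser in resets for ts, _, ev, user in events
                   if user == ruser and ev == "user.mfa.factor.enroll"
                   and rts <= ts <= rts + RESET_TO_ENROLL_WINDOW})

def find_push_bursts(events):
    """Users hit by PUSH_BURST_THRESHOLD+ push challenges inside PUSH_BURST_WINDOW (MFA fatigue)."""
    per_user = defaultdict(list)
    for ts, _, ev, user in events:
        if ev == "user.mfa.push.challenge":
            per_user[user].append(ts)
    flagged = []
    for user, stamps in per_user.items():  # stamps are already time-ordered
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - start <= PUSH_BURST_WINDOW) >= PUSH_BURST_THRESHOLD:
                flagged.append(user)
                break
    return flagged
```

On the sample log only alice (reset at 02:03, enrollment at 02:09) and carol (five pushes in two minutes) are flagged; bob's enrollment falls outside the window and is left alone.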
SIM-Swap Mechanics

SIM swapping is the technical backbone of Scattered Spider's cryptocurrency theft. The mechanics are straightforward but devastating:

1. The attacker gathers personal information on the target: name, phone number, address, often from previous data breaches or the corporate credentials stolen in the SMS phishing phase.
2. The attacker contacts the target's mobile carrier, impersonating the victim and claiming their phone was lost or damaged. If social engineering fails, the attacker bribes carrier employees. Reports from 2024 show Scattered Spider members offering T-Mobile and Verizon staff $300 per SIM swap, using stolen employee directories to find their marks.
3. The carrier ports the victim's phone number to a new SIM card in the attacker's possession. The victim's phone goes dead.
4. The attacker now receives all SMS messages and phone calls — including one-time passwords for bank accounts, cryptocurrency exchanges, and email password resets.

More sophisticated variants exploit SS7, the 1970s-era telecommunications protocol that underpins global mobile networks. SS7 was designed when only trusted operators had access, so it lacks authentication. An attacker who compromises SS7 access can intercept SMS messages and calls without touching the carrier's helpdesk at all. The FCC imposed new rules on U.S. carriers in November 2023 to reduce SIM-swap fraud, but enforcement remains uneven.

The 2023-2024 Crackdown

Law enforcement has made significant progress against Scattered Spider, but the group continues to operate. In November 2024, the DOJ unsealed charges against five Scattered Spider members: Tyler Buchanan (Scotland), Ahmed Elbadawy (Texas), Noah Urban (Florida), Evans Osiebo (Texas), and Joel Evans (North Carolina). Each faced wire fraud conspiracy and aggravated identity theft charges. The indictment described $11 million in losses from at least 29 victims across 12 companies.
Noah Michael Urban — alias "Sosa" — pleaded guilty and was sentenced to 10 years in federal prison in August 2025, and was ordered to pay roughly $13 million in restitution. A 19-year-old Florida suspect, Remington Ogletree, was arrested in December 2024 for sending 8.6 million phishing texts through compromised telecom systems. In April 2026, a 19-year-old dual U.S.-Estonian citizen known as "Bouquet" was arrested at Helsinki airport on related charges.

Despite these arrests, Scattered Spider remains active. In 2025, the group joined forces with ShinyHunters and LAPSUS$ to form a new cybercrime alliance and has been linked to attacks on Marks & Spencer, Harrods, and Qantas. New members fill vacated roles. The franchise model ensures the group survives its casualties.

Why SMS Phishing Still Works

- Organizations treat SMS as a trusted security channel — it predates the internet and carries an implicit assumption of legitimacy.
- BYOD corporate access on personal phones lacks endpoint protection and central management.
- SSO monoculture means one credential set grants access to dozens of systems through Okta, Microsoft, or other identity providers.
- SMS 2FA is not authentication — a SIM swap transfers a phone number in minutes, and SS7 interception requires no user interaction at all.
- Helpdesks are trained to help, not to suspect. The human instinct to assist someone in distress is the group's most reliable attack surface.
- Third-party risk: Scattered Spider increasingly targets BPO and IT outsourcing vendors, knowing that compromising one vendor unlocks access to dozens of downstream clients.

Defense in Depth

- Never act on SMS links — navigate directly to sites from your browser bookmarks, not from a text message.
- Hardware security keys (FIDO2/WebAuthn) — a YubiKey or Google Titan key is phishing-resistant by design. It will not authenticate to a fake domain, even if you type your password into it. Set one up for every account that supports it: Google, Microsoft, GitHub, Okta.
- App-based TOTP (Authy, Google Authenticator) is better than SMS but still phishable. SMS 2FA is better than no 2FA, but barely — treat it as the absolute minimum.
- Enable app-based or hardware 2FA everywhere — if a service only offers SMS 2FA, consider whether you should use that service at all.
- Organizations: ban SMS 2FA for privileged accounts — deploy phishing-resistant identity systems (FIDO2, passkeys, certificate-based authentication). Implement helpdesk verification protocols: out-of-band callback to a manager, employee ID verification with a hardware token, or a mandatory in-person visit for credential resets.
- Breach-and-attack-simulation (BAS) training — run simulated smishing campaigns against employees. Measure who clicks, and retrain them. Treat it like a recurring safety drill, not a one-time checkbox.
- Monitor for SIM-swap indicators — services like the free Microsoft Account Activity report or Google's Advanced Protection Program can alert you when a phone number changes on your account. If your phone suddenly loses service for no reason, call your carrier immediately from another line.

Tyler Buchanan stole $8 million using a phone and a talent for deception. He never wrote exploit code. He did not need to. The only way to stop the next Buchanan is to stop trusting SMS.
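The reason a FIDO2 key "will not authenticate to a fake domain" is a check on the relying-party side: the browser writes the page's real origin into clientDataJSON, and the authenticator hashes the RP ID it was allowed to use, so a credential-harvesting page on a lookalike domain cannot produce an assertion the genuine site accepts. The following is an added example, not code from the article or from any FIDO library; the RP ID, origins and challenge are constructed placeholders, and it covers only the origin/RP-ID binding, not the signature check a full verifier also performs over the same data.

```python
"""Relying-party check that makes a FIDO2/WebAuthn login phishing-resistant.
Added example, not from the article. RP ID, origins and challenge are constructed
placeholders; signature verification over the same data is out of scope here."""
import base64
import hashlib
import json

RP_ID = "sso.example-corp.test"                 # constructed placeholder relying-party ID
EXPECTED_ORIGIN = "https://sso.example-corp.test"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_assertion_binding(client_data_b64url, authenticator_data, expected_challenge):
    """Accept only assertions the browser produced for our origin and our RP ID.
    A credential-harvesting page on another domain fails one of these checks,
    because the browser fills in the origin and the authenticator hashes the RP ID."""
    client_data = json.loads(_b64url_decode(client_data_b64url))
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != expected_challenge:  # replayed or stale response
        return False
    if client_data.get("origin") != EXPECTED_ORIGIN:        # lookalike domain lands here
        return False
    rp_id_hash = authenticator_data[:32]                     # first 32 bytes per WebAuthn spec
    return rp_id_hash == hashlib.sha256(RP_ID.encode()).digest()

def make_client_data(origin, challenge):
    """Simulate the clientDataJSON a browser builds for a page at `origin` (constructed)."""
    cd = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(cd).encode()).decode().rstrip("=")

def make_auth_data(rp_id):
    """Simulate authenticatorData: rpIdHash || flags (UP|UV) || signCount (constructed)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")

CHALLENGE = "constructed-challenge-123"
# Real site: browser sets origin to ours, key hashes our RP ID -> accepted
GENUINE = verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                                   make_auth_data(RP_ID), CHALLENGE)
# Phishing page: the browser only lets it use an RP ID under its own domain,
# so both the origin and the rpIdHash differ -> rejected
PHISHED = verify_assertion_binding(
    make_client_data("https://sso.example-corp.login-verify.test", CHALLENGE),
    make_auth_data("sso.example-corp.login-verify.test"), CHALLENGE)
```

Compare this with SMS or TOTP codes, which carry no origin at all: the same six digits typed into the fake page work on the real one.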