Fbhchile

2026-05-19 04:45:58

How the Scattered Spider Cybercrime Group Executed Their Attacks: A Step-by-Step Breakdown

Learn how the Scattered Spider group used SMS phishing and SIM swapping to steal millions. A detailed guide based on the Tylerb case.

Understanding the Scattered Spider Cyberattack Method

The case of Tyler Robert Buchanan (aka “Tylerb”), a senior member of the cybercrime group Scattered Spider, provides a chilling blueprint of how modern social-engineering attacks unfold. This guide breaks down the group’s proven tactics, from SMS phishing to SIM swapping, using real events from the 2022 campaign that targeted companies like Twilio, LastPass, DoorDash, and Mailchimp. Follow these steps to understand the attack chain—and learn how to defend against it.

How the Scattered Spider Cybercrime Group Executed Their Attacks: A Step-by-Step Breakdown
Source: krebsonsecurity.com

What You Need (for Educational Analysis)

  • Phishing domain registration (e.g., via NameCheap with fake credentials)
  • SMS gateway or bulk texting service
  • List of targeted employees or customers
  • SIM swap tools (social engineering scripts, fake ID templates)
  • Cryptocurrency wallets for receiving stolen funds
  • Proxy or VPN to mask location (e.g., UK-based IP addresses)

Step 1: Register Phishing Domains and Set Up Infrastructure

Before launching attacks, Scattered Spider members like Buchanan registered multiple phishing domains that mimicked legitimate tech companies. They used fake or anonymized accounts with the same username and email address across registrars. FBI investigators traced these domains back to Buchanan after discovering that an account logging in from a UK IP address—leased to Buchanan throughout 2022—registered the domains less than a month before the phishing spree. Key tactic: Use a real but non-obvious IP address to avoid immediate suspicion.

Step 2: Conduct Large-Scale SMS Phishing Campaigns

The group launched tens of thousands of text messages impersonating trusted services (e.g., password reset alerts, security notifications). These messages contained links to the fake login pages hosted on the phishing domains. The goal was to harvest credentials and one-time passcodes from employees at major tech firms. Buchanan admitted to conspiring with others to execute this campaign in the summer of 2022. Tip for defenders: Employees should always verify unsolicited SMS requests via a separate channel.

Step 3: Exploit Stolen Credentials to Breach Corporate Networks

Once victims entered their credentials on the phishing pages, Scattered Spider used them to gain unauthorized access to internal systems at companies like Twilio, LastPass, DoorDash, and Mailchimp. They often impersonated employees or contractors to deceive IT help desks into granting additional access. This social-engineering step is critical—human error is the weakest link.

Step 4: Extract Data and Plan SIM Swaps

From the breached systems, the group stole sensitive data, including customer contact information and account details. They then used this data to target individual cryptocurrency investors. The core method was SIM swapping—transferring the victim’s phone number to a device controlled by the attackers. This allowed them to intercept SMS-based one-time passcodes and password reset links.


Step 5: Execute SIM Swaps to Steal Cryptocurrency

Using the stolen personal data, Scattered Spider members contacted mobile carriers pretending to be the victim, claiming they needed a new SIM card. Once the number was ported, they reset passwords for crypto exchange accounts and drained wallets. Buchanan admitted to stealing at least $8 million in virtual currency from U.S. victims through this method.

Step 6: Launder and Conceal Proceeds

After siphoning funds, the group likely used mixing services, decentralized exchanges, and peer-to-peer transfers to obscure the money trail. Buchanan fled the UK in February 2023 after a rival gang assaulted his mother and threatened him with a blowtorch, indicating how high tensions run in the cybercrime underworld.

Tips for Protection and Awareness

  • Enable multi-factor authentication (MFA) using authenticator apps rather than SMS alone; this removes the SMS channel that a SIM swap hijacks. Note that app-generated codes can still be harvested by a phishing page like those in Step 2, so prefer phishing-resistant MFA where available.
  • Educate employees about phishing; regular drills reduce the chance of falling for SMS-based social engineering.
  • Monitor for suspicious domain registrations that mimic your company name (lookalike spellings, your brand combined with words like "sso" or "help").
  • Set a port-out or account PIN with your mobile carrier so your number cannot be transferred to another SIM without it.
  • Report any phishing attempts to your IT security team immediately.
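Step 1 describes phishing domains that mimicked legitimate tech companies, and the third tip above asks defenders to watch for such registrations. The following script is an added example written for this page, not code from the article or from KrebsOnSecurity, showing one way to score newly observed domains (for example from certificate-transparency feeds or registrar alerts) against a list of protected brand names. The brand list, the owned-domain set, the homoglyph table, the keyword list and the sample domains are all constructed assumptions chosen to match the companies named in the article.

```python
from __future__ import annotations
import re
import unicodedata

# Constructed inputs (assumptions, not from the article): the brands a defender
# wants to protect and the domains that organisation legitimately owns.
PROTECTED_BRANDS = ["twilio", "lastpass", "doordash", "mailchimp"]
OWNED_DOMAINS = {"twilio.com", "lastpass.com", "doordash.com", "mailchimp.com"}

# Substitutions commonly used to make a lookalike label read like the brand.
# Multi-character entries come first so they are undone before single digits.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

# Words that, combined with a brand, suggest a credential-harvesting theme.
SUSPICIOUS_KEYWORDS = ["sso", "okta", "login", "help", "vpn", "reset", "verify", "support"]

# Labels that act as a second-level suffix (example.co.uk -> "example").
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov", "edu"}


def registrable_label(domain: str) -> str:
    """Return the label left of the public suffix, decoding punycode if present."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL_SUFFIXES:
        label = parts[-3]
    elif len(parts) >= 2:
        label = parts[-2]
    else:
        label = parts[0]
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # keep the raw label if the punycode is malformed
    return label


def normalise(label: str) -> str:
    """Lowercase, fold accented characters to ASCII and undo common homoglyphs."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for glyph, plain in HOMOGLYPHS.items():
        folded = folded.replace(glyph, plain)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_domain(domain: str) -> dict | None:
    """Score one observed domain against the protected brands.

    Returns None when the domain is owned or unrelated, otherwise a finding with
    a 0-100 score and a human-readable reason for an analyst to review.
    """
    domain = domain.lower().strip(".")
    if any(domain == o or domain.endswith("." + o) for o in OWNED_DOMAINS):
        return None
    label = registrable_label(domain)
    raw = re.sub(r"[^a-z]", "", label)                  # letters as registered
    compact = re.sub(r"[^a-z]", "", normalise(label))   # letters after de-obfuscation
    for brand in PROTECTED_BRANDS:
        if compact == brand:
            reason, score = "brand name on a domain we do not own", 60
        elif brand in compact:
            reason, score = "brand name embedded in label", 50
        else:
            dist = levenshtein(compact, brand)
            if dist > 2 or len(compact) < 5:
                continue  # too different, or too short to be meaningful
            reason, score = f"edit distance {dist} from brand", 45 - 10 * dist
        if raw != compact:
            reason += ", homoglyph/digit substitution"
            score += 15
        remainder = compact.replace(brand, "", 1)
        keywords = [k for k in SUSPICIOUS_KEYWORDS if k in remainder]
        if keywords:
            reason += ", credential-theme keyword(s) " + "/".join(keywords)
            score += 20
        return {"domain": domain, "brand": brand, "score": min(score, 100), "reason": reason}
    return None


def scan(domains: list[str]) -> list[dict]:
    """Assess a batch of observed domains and return findings, highest score first."""
    findings = [f for f in (assess_domain(d) for d in domains) if f is not None]
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    # Constructed sample feed; these domains were made up for this example.
    sample = ["twilio-sso.com", "lastpass-help.net", "d00rdash.com", "mailchirnp.com",
              "twillio.com", "twílio.com", "sso.twilio.com", "example.com"]
    for finding in scan(sample):
        print(f"{finding['score']:3d}  {finding['domain']:20s}  {finding['reason']}")
```

The score is deliberately coarse: it is meant to rank candidates for a human to look at, not to block automatically, since edit-distance checks on short labels produce false positives and the homoglyph table covers only the most common substitutions.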

Understanding the Scattered Spider playbook—as revealed in the Tylerb guilty plea—helps organizations and individuals build stronger defenses. Stay vigilant, stay informed.