BREAKING NEWS – Spanish authorities, in a significant international collaboration, have announced the arrest of Tyler Buchanan, a 23-year-old Scottish national believed to be a key figure in the notorious ‘Scattered Spider’ cybercrime group. Buchanan, also known as ‘TylerB,’ was apprehended on Sunday, April 12, 2026, while attempting to board a flight to Italy, bringing an end to a sophisticated cybercrime spree that allegedly netted $27 million.
Buchanan faces grave charges of wire fraud, conspiracy to commit wire fraud, and aggravated identity theft. These charges stem from a widespread ransomware and data extortion scheme that targeted dozens of companies across the United States, Canada, India, and the United Kingdom. If convicted, Buchanan could face a minimum of two years for aggravated identity theft and a statutory maximum of 20 years for wire fraud conspiracy.
The scale of the alleged criminal enterprise is staggering. U.S. prosecutors claim that Buchanan personally controlled over $26 million stolen from victims. At the time of his arrest, Spanish police reported Buchanan was in possession of Bitcoins valued at $27 million. The Scattered Spider group is estimated to have pilfered 391 bitcoins, exceeding $27 million in value, from its victims. The FBI’s investigation has linked Buchanan and his co-conspirators to attacks on at least 45 companies, with the group’s total extortion demands estimated to surpass $66 million. Their modus operandi involved highly sophisticated social engineering tactics, primarily SMS-based phishing attacks and SIM swapping, to steal credentials and bypass multi-factor authentication (MFA).
Tyler Buchanan, a 23-year-old from Dundee, Scotland, is alleged to be a leader within the Scattered Spider collective. This group, primarily composed of young adults from the U.S. and UK, is believed to be affiliated with a larger cybercriminal network known as “The Com” or “The Community.” Buchanan’s involvement in cybercrime, particularly SIM swapping and phishing campaigns, has been a focus of international law enforcement for some time.
The extensive investigation involved multiple agencies, including the FBI, Spanish National Police, and Police Scotland. The FBI had an arrest warrant for Buchanan related to SMS-based phishing attacks dating back to 2022. The fraud was meticulously uncovered through digital forensics. Domain registration records for phishing domains used in the 2022 attacks were traced to a NameCheap account linked to Buchanan via a username and email address. This account was logged in from an IP address leased to Buchanan in the UK. Further evidence emerged when Police Scotland searched Buchanan’s residence in April 2023, seizing approximately 20 digital devices. Forensic analysis of these devices reportedly revealed usernames and passwords for employees of targeted companies, browser history showing attempts to connect to compromised firms, and screenshots of Telegram messages discussing the division of SIM swapping proceeds.
“This arrest underscores the relentless global pursuit of cybercriminals, demonstrating that anonymity online is a myth when law enforcement agencies collaborate effectively across borders.”
Following his arrest, Tyler Buchanan was extradited from Spain to the United States between April 24-30, 2025, and subsequently detained in California after a court appearance. He is currently being held without bail in a federal prison in downtown Los Angeles. A preliminary hearing in Buchanan’s case is slated for May 6, 2025, which will undoubtedly shed more light on the prosecution’s case and the path forward. The ongoing investigation continues to unravel the full extent of Scattered Spider’s activities and affiliations.
The list of alleged victims is extensive and diverse, spanning numerous critical sectors. Notable targets include hospitality giants Caesars Entertainment and MGM Resorts International, with Caesars paying a $15 million ransom and MGM suffering over $100 million in losses. Technology and telecommunications firms like Twilio, LastPass, DoorDash, Mailchimp, Okta, and T-Mobile were also hit. Financial services companies such as Visa, PNC Financial Services, and Coinbase Global fell victim, alongside major retailers like Marks & Spencer, Dior, and Adidas. Even aviation companies like Qantas and Hawaiian Airlines were not spared. These attacks resulted in significant data breaches, operational disruptions, and substantial financial losses across the board.
For organizations and individuals alike, several critical red flags should be heeded to prevent falling victim to similar schemes. The reliance of groups like Scattered Spider on bypassing multi-factor authentication (MFA) through fatigue attacks and SIM swapping highlights the need for stronger, more resilient MFA methods, such as hardware tokens. Insufficient employee training on social engineering tactics, where attackers impersonate IT staff via phone, SMS, and Telegram, remains a significant vulnerability. Regular and effective cybersecurity awareness training, focusing on recognizing phishing, smishing, and vishing attempts, is paramount. Furthermore, weaknesses in identity and access management protocols, allowing manipulation of help desks to reset passwords or bypass MFA, must be addressed. Robust security monitoring and alerting systems are essential to detect and respond to unusual login attempts, MFA requests, and account changes, especially given the group’s known tactic of deleting emails notifying users of suspicious account activity. Finally, organizations must scrutinize the security postures of their third-party vendors, as compromises often originate through these external connections. For more insights into emerging threats, visit our related fraud investigations.




