Incident Response

Scattered Spider Member Pleads Guilty: The SMS Phishing Playbook That Breached 130+ Companies

April 17, 2026 Rebecca Leung

TL;DR:

  • On April 17, 2026, Scattered Spider member Tyler Buchanan pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft — the scheme breached 130+ organizations and stole $8M+ in cryptocurrency.
  • The attack chain was simple: fake IT helpdesk SMS → fake Okta login page → real-time credential harvest → SIM swap for MFA codes.
  • Financial services firms were directly in the crosshairs: PNC, Transamerica, New York Life, Synchrony, and Truist Bank were all confirmed targets.
  • The conviction doesn’t retire this threat — the same tactics work today. Practitioners need to audit SMS MFA, helpdesk verification procedures, and social engineering training now.

A 24-year-old from Dundee walked into a U.S. federal courtroom on April 17, 2026, and admitted to running one of the most effective enterprise hacking campaigns in recent memory. Tyler Robert Buchanan — a member of the cybercrime group known as Scattered Spider — pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. He faces up to 22 years in federal prison when sentenced on August 21.

The case isn’t interesting because of who Buchanan is. It’s interesting because of how the attacks worked — and how many companies with multi-million-dollar cybersecurity budgets got beaten by a text message.

What Scattered Spider Actually Did

The criminal activity ran from September 2021 through April 2023. During that stretch, Buchanan and his co-conspirators targeted technology companies, telecommunications firms, entertainment and hospitality companies, business process outsourcing providers, IT vendors, cloud communications firms, and virtual currency companies. Over 130 organizations were compromised in their 2022 “0ktapus” campaign alone.

The attack chain was not sophisticated. That’s the point.

Step 1 — The Lure: Employees received SMS text messages appearing to come from their company’s IT department or an outsourced helpdesk provider. The message typically said something like: “Action required: Your account access expires today. Click here to verify your identity.”

Step 2 — The Fake Page: The link resolved to a convincing replica of the company’s login portal — often mimicking Okta, Microsoft 365, or internal SSO pages. Buchanan’s group registered lookalike domains through NameCheap, targeting telecom carriers, crypto exchanges, and technology companies. Police found these domains on approximately 20 devices seized in an April 2023 search.

Step 3 — Real-Time Credential Relay: When an employee entered their username and password, the attackers didn’t store it and use it later. They relayed it immediately to the real company login page in real time — completing the authentication and harvesting a live session token before the employee even noticed anything was wrong.

Step 4 — MFA Bypass: For accounts protected by SMS-based two-factor authentication, the group used SIM swapping — convincing mobile carriers to transfer the victim’s phone number to an attacker-controlled SIM card. Incoming 2FA codes then routed to the attacker instead.

Step 5 — Escalate and Extract: Once inside corporate networks, co-conspirators exfiltrated data, accessed virtual currency wallets, and in the most damaging cases, handed off access to ransomware operators.

What It Cost the Victims

The $8 million in cryptocurrency theft is the figure from Buchanan’s specific charges. The full damage from Scattered Spider’s operations runs significantly higher.

MGM Resorts is the most visible example. In September 2023, Scattered Spider called MGM’s IT helpdesk, identified a target employee on LinkedIn, impersonated that person in a voice call, and convinced the agent to reset their credentials. Within minutes, attackers added a new MFA device, logged in, and pivoted through the network. Within days, MGM’s slot machines, digital room keys, and reservation systems were offline. The company reported $100 million in losses — and that’s before litigation, regulatory scrutiny, and reputational damage.

Caesars Entertainment paid a ransom to avoid the same outcome. Reports put the payment at approximately $15 million.

Twilio and Cloudflare both published post-mortems after the 2022 0ktapus campaign. Attackers sent SMS messages to employees posing as Okta login alerts; once a victim entered a one-time code into the fake site, the attackers replayed it in real time and hijacked active sessions.
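Both patterns in this section leave traces in the identity provider's own log: a relayed or SIM-swapped login completes from the attacker's network rather than the employee's, and the MGM helpdesk attack produced a reset followed within minutes by a new MFA device. The following is an added example, not code from the article or from any vendor, showing two detection rules over a constructed, simplified IdP event log. Event type names are loosely modelled on Okta System Log events; the log lines, ASN labels, users and 90-day baseline are all constructed assumptions.

```python
"""Added example, not from the article: two IdP-log detections for the relay/SIM-swap
and helpdesk-reset patterns described above. Event types are loosely modelled on
Okta System Log names; the log lines, ASN labels and user baseline are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Origin-bound factors: a look-alike page cannot forward these to the real IdP.
# Everything else (SMS, voice, TOTP, plain push) can be relayed or intercepted live.
PHISHING_RESISTANT = {"webauthn", "u2f"}


@dataclass
class Event:
    ts: datetime
    event_type: str
    user: str              # account the event is about
    actor: str             # who performed it (equals user for self-service actions)
    ip: str
    asn: str               # constructed label for the source network
    factor: Optional[str] = None


def parse_line(line: str) -> Event:
    """Constructed pipe-delimited format: ts|event_type|user|actor|ip|asn|factor."""
    ts, event_type, user, actor, ip, asn, factor = line.split("|")
    return Event(datetime.fromisoformat(ts), event_type, user, actor, ip, asn, factor or None)


# Constructed sample: one clean login, one SMS login from a hosting network,
# one helpdesk reset followed by a new factor from outside, one SMS login from
# the user's usual network, and a WebAuthn login from an unseen network that
# should NOT alert because the factor cannot have been relayed.
SAMPLE_LOG = """\
2023-09-10T08:02:11|user.session.start|alice@corp.example|alice@corp.example|203.0.113.10|AS64500-corp|webauthn
2023-09-10T08:05:42|user.session.start|bob@corp.example|bob@corp.example|198.51.100.7|AS64501-hosting|sms
2023-09-10T09:15:00|user.account.reset_password|carol@corp.example|helpdesk@corp.example|203.0.113.20|AS64500-corp|
2023-09-10T09:21:30|user.mfa.factor.activate|carol@corp.example|carol@corp.example|198.51.100.9|AS64501-hosting|push
2023-09-10T10:00:00|user.session.start|dave@corp.example|dave@corp.example|203.0.113.11|AS64500-corp|sms
2023-09-10T10:30:00|user.session.start|frank@corp.example|frank@corp.example|198.51.100.12|AS64501-hosting|webauthn
"""

# Constructed 90-day baseline of networks each user has previously authenticated from.
BASELINE = {u: {"AS64500-corp"} for u in
            ("alice@corp.example", "bob@corp.example", "carol@corp.example",
             "dave@corp.example", "frank@corp.example")}


def flag_relayable_logins_from_new_networks(events, baseline):
    """Rule 1: a login that completed with a relayable factor from a network the
    user has never used. In a live relay the IdP sees the attacker's proxy, not
    the employee's device, so the source network is the tell."""
    alerts = []
    for e in events:
        if e.event_type != "user.session.start" or e.factor in PHISHING_RESISTANT:
            continue
        if e.asn not in baseline.get(e.user, set()):
            alerts.append((e.user, "relayable factor from unseen network", e.ip))
    return alerts


def flag_enrollment_after_helpdesk_reset(events, window=timedelta(minutes=30)):
    """Rule 2: a new MFA factor activated shortly after a reset performed by
    someone other than the account owner (the MGM helpdesk pattern)."""
    resets = defaultdict(list)
    for e in events:
        if e.event_type == "user.account.reset_password" and e.actor != e.user:
            resets[e.user].append(e.ts)
    alerts = []
    for e in events:
        if e.event_type != "user.mfa.factor.activate":
            continue
        if any(t <= e.ts <= t + window for t in resets.get(e.user, [])):
            alerts.append((e.user, "new MFA factor within window of helpdesk reset", e.factor))
    return alerts


def run(log_text=SAMPLE_LOG, baseline=BASELINE):
    """Parse the log and apply both rules; returns alerts keyed by rule name."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return {
        "relay_or_simswap": flag_relayable_logins_from_new_networks(events, baseline),
        "post_reset_enrollment": flag_enrollment_after_helpdesk_reset(events),
    }


if __name__ == "__main__":
    for rule, alerts in run().items():
        for alert in alerts:
            print(rule, *alert)
```

Rule 1 deliberately ignores WebAuthn logins from new networks: a travelling employee with a hardware key is normal, and the factor itself proves the origin. Rule 2 keys on the actor differing from the account owner, which is exactly the signal a helpdesk-initiated reset produces and a self-service reset does not.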

Financial services firms weren’t spared: confirmed targets included PNC Financial Services, Transamerica, New York Life Insurance, Synchrony Financial, and Truist Bank.

The Control Failures — Mapped to What Examiners Will Ask

The Buchanan guilty plea gives compliance and risk teams a very specific checklist. These aren’t hypothetical attack vectors — they’re documented, proven, and still active. Here’s how each failure maps to your program:

Attack Method | Control Failure | What Examiners Want to See
SMS phishing to employees | Weak security awareness training on helpdesk impersonation | Annual training + phishing simulation results
Fake Okta login page | No browser-based phishing protection or certificate pinning | Endpoint protection logs, URL filtering
Real-time credential relay | SMS/TOTP-based MFA that can be relayed | FIDO2/hardware keys or push-based app MFA for privileged accounts
SIM swapping | Over-reliance on SMS 2FA | MFA policy documentation showing SMS is restricted to low-risk systems
Helpdesk voice vishing (MGM) | No callback verification requirement before account resets | Helpdesk procedures requiring out-of-band, multi-step identity verification
Lookalike domains | No domain monitoring for brand impersonation | Threat intelligence subscription or domain squatting monitoring
Lateral movement post-breach | Weak network segmentation | Network architecture diagrams showing segmentation for privileged systems

Five Things to Check Before Monday

If your organization still has SMS-based MFA on any high-risk system — email, SSO, VPN, or privileged access — this is your reminder to fix it.

1. Audit your MFA stack. Pull up your identity platform (Okta, Azure AD, Duo, whatever you’re running) and filter accounts by authentication method. How many use SMS or voice call as primary MFA? How many use hardware keys or FIDO2? If SMS is in use for systems with access to customer data, financial systems, or privileged accounts — escalate it now.

2. Review your IT helpdesk reset procedures. The MGM attack started with a phone call. Your helpdesk should not be able to reset credentials or add new MFA devices based solely on a caller providing an employee name and a few identifying details found on LinkedIn. Implement out-of-band callback verification: if someone calls to reset their account, hang up and call a verified number. Require a second verification factor before any account modification.

3. Check for lookalike domain registrations. Search for your company name across domain registration records. Services like dnstwist or commercial threat intel providers flag typosquat and homoglyph domains before attackers activate them. If you find them, report to your registrar and initiate takedowns.

4. Verify your incident response plan covers social engineering. Most IR plans focus on malware and technical exploitation. Scattered Spider’s entry point was a phone call and a text message. Does your plan include procedures for responding to credential theft via social engineering? For helpdesk-initiated account compromises? For SIM swap incidents? If not, update it — specifically these scenarios.

5. Run a tabletop that includes the helpdesk attack scenario. Walk your team through: “An attacker calls your helpdesk, impersonates an employee, and convinces your agent to reset a privileged account. What happens next? Who gets notified? How do you detect that the real employee never made that call?” If the room goes quiet, you have a gap.
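Item 1 above is the one that can be scripted. The following is an added example, not code from the article or from any identity vendor, that runs the MFA-stack audit over a constructed export of enrolled factors and ranks the findings. Factor names follow Okta's factorType values (sms, call, token:software:totp, push, webauthn, u2f, token:hardware); the export shape, group names, priorities and sample users are assumptions. It goes slightly beyond the article's question of "who uses SMS" by also flagging accounts that have a strong factor but keep SMS or voice enrolled as a fallback, since an attacker who reaches the factor-selection screen simply picks the weakest option.

```python
"""Added example, not from the article or any vendor: an MFA factor inventory
audit over a constructed export of enrolled factors. Factor names follow Okta's
factorType values; the export shape, group names and sample users are assumptions."""
from collections import Counter

PHISHING_RESISTANT = {"webauthn", "u2f", "token:hardware"}   # origin/hardware-bound; cannot be relayed
RELAYABLE = {"token:software:totp", "push", "email"}         # better than SMS, but a live relay can still pass them
SIM_SWAPPABLE = {"sms", "call"}                              # interceptable via SIM swap or port-out

# Constructed: groups whose members reach customer data, money movement or admin consoles.
PRIVILEGED_GROUPS = {"Okta Administrators", "Finance-Payments", "VPN-Admins"}

# Constructed export; in production build this from the IdP's per-user factor list.
EXPORT = [
    {"login": "alice@corp.example", "groups": ["Okta Administrators"], "factors": ["webauthn", "push"]},
    {"login": "bob@corp.example",   "groups": ["Finance-Payments"],    "factors": ["sms"]},
    {"login": "carol@corp.example", "groups": ["Everyone"],            "factors": ["token:software:totp", "sms"]},
    {"login": "dave@corp.example",  "groups": ["VPN-Admins"],          "factors": ["push", "call"]},
    {"login": "erin@corp.example",  "groups": ["Everyone"],            "factors": []},
]


def strongest_tier(factors):
    """Best tier among the enrolled factors. The weakest factor still enrolled is
    what an attacker will pick, so audit() checks both ends."""
    enrolled = set(factors)
    if enrolled & PHISHING_RESISTANT:
        return "phishing-resistant"
    if enrolled & RELAYABLE:
        return "relayable"
    if enrolled & SIM_SWAPPABLE:
        return "sms-voice-only"
    return "none"


def audit(export, privileged_groups=PRIVILEGED_GROUPS):
    """Return (tier counts, findings); each finding is (login, priority, reason)."""
    tiers, findings = Counter(), []
    for u in export:
        enrolled = set(u["factors"])
        tier = strongest_tier(enrolled)
        tiers[tier] += 1
        privileged = bool(privileged_groups & set(u["groups"]))
        weak = enrolled & SIM_SWAPPABLE
        if privileged and tier != "phishing-resistant":
            findings.append((u["login"], "P1",
                             f"privileged account without a phishing-resistant factor (strongest: {tier})"))
        elif privileged and weak:
            # Strong factor present, but SMS/voice left enrolled is a downgrade path.
            findings.append((u["login"], "P1", "privileged account keeps SMS/voice enrolled as a fallback"))
        elif tier == "sms-voice-only":
            findings.append((u["login"], "P2", "only SMS/voice MFA enrolled"))
        elif tier == "none":
            findings.append((u["login"], "P2", "no MFA factor enrolled"))
        elif weak:
            findings.append((u["login"], "P3", "SMS/voice still enrolled alongside a stronger factor"))
    return tiers, findings


if __name__ == "__main__":
    counts, results = audit(EXPORT)
    print("factor tiers:", dict(counts))
    for login, prio, reason in sorted(results, key=lambda f: f[1]):
        print(f"{prio} {login}: {reason}")
```

To run this against a live tenant, replace EXPORT with the per-user factor list your platform exposes (Okta's `GET /api/v1/users/{userId}/factors` returns the factorType values used here; other IdPs have equivalents) and populate PRIVILEGED_GROUPS from your own access model. The P1 list is the escalation the article asks for; the P3 list is the clean-up that closes the fallback path.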

The Co-Conspirators Still Out There

Buchanan isn’t the only one facing charges. His co-defendants include Ahmed Hossam Eldin Elbadawy, Evans Onyeaka Osiebo, and Joel Martin Evans — all charged but awaiting trial. Co-conspirator Noah Michael Urban, 21, previously pleaded guilty in April 2025 and was sentenced to 10 years in federal prison plus $13 million in restitution.

The broader Scattered Spider group has continued operating since the initial indictments. A July 2025 report documented the group pivoting to aviation targets. This isn’t a case study from an extinct threat actor — it’s an active criminal enterprise.

The Regulatory Angle

For financial institutions, the Scattered Spider attacks are not just a cybersecurity story. They’re an enforcement story.

SEC Regulation S-P and the 8-K cybersecurity disclosure rules require public companies to disclose material cyber incidents within four business days. MGM filed an 8-K in September 2023; the SEC has been scrutinizing whether companies are disclosing incidents promptly and accurately. If your organization experiences a Scattered Spider-style breach, disclosure obligations begin the moment the incident is confirmed as material — not after the full forensic investigation.

FFIEC examination guidance on authentication (most recently updated with the cybersecurity assessment tool) specifically calls out that SMS OTP is considered “single-factor authentication” for risk purposes because it can be intercepted. Banks using SMS OTP for customer-facing systems face questions in exams; SMS used for employee access to internal systems raises the same concerns.

The OCC, FDIC, and Federal Reserve have each incorporated cybersecurity resilience into their examination frameworks. An incident like this — where the attack vector was documented, widely publicized, and exploited against the institution anyway — will draw scrutiny about whether the risk was identified and adequately controlled.

For a practical framework on aligning your response and notification procedures to current requirements, the cyber resilience and business continuity framework covers the overlap between cyber incidents and operational resilience expectations.

The Broader Pattern: Human Layer Attacks Are the Entry Point

One of the most consistent findings across major breaches — Scattered Spider, MOVEit, Change Healthcare, Colonial Pipeline — is that technical defenses tend to hold right until the human layer fails. Perimeter firewalls, EDR, SIEM: all bypassed when an employee types their credentials into a fake page or a helpdesk agent resets the wrong account.

This case is a reminder that your incident response plan needs to account for the attack chain before the network is even touched. The containment and escalation procedures that matter most in a Scattered Spider-style attack aren’t the ones that kick in after malware is detected — they’re the identity verification controls that should have stopped the initial access.

The attack that cost MGM $100 million started with a LinkedIn search and a phone call. The controls that would have stopped it cost significantly less.


Ready to update your incident response plan to cover social engineering, credential theft, and breach notification timelines? The Incident Response & Breach Notification Kit includes a tested IR plan template, breach notification decision tree, and post-incident review guide built for compliance-heavy environments.

Frequently Asked Questions

What did Tyler Buchanan plead guilty to?
On April 17, 2026, Tyler Robert Buchanan, 24, of Dundee, Scotland, pleaded guilty in U.S. District Court in Santa Ana to one count of conspiracy to commit wire fraud and one count of aggravated identity theft. He faces up to 22 years in federal prison; sentencing is scheduled for August 21, 2026.
What is Scattered Spider and how did they attack companies?
Scattered Spider (also known as UNC3944 or 0ktapus) is a financially motivated cybercrime group that used SMS phishing and social engineering to breach corporate networks. Their core method: send fake IT helpdesk text messages, direct employees to lookalike login pages, harvest credentials and MFA tokens in real time, then use SIM swapping to intercept authentication codes.
Which financial services companies did Scattered Spider target?
Confirmed targets include PNC Financial Services, Transamerica, New York Life Insurance, Synchrony Financial, and Truist Bank. The group also hit MGM Resorts ($100M+ in losses), Caesars Entertainment, Twilio, Cloudflare, and more than 130 organizations overall.
Why is SMS-based MFA still a vulnerability after high-profile attacks?
SMS MFA is vulnerable to both SIM swapping (where attackers convince carriers to transfer a phone number) and real-time phishing relay (where the MFA code is harvested immediately as the victim types it). Neither the carrier nor the authentication system can distinguish an attacker replaying a legitimate code from the real user.
What controls would have stopped Scattered Spider's attacks?
The key defensive controls are: (1) phishing-resistant MFA like FIDO2/hardware security keys that cannot be relayed; (2) strict out-of-band callback verification before any helpdesk account reset; (3) lookalike domain monitoring; (4) real-time anomalous session detection; and (5) regular social engineering tabletop exercises for IT helpdesk staff.
What should compliance teams do after the Scattered Spider conviction?
Compliance teams should review the current MFA stack, verify helpdesk identity verification procedures require more than a voice call, check for SMS-based MFA exposure in high-risk systems, ensure incident response plans include social engineering attack scenarios, and update employee security awareness training to include helpdesk impersonation tactics.
Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
