How Scattered Spider Executed a Multi-Million Dollar Crypto Heist: A Step-by-Step Breakdown


Introduction

In the summer of 2022, the cybercrime group Scattered Spider orchestrated a devastating series of attacks that netted tens of millions of dollars in cryptocurrency. One of its senior members, Tyler Robert Buchanan (handle “Tylerb”), pleaded guilty to wire fraud conspiracy and aggravated identity theft. This guide breaks down the group’s tactics step by step, based on court documents and incident reports, so you can understand exactly how they operated.

How Scattered Spider Executed a Multi-Million Dollar Crypto Heist: A Step-by-Step Breakdown
Source: krebsonsecurity.com

What You Need (for a Scattered Spider–style Attack)

Step-by-Step Execution

Step 1: Gather Intelligence and Craft the Lure

Scattered Spider operators spent weeks profiling employees of major tech companies. They scraped LinkedIn, corporate websites, and data broker sites to build a picture of each target’s role, department, and communication style. Buchanan used his own online activity to identify which employees would be most receptive to SMS phishing—often those in IT support or finance.

Once intelligence was collected, the group created text messages that appeared to come from the company’s own security team, warning the target about a “compromised password” and urging them to click a link to verify their account.

Step 2: Register Phishing Domains

Buchanan registered dozens of lookalike domains (e.g., twilio-secure[.]com, lastpass-verify[.]net) using a single email address and username. FBI investigators later traced these registrations to Buchanan’s home IP address in the UK, leased to him throughout 2022. The domains were set up just weeks before the massive phishing campaign began.

Step 3: Launch Tens of Thousands of SMS Phishing Attacks

In the summer of 2022, the group sent out massive waves of SMS messages—tens of thousands in total—targeting employees at companies like Twilio, LastPass, DoorDash, and Mailchimp. Each message included a link to one of the malicious domains, which displayed a fake login page perfectly mimicking the real company portal.
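The lookalike domains in Steps 2 and 3 follow a recognisable pattern: a protected brand name combined with a security-themed lure word, the brand on a foreign TLD, or a one-character typosquat. The following is an added example (not from the original article or any of the companies named) of a defender-side triage function that flags such domains in a feed of newly seen names; the brand list, the legitimate apex domains and the sample feed are assumptions constructed for illustration.

```python
import re

# Brands the article names as targets; the legitimate apex domains are assumed here.
PROTECTED = {"twilio": "twilio.com", "lastpass": "lastpass.com",
             "doordash": "doordash.com", "mailchimp": "mailchimp.com"}
# Words the lures on this page used to impersonate an internal security or IT team.
LURE_WORDS = {"secure", "security", "verify", "sso", "okta", "login", "helpdesk", "vpn", "mfa"}


def levenshtein(a, b):
    """Edit distance; a value of 1 is a classic typosquat (twillio, twilo, ...)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (brand, reason) when `domain` looks like a lookalike, else None."""
    domain = domain.lower().rstrip(".")
    if any(domain == legit or domain.endswith("." + legit) for legit in PROTECTED.values()):
        return None  # the real apex domain and its own subdomains are not lookalikes
    labels = domain.split(".")
    sld = labels[-2] if len(labels) > 1 else labels[0]  # label directly left of the TLD
    tokens = set(re.split(r"[-_.]", ".".join(labels[:-1])))  # every label, split on - and _
    for brand in PROTECTED:
        if brand in tokens and tokens & LURE_WORDS:
            return brand, "brand combined with a security lure word"
        if sld == brand:
            return brand, "brand name on a different TLD"
        if brand in sld:
            return brand, "brand embedded in a longer label"
        if levenshtein(sld, brand) == 1:
            return brand, "one character edit from the brand"
    return None


def triage(feed):
    """Run newly seen domains through classify() and return only the hits."""
    return {d: classify(d) for d in feed if classify(d)}


# Constructed sample feed, as a certificate-transparency or new-registration monitor might emit.
SAMPLE_FEED = ["twilio-secure.com", "lastpass-verify.net", "twilio.com",
               "status.twilio.com", "twillio.com", "mailchimp-sso.xyz",
               "doordash.net", "secure-payments.example", "okta.com"]

if __name__ == "__main__":
    for hit, (brand, reason) in triage(SAMPLE_FEED).items():
        print(f"{hit}: impersonates {brand} ({reason})")
```

A hit is a trigger for takedown requests and for blocking the domain at the mail and web proxy before a lure reaches staff.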

Step 4: Exploit Help Desk for Access

When a target entered their credentials on the phishing page, Scattered Spider immediately used them to call the company’s help desk. Posing as the newly “locked out” employee, they asked for a password reset or a one-time passcode sent to their own phone. This social engineering trick—known as vishing (voice phishing)—bypassed MFA and gave the attackers a foothold inside the corporate network.

Step 5: Move Laterally and Extract Data

Once inside, the group used standard tools (e.g., PowerShell, RDP) to move laterally across the network. They stole customer databases, session tokens, and API keys. At Twilio, they extracted internal tools used for SMS verification—a key asset for their next phase. Data stolen from multiple tech companies was then combined to create a powerful arsenal for SIM swapping.


Step 6: Launch Targeted SIM Swaps

With access to telecom APIs and customer records, Scattered Spider initiated SIM swap attacks on high-value cryptocurrency investors. Using the stolen data, they convinced mobile carriers to transfer the victim’s phone number to an attacker-controlled device. This allowed them to intercept SMS-based one-time passwords and password reset links.

Step 7: Drain Cryptocurrency Wallets

With phone numbers under their control, the group reset passwords on crypto exchange accounts and wallet services. They then transferred funds to their own wallets, eventually moving them through mixers and exchanges to launder the money. Buchanan alone admitted stealing at least $8 million in virtual currency from U.S. victims.

Step 8: Evade Arrest—Until It Catches Up

After the attacks, Buchanan fled the UK in February 2023 following a violent incident where a rival gang assaulted his mother and threatened him. He was later arrested by Spanish authorities and extradited to the U.S. He now faces more than 20 years in prison.

Tips to Protect Your Organization

By understanding each step Scattered Spider took, you can build stronger defenses against these increasingly common attacks. Stay vigilant—the next “Tylerb” might already be planning their campaign.
