How Scattered Spider Pulled Off a Major SMS Phishing and SIM Swapping Scheme: A Step-by-Step Breakdown


Introduction

In the summer of 2022, the cybercrime group known as Scattered Spider executed a devastating series of attacks that targeted major technology companies and cryptocurrency investors. At the heart of the operation was Tyler Robert Buchanan (alias "Tylerb"), a 24-year-old British national who recently pleaded guilty to wire fraud conspiracy and aggravated identity theft. This guide breaks down the exact steps Scattered Spider used to steal tens of millions of dollars—and how their trail of digital evidence eventually led to Buchanan’s capture.

[Image] Source: krebsonsecurity.com

What You Need (Prerequisites for the Attack)

To replicate this kind of cybercrime (for educational understanding only), the attackers required:

The Steps of the Attack

Step 1: Domain Registration and Reconnaissance

Less than a month before the phishing spree began, Buchanan logged into a NameCheap account from a U.K. internet address leased to him. He registered multiple domains that mimicked trusted services, such as twilio-support.com and lastpass-reset.com. These domains would later host convincing login pages.

Step 2: Launching SMS Phishing Attacks

Using the registered domains, the group crafted SMS messages that appeared to come from the target companies. The texts warned of account issues, password resets, or security alerts, and included a link to a fake login page. Tens of thousands of these messages were sent in 2022, hitting employees at Twilio, DoorDash, LastPass, and Mailchimp.
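As an added defender-side example (not code from the original article or from the Krebs reporting it summarizes), the Python below scans SMS text for links whose hostname embeds the name of a brand the campaign impersonated but is not that brand's real domain, the twilio-support.com / lastpass-reset.com pattern described in Steps 1 and 2. The brand allowlist, the sample messages and the two-label "registered domain" heuristic are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of the real domains of the brands named in the article.
# A real deployment would load its own list (and handle multi-part suffixes).
LEGIT_DOMAINS = {
    "twilio": {"twilio.com"},
    "lastpass": {"lastpass.com"},
    "doordash": {"doordash.com"},
    "mailchimp": {"mailchimp.com"},
}

# Matches bare or scheme-prefixed hostnames with an optional path.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)

def registered_domain(host):
    """Naive registered domain: the last two labels (assumption; ignores e.g. co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def extract_hosts(text):
    """Pull every hostname out of the links in an SMS body."""
    hosts = []
    for m in URL_RE.finditer(text):
        raw = m.group(0)
        if not raw.lower().startswith("http"):
            raw = "http://" + raw          # urlparse needs a scheme to see a netloc
        host = urlparse(raw).hostname
        if host:
            hosts.append(host)
    return hosts

def flag_lookalikes(text):
    """Return (host, brand) pairs where the host name contains a brand but is not its real domain.

    Hyphens and dots are stripped before matching so twilio-support.com and
    doordash.com.account-check.net both trigger, while help.twilio.com does not.
    """
    findings = []
    for host in extract_hosts(text):
        reg = registered_domain(host)
        flattened = host.replace("-", "").replace(".", "")
        for brand, allowed in LEGIT_DOMAINS.items():
            if brand in flattened and reg not in allowed:
                findings.append((host, brand))
    return findings

# Constructed sample messages modelled on the lures described in the article.
SAMPLE_SMS = [
    "Twilio: your schedule has changed. Review at https://twilio-support.com/login",
    "LastPass security alert. Reset now: lastpass-reset.com/verify",
    "Reminder: team meeting at 3pm, agenda at https://help.twilio.com/docs",
    "DoorDash: verify your account http://doordash.com.account-check.net/sso",
]

def scan_messages(messages):
    """Map message index -> findings, for every message that has at least one."""
    return {i: f for i, m in enumerate(messages) if (f := flag_lookalikes(m))}
```

Homoglyph spellings (twil1o) are not caught by this substring check; a production filter would add a similarity measure on top of it.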

Step 3: Gaining Access via Social Engineering

When employees clicked the link and entered their credentials, Scattered Spider immediately captured them. But the group didn’t stop there. They often called the company’s IT help desk, pretending to be the very same employees whose passwords they’d just stolen. By using personal details gleaned from the phishing page, they convinced support staff to approve multifactor authentication (MFA) resets or grant VPN access.

Step 4: Data Exfiltration from Corporate Networks

Once inside a company’s network, the attackers moved laterally to extract sensitive customer data. From Twilio they obtained two-factor authentication codes; from LastPass they grabbed password vault backups; from DoorDash they pulled driver and order information. This stolen data became the fuel for the next step.


Step 5: SIM-Swapping Individual Victims

With corporate data in hand, Scattered Spider identified high-value cryptocurrency investors. They then executed SIM-swap attacks: by calling mobile carriers and impersonating the victim using stolen personal information, they transferred the victim’s phone number to a SIM card controlled by the group. This allowed them to intercept one-time passcodes sent via SMS and reset passwords on crypto exchange accounts.

Step 6: Stealing Cryptocurrency

Once the victim’s phone number was hijacked, the attackers drained exchange accounts and private wallets. Buchanan admitted to stealing at least $8 million in virtual currency from individual victims across the United States. The funds were quickly laundered through mixing services and converted to untraceable assets.

The Aftermath and Consequences

Buchanan’s operation unraveled when FBI investigators tied his online alias to the phishing domains. After a rival gang attacked his home in the U.K., he fled to Spain, but was detained by airport authorities. He now faces more than 20 years in a U.S. prison. His guilty plea in 2025 marked a major victory for law enforcement against the Scattered Spider group.

Tips to Protect Yourself from Similar Attacks

By understanding how Scattered Spider operated, you can better defend against the next wave of social engineering attacks. Stay vigilant, question unexpected requests, and never underestimate the power of a simple text message.
