Tyler Robert Buchanan, the 24-year-old Scottish national operating under the handle “Tylerb,” has pleaded guilty in a US federal court in California to one count of conspiracy to commit wire fraud and one count of aggravated identity theft, per Krebs on Security and corroborating reporting from The Register on April 20, 2026. He becomes the second senior Scattered Spider figure to enter a plea in US courts, and his case is the cleanest documentary record yet of how the crew operated during the 2022 spree that earned it a name.
What the plea actually covers
The charges trace back to a text-message phishing campaign in the summer of 2022 that, per the underlying indictment cited by both outlets, hit at least a dozen major US technology companies. Inside those tenants, the group pivoted to SIM-swap operations against high-value cryptocurrency holders. The Department of Justice statement quoted in The Register says Buchanan “and several co-conspirators used the information stolen from company intrusions to identify and gain access to virtual currency accounts.” Buchanan personally admitted to stealing at least $8 million in virtual currency from individual victims, with the broader conspiracy moving roughly $11 million in the eighteen months between September 2021 and April 2023.
Beyond “Tylerb,” Buchanan operated under aliases including “Dread Pirate Roberts” and “Evefan.” Krebs notes that Tylerb appeared at #65 on a long-running internal leaderboard maintained by SIM-swappers ranking each other by total cryptocurrency theft, a small but useful detail for anyone modelling crew structure: the operators ranked each other, and the rankings survived the law-enforcement campaign against them.
How the case got here
The procedural timeline is notable. Buchanan was arrested at Palma airport in Mallorca in June 2024, extradited to the United States in April 2025, and reached a plea twelve months later. His sentencing hearing is scheduled for August 21, 2026, with a statutory maximum of 22 years in federal prison. He follows Noah Michael Urban, the first Scattered Spider member to plead guilty, who received a 10-year sentence in August 2025.
Three other senior figures — Ahmed Hossam Eldin Elbadawy, 24; Evans Onyeaka Osiebo, 21; and Joel Martin Evans, 26 — remain charged in the same case and have not yet entered pleas, per The Register’s reporting. Two convictions and three pending defendants is a relatively narrow law-enforcement footprint against a crew that in 2023–2024 was, by IR-vendor consensus, behind some of the year’s largest ransomware-adjacent intrusions across hospitality, retail, and insurance.
What this means
For defenders, “Tylerb” is more interesting as a procedural milestone than as a tactical update. The TTPs at issue — text-message phishing into help-desk social engineering, lateral movement into identity providers, then SIM-swap monetization — are the same TTPs the crew is still using. Two convictions in nine months is meaningful pressure on the named operators but does not retire the playbook, and the durability of a crew like Scattered Spider has historically tracked the durability of its tooling and its access to compromised carrier insiders rather than the freedom of any individual member. For the practitioner, the read is to keep treating help-desk social engineering as a primary inbound vector regardless of who is currently in custody.
