
Inside the Scattered Spider Playbook: Anatomy of an SMS Phishing and SIM Swap Attack

Last updated: 2026-05-18 15:37:56 Intermediate

Overview

The cybercrime group known as Scattered Spider (also tracked as UNC3944) has been responsible for a series of devastating social engineering attacks against major technology companies and cryptocurrency investors. Its senior member, Tyler Robert Buchanan (a.k.a. “Tylerb”), recently pleaded guilty to wire fraud conspiracy and aggravated identity theft, admitting his role in a summer 2022 SMS-based phishing campaign that compromised at least a dozen firms including Twilio, LastPass, DoorDash, and Mailchimp. This guide dissects the methodology used by Buchanan and his co-conspirators to steal millions in cryptocurrency, giving security professionals, incident responders, and curious readers a detailed, step‑by‑step walkthrough of the attack chain.

Inside the Scattered Spider Playbook: Anatomy of an SMS Phishing and SIM Swap Attack
Source: krebsonsecurity.com

Prerequisites for the Attack

Before launching the campaign, Scattered Spider assembled a specific set of skills and tools:

  • Social engineering expertise – Ability to impersonate employees or contractors convincingly, often using publicly available information from LinkedIn, corporate websites, and previous data breaches.
  • Bulk SMS sending infrastructure – A service or script capable of sending tens of thousands of text messages quickly, with a spoofed or legitimate sender ID (e.g., “IT Support”).
  • Phishing domain registration – Access to domain registrars like NameCheap for creating lookalike domains (e.g., twilio‑secure.com) that mimic legitimate login pages.
  • SIM swap capability – Relationships with corrupt telecom employees or use of social engineering to trick carrier support into transferring a victim’s phone number to a new SIM card.
  • Cryptocurrency laundering channels – Mixers, peer‑to‑peer exchanges, or decentralized platforms to convert stolen assets into clean funds.

Step‑by‑Step Execution

Step 1: Target Reconnaissance

Scattered Spider identified two types of victims:

  1. Corporate employees at technology companies – They gathered names, job titles, and contact details of IT helpdesk staff and high‑value users via OSINT (open‑source intelligence).
  2. Cryptocurrency investors – They scraped social media, forums, and blockchain analytics to find individuals with large wallets.

Step 2: Phishing Domain Setup

Buchanan and his team registered dozens of lookalike domains. According to the FBI, the same username and email address were used to register the domains, and NameCheap logs showed a login from a UK IP address leased to Buchanan weeks before the campaign. Illustrative examples of such domains (constructed for this guide, not names taken from the case records) might look like:

  • twilio‑auth.com
  • lastpass‑verify.net
  • door‑dash‑secure.com

Step 3: SMS Phishing Wave

In summer 2022, the group sent tens of thousands of SMS messages claiming to be from the target company’s IT department, warning of “suspicious login attempts” or “account verification required.” Each message contained a link to the fraudulent domain. A typical message read:

“Twilio: Unusual sign‑in detected. Verify your identity now: [http://twilio‑auth.com/verify]”

When the recipient clicked the link, they were presented with a replica of the company’s login page. Entering credentials sent them directly to the attackers.
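As an added defensive example (not code from the original guide or the Krebs article), the helper below triages reported SMS text the way an abuse desk might: it extracts links, flags hosts that embed a protected brand name without being that brand's genuine domain (the lookalike pattern of Step 2), and downgrades urgency-only messages to "suspicious" rather than "phishing". The brand list, genuine-domain set, urgency phrases and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumptions: brands a defender protects and their genuine registrable domains.
PROTECTED_BRANDS = ("twilio", "lastpass", "doordash", "mailchimp")
GENUINE_DOMAINS = {"twilio.com", "lastpass.com", "doordash.com", "mailchimp.com"}
# Urgency wording from the lure quoted in the guide, plus close variants.
URGENCY_PHRASES = ("unusual sign-in", "suspicious login",
                   "verify your identity", "account verification")
URL_RE = re.compile(r'https?://[^\s\]\)>"]+')

def registrable_domain(host):
    """Naive registrable domain (last two labels); enough for .com/.net names."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_lookalike(host):
    """Return the impersonated brand if host mimics a protected brand, else None."""
    if registrable_domain(host) in GENUINE_DOMAINS:
        return None  # api.twilio.com and friends are the real thing
    # Collapse separators so 'door-dash-secure.com' and 'twilio.com.evil.net'
    # both expose the embedded brand name.
    core = re.sub(r"[^a-z0-9]", "", host.lower())
    for brand in PROTECTED_BRANDS:
        if brand in core:
            return brand
    return None

def triage_sms(text):
    """Classify a reported SMS: returns (verdict, [(url, brand), ...]).
    'phishing' = a link to a lookalike host; 'suspicious' = urgency wording
    plus any link; 'clean' otherwise. Lookalike hits still need a human look,
    because brand-owned domains missing from GENUINE_DOMAINS also trigger."""
    flagged = []
    for url in URL_RE.findall(text):
        brand = is_lookalike(urlparse(url).hostname or "")
        if brand:
            flagged.append((url, brand))
    if flagged:
        return "phishing", flagged
    if any(p in text.lower() for p in URGENCY_PHRASES) and URL_RE.search(text):
        return "suspicious", []
    return "clean", []

# Constructed sample messages modelled on the lure quoted in Step 3.
SAMPLE_SMS = [
    "Twilio: Unusual sign-in detected. Verify your identity now: [http://twilio-auth.com/verify]",
    "Your package arrives today: http://example.org/track",
]
```

Run `triage_sms(msg)` over each entry of `SAMPLE_SMS`; the first returns a phishing verdict naming the impersonated brand, the second is clean.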

Step 4: Corporate Account Takeover

With stolen credentials, Scattered Spider logged into corporate systems (e.g., Twilio’s customer portal or LastPass’s admin panel). They then:

  • Extracted stored API keys, customer databases, and internal tools.
  • Gathered additional employee PII (personally identifiable information) to use in the next stage.

Step 5: SIM Swapping

The data stolen from corporations enabled the gang to perform SIM‑swapping attacks against individual cryptocurrency investors. The process:

  1. Collect victim’s phone number and personal details (from corporate breaches or third‑party leaks).
  2. Contact the victim’s mobile carrier (e.g., T‑Mobile, Verizon) pretending to be the victim, claiming they lost their SIM card.
  3. Provide verification info – Using the stolen data to answer security questions (mother’s maiden name, last 4 digits of SSN, etc.).
  4. Carrier activates new SIM – The attacker’s device now receives all SMS and calls for the victim’s number.

Step 6: Cryptocurrency Theft

With control over the victim’s phone number, the attackers:

  • Reset passwords on cryptocurrency exchange accounts (e.g., Coinbase, Binance) using SMS password‑reset links.
  • Bypass 2FA – SMS‑based two‑factor authentication codes now arrive on the attacker’s phone.
  • Drain wallets – Transfer all funds to attacker‑controlled wallets.

Buchanan admitted to stealing at least $8 million in virtual currency from victims across the United States.

Common Mistakes

Mistakes Made by Scattered Spider

  • Reusing accounts for domain registration – The FBI traced the phishing domains to a single NameCheap account, which had a login IP address linked to Buchanan.
  • Using a residential ISP – Buchanan logged in from his own home IP address in the UK, which police easily tied to his lease records.
  • Leaving digital fingerprints – The same username/email was used repeatedly, enabling investigators to connect the domains to a single person.

Mistakes Made by Victims

  • Clicking links in unsolicited SMS – Even tech‑savvy employees fell for urgent‑sounding messages.
  • Using SMS for 2FA – SIM swapping defeats SMS‑based authentication outright, because the second factor is delivered to whoever controls the phone number; hardware tokens (e.g., YubiKey) or app‑based authenticators are far safer.
  • Weak carrier verification – Mobile carriers often accept easily guessed answers to security questions. Using a PIN or port‑out lock can help.

Summary

The Scattered Spider operation demonstrated a textbook hybrid attack: phishing corporations for data, then pivoting to SIM swaps to drain cryptocurrency. Their downfall came from poor operational security (reusing accounts, using home IPs). Tyler Buchanan now faces over 20 years in prison. For defenders, the key takeaways are: never rely on SMS as a sole authentication method, implement phishing‑resistant MFA, and educate employees to verify suspicious messages through a separate channel. The playbook is public now—but so are the lessons to stop it.