QuantNest Radar

Scattered Spider's Tyler Buchanan: Inside the Hacking Techniques Behind the M&S, Co-op, and US Corporate Breaches

Introduction: When Social Engineering Becomes a Multi-Million Dollar Crime

Most cybersecurity professionals have accepted that technical controls alone won't stop a determined attacker. The case of Tyler Buchanan — a 24-year-old from Dundee, Scotland — is a masterclass in why that's true. Buchanan, believed to be a key member of the notorious Scattered Spider threat group, has pleaded guilty to hacking into US companies and attempting to steal at least £5.9 million in cryptocurrency. He now faces up to 22 years in federal prison.

This isn't a story about zero-days or nation-state malware. It's about teenagers and young adults weaponizing phone calls, SIM swaps, and identity impersonation to bypass billion-dollar enterprise security stacks. Attacks attributed to Scattered Spider, the group Buchanan is linked to, hit major UK retailers including Marks & Spencer and Co-op, causing significant operational disruption and reputational damage. Understanding how these attacks unfold, technically, operationally, and psychologically, is essential for any SOC analyst or security architect responsible for defending modern environments.

Technical Overview: What Is Scattered Spider?

Scattered Spider (also tracked as UNC3944, 0ktapus, Octo Tempest, Starfraud, and Muddled Libra by various threat intel vendors) is a loosely organized, primarily English-speaking cybercriminal collective. Unlike the tightly structured ransomware-as-a-service operations it has worked alongside, Scattered Spider recruits members through Telegram channels, Discord servers, and cybercrime forums. Many of its members are native English speakers aged 16–25, which gives them a dangerous edge: they can impersonate IT helpdesk staff, or a locked-out employee calling the helpdesk, convincingly.

The group's primary attack vectors include:

  • SIM Swapping: Convincing mobile carriers to transfer a victim's phone number to an attacker-controlled SIM, enabling MFA bypass.
  • Vishing (Voice Phishing): Calling corporate helpdesks while impersonating employees to reset credentials or disable MFA.
  • Phishing via SMS (Smishing): Texting links to fake Okta or Azure AD (now Microsoft Entra ID) login portals to harvest credentials.
  • Insider Recruitment: In some cases, bribing employees to install remote access tools or provide credentials directly.

Once inside a network, the group pivots aggressively — targeting identity providers, password managers, and cloud environments to maximize data exfiltration and financial theft.

Deep Technical Breakdown: How the Attack Chain Works

Phase 1: OSINT and Target Profiling

Before a single phone call is made, Scattered Spider operators conduct extensive open-source intelligence gathering. LinkedIn is used to identify IT helpdesk staff, HR personnel, and VIP employees. Tools like Hunter.io and corporate directories expose email formats. Public breach databases provide credential pairs for credential stuffing. The group also uses leaked employee data to answer security questions or construct believable cover stories during vishing calls.

Phase 2: SIM Swap and MFA Defeat

SIM swapping is the linchpin of many Scattered Spider operations. The attacker contacts the victim's mobile carrier — often with forged ID documents or insider assistance — and requests a SIM transfer. Once successful, any SMS-based one-time passwords (OTPs) are rerouted to the attacker. This effectively neutralizes SMS-based MFA, which is still widely deployed across enterprises despite well-known weaknesses.

Where push-based authenticator apps are in use, the group pivots to MFA fatigue attacks: bombarding the user with push approval prompts, often paired with a call from the "helpdesk" telling them to accept, until the victim, exhausted and confused, approves one. Against one-time codes from an authenticator app, they use real-time adversary-in-the-middle phishing proxies (tools like Evilginx2 or Modlishka) that sit between the victim and the legitimate login portal, relaying the code and capturing the resulting session cookie as the user authenticates. Hardware FIDO2/WebAuthn keys are the exception: the signed assertion is bound to the portal's origin, so a proxy on a lookalike domain cannot replay it, and there is no push prompt to fatigue.

Phase 3: Identity Provider Compromise

With valid credentials and a bypassed MFA, Scattered Spider targets the identity provider (IdP) — typically Okta or Azure AD. Owning the IdP is equivalent to owning the entire organization's access layer. From here, attackers can create new privileged accounts, disable existing MFA policies, and generate federation tokens that grant access to downstream SaaS applications, cloud environments (AWS, Azure, GCP), and internal tools.

Phase 4: Cryptocurrency Theft and Data Exfiltration

In Buchanan's case, the primary financial objective was cryptocurrency theft. After compromising corporate environments, attackers access internal systems to locate employee crypto wallets, identify custodial accounts, or manipulate payroll and vendor payment systems. Data exfiltration often runs in parallel — customer PII, internal communications, and proprietary business data are harvested for extortion leverage.

Attack Flow: Step-by-Step Execution

  1. Reconnaissance: OSINT gathering via LinkedIn, breach databases, and public directories to identify targets and build cover stories.
  2. SIM Swap / Credential Phishing: Carrier social engineering or real-time phishing proxy deployment to capture credentials + session tokens.
  3. MFA Bypass: SIM swap for OTP interception, MFA fatigue attacks, or adversary-in-the-middle phishing.
  4. Helpdesk Vishing: Calling IT support impersonating the compromised employee to reset accounts or disable security controls.
  5. IdP Takeover: Logging into Okta/Azure AD to create backdoor accounts and expand access laterally.
  6. Cloud and SaaS Pivot: Using federated access to move into AWS, M365, Salesforce, or other business-critical platforms.
  7. Cryptocurrency Exfiltration: Locating and transferring crypto holdings; manipulating payment systems.
  8. Extortion / Ransomware Deployment: In some Scattered Spider operations, ransomware (such as ALPHV/BlackCat) is deployed as a final-stage pressure tactic.

Real-World Example: The M&S and Co-op Incidents

The UK retail sector bore the brunt of Scattered Spider's aggression in a significant campaign that disrupted operations at Marks & Spencer and Co-op. While full technical forensics from these incidents remain partially undisclosed, the attack pattern is consistent with the group's known TTPs. M&S experienced severe disruption to its online ordering systems, contactless payment infrastructure, and supply chain logistics — reportedly caused by ransomware deployment following an initial identity compromise.

Co-op was also targeted, with attackers reportedly attempting to exfiltrate large volumes of customer and employee data. The group's use of compromised Okta sessions — a hallmark of Scattered Spider — allowed lateral movement through cloud environments without triggering traditional endpoint detection tools, since the activity appeared as legitimate authenticated access.

Tyler Buchanan's guilty plea covers the group's cryptocurrency theft operations against US companies; the UK retail incidents have been attributed to the wider Scattered Spider collective rather than to any single charged individual, which reinforces the group's cross-border, multi-target operational model.

Detection: What SOC Teams Should Be Looking For

Identity and Authentication Anomalies

  • MFA push notifications accepted outside normal working hours or from unusual geolocations.
  • Rapid successive MFA failures followed by a successful authentication (MFA fatigue signature).
  • New privileged accounts created within hours of a credential reset event.
  • Okta or Azure AD admin activity from previously unseen IP addresses or ASNs.

Network and Infrastructure Signals

Monitor for authentication attempts originating from residential proxy networks, commercial VPN egress, hosting providers, or Tor exit nodes. Use a tool like the IP/URL Threat Scanner to quickly assess whether source IPs used in login attempts are flagged in threat intelligence feeds; this is particularly useful during live incident triage when speed matters.

Additionally, examine DNS query patterns for newly registered domains that mimic internal tooling (e.g., okta-helpdesk-company[.]com). Scattered Spider frequently registers lookalike domains days before an attack. The DNS Intelligence tool can surface passive DNS history and registration anomalies for domains observed in phishing lures or suspicious redirects.
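The lookalike-domain check described above, as an added example that is not code from the article or from any vendor tool. It scans a resolver log for names that combine a brand or tooling token (okta, sso, helpdesk, ...) with the target company's name, or that are string-similar to a legitimate login domain. The legitimate domains, tokens, and log lines are all constructed for the demo; a real deployment would take them from the organisation's own inventory and DNS telemetry, and would use the Public Suffix List instead of the crude two-label registrable-domain helper shown here.

```python
"""Flag lookalike domains in a DNS query log.

Added example for this article, not code from QuantNest or any vendor. The
legitimate domains, brand tokens and the log lines are all constructed; a real
deployment would take them from the organisation's own inventory and resolver logs.
"""
import difflib

# Hosts the hypothetical organisation legitimately uses for login and IT tooling.
LEGIT_DOMAINS = {
    "example-corp.okta.com",
    "login.microsoftonline.com",
    "helpdesk.example-corp.com",
}
# Tokens the group's lures combine with the target's name, e.g. okta-helpdesk-company[.]com.
BRAND_TOKENS = ("okta", "sso", "helpdesk", "servicedesk", "vpn", "mfa", "login")
COMPANY_TOKENS = ("example-corp", "examplecorp")
SIMILARITY_THRESHOLD = 0.8

# Constructed resolver log: "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2025-04-20T09:01:12Z 10.0.4.17 login.microsoftonline.com
2025-04-20T09:01:15Z 10.0.4.17 example-corp.okta.com
2025-04-20T09:03:40Z 10.0.9.22 okta-helpdesk-examplecorp.com
2025-04-20T09:03:41Z 10.0.9.22 sso-example-corp.net
2025-04-20T09:05:02Z 10.0.2.8 example-corp-okta.com
2025-04-20T09:06:30Z 10.0.2.8 www.bbc.co.uk
"""


def registrable(qname: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the .com/.net cases here; use the
    Public Suffix List in production so co.uk-style suffixes are handled."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_legit(qname: str) -> bool:
    """True for the known-good hosts and anything beneath them."""
    return qname in LEGIT_DOMAINS or any(qname.endswith("." + d) for d in LEGIT_DOMAINS)


def score_domain(qname: str) -> dict:
    """Verdict for one queried name: a brand+company token combination, or high
    string similarity to a legitimate registrable domain, marks it suspicious."""
    q = qname.lower().rstrip(".")
    if is_legit(q):
        return {"qname": q, "suspicious": False, "reasons": []}
    reg = registrable(q)
    reasons = []
    if any(t in reg for t in BRAND_TOKENS) and any(t in reg for t in COMPANY_TOKENS):
        reasons.append("brand and company tokens combined in registrable domain")
    for legit in sorted(LEGIT_DOMAINS):
        legit_reg = registrable(legit)
        ratio = difflib.SequenceMatcher(None, reg, legit_reg).ratio()
        if reg != legit_reg and ratio >= SIMILARITY_THRESHOLD:
            reasons.append(f"{ratio:.2f} similar to {legit_reg}")
    return {"qname": q, "suspicious": bool(reasons), "reasons": reasons}


def scan_dns_log(log: str) -> list:
    """Return one finding per suspicious query, keeping the client that made it
    so the host can be pulled for triage."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client_ip, qname = line.split()
        verdict = score_domain(qname)
        if verdict["suspicious"]:
            findings.append({"ts": ts, "client_ip": client_ip, **verdict})
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f["ts"], f["client_ip"], f["qname"], "|", "; ".join(f["reasons"]))
```

Three of the six constructed queries are flagged: two by the token rule alone, and example-corp-okta.com by both the token rule and its 0.86 similarity to example-corp.com. The token rule is deliberately the primary signal; edit distance on its own misses the group's usual pattern of prepending or appending a brand word rather than typo-squatting.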

SIEM and EDR Rules

  • Alert on: New Okta admin role assigned within 24hrs of password reset
  • Alert on: AWS IAM user created from non-corporate ASN
  • Alert on: Mass download from SharePoint/OneDrive by single user within 1-hour window
  • EDR: Flag remote access and tunneling tools (AnyDesk, Ngrok, Twingate, and similar RMM or reverse-tunnel software) installed outside the sanctioned software deployment pipeline
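The first SIEM rule above (admin role assigned within 24 hours of a password reset), as an added example that is not code from the article, from Okta, or from any SIEM vendor. The records use a simplified Okta System Log-like shape (published, eventType, actor, target); the eventType strings follow Okta's naming for resets and privilege grants, but the field layout is an assumption and every record is constructed. The rule checks both sides of the grant, because the common pattern is to reset a real administrator through the helpdesk and then use that administrator to provision a backdoor account.

```python
"""Correlate helpdesk password resets with later admin-privilege grants.

Added example, not code from the article or from Okta. Records use a
simplified Okta System Log-like shape; the eventType strings follow Okta's
naming, but the field layout is assumed and every record is constructed.
"""
from datetime import datetime, timedelta, timezone

RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}
GRANT_EVENTS = {"user.account.privilege.grant"}

SAMPLE_EVENTS = [
    # Vishing call: helpdesk resets an IT admin's password for the "locked-out" caller.
    {"published": "2025-04-21T14:02:10Z", "eventType": "user.account.reset_password",
     "actor": "helpdesk.agent@example-corp.com", "target": "j.smith@example-corp.com"},
    # The reset account is then used to grant admin rights to a new backdoor account.
    {"published": "2025-04-21T16:45:33Z", "eventType": "user.account.privilege.grant",
     "actor": "j.smith@example-corp.com", "target": "svc-backup@example-corp.com"},
    # Routine grant with no preceding reset on either side: should not alert.
    {"published": "2025-04-21T17:00:00Z", "eventType": "user.account.privilege.grant",
     "actor": "it.admin@example-corp.com", "target": "new.admin@example-corp.com"},
    # Reset followed by a grant 25.5 hours later: outside a 24h window, no alert.
    {"published": "2025-04-19T08:00:00Z", "eventType": "user.account.reset_password",
     "actor": "helpdesk.agent@example-corp.com", "target": "a.jones@example-corp.com"},
    {"published": "2025-04-20T09:30:00Z", "eventType": "user.account.privilege.grant",
     "actor": "it.admin@example-corp.com", "target": "a.jones@example-corp.com"},
]


def parse_ts(s: str) -> datetime:
    """Okta publishes UTC ISO-8601 timestamps with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate_reset_then_grant(events, window_hours: float = 24) -> list:
    """Alert on each privilege grant where the actor performing it OR the target
    receiving it had a credential/MFA reset within `window_hours` beforehand.
    Events are processed in time order so a reset logged out of sequence is
    still matched against the grants that follow it."""
    window = timedelta(hours=window_hours)
    last_reset = {}  # user -> (time of reset, who performed it)
    alerts = []
    for e in sorted(events, key=lambda ev: parse_ts(ev["published"])):
        ts = parse_ts(e["published"])
        if e["eventType"] in RESET_EVENTS:
            last_reset[e["target"]] = (ts, e["actor"])
        elif e["eventType"] in GRANT_EVENTS:
            for role, user in (("actor", e["actor"]), ("target", e["target"])):
                hit = last_reset.get(user)
                if hit and ts - hit[0] <= window:
                    reset_ts, reset_by = hit
                    alerts.append({
                        "grant_time": e["published"],
                        "grant_actor": e["actor"],
                        "grant_target": e["target"],
                        "reset_subject": user,
                        "reset_subject_role": role,
                        "reset_by": reset_by,
                        "hours_since_reset": round((ts - reset_ts).total_seconds() / 3600, 2),
                    })
    return alerts


if __name__ == "__main__":
    for a in correlate_reset_then_grant(SAMPLE_EVENTS):
        print(f"ALERT {a['grant_time']}: {a['grant_actor']} granted privileges to "
              f"{a['grant_target']}; {a['reset_subject']} ({a['reset_subject_role']}) "
              f"was reset by {a['reset_by']} {a['hours_since_reset']}h earlier")
```

On the constructed stream this yields exactly one alert: j.smith, reset by the helpdesk 2.72 hours earlier, granting privileges to svc-backup. Widening the window to 30 hours also surfaces the a.jones grant, which is the trade-off to tune against your own helpdesk volume. The same structure extends to the "AWS IAM user created from non-corporate ASN" rule by keying on CloudTrail CreateUser events instead of the Okta grant.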

Prevention & Mitigation: Building Resilience Against Social Engineering

  • Eliminate SMS-based MFA: Migrate to FIDO2 hardware keys (YubiKey) or passkeys. SMS OTP is fundamentally broken against SIM swap attacks.
  • Helpdesk Identity Verification: Implement callback verification procedures with a registered number — not the number the caller provides. Use video verification for high-privilege requests.
  • Conditional Access Policies: Enforce device compliance, geolocation restrictions, and risk-based authentication in Okta, Azure AD, or your IdP of choice.
  • Privileged Account Monitoring: Any privileged account created or modified outside a documented change window should trigger immediate investigation.
  • Email Authentication Controls: Deploy SPF, DKIM, and DMARC (with an enforcing p=quarantine or p=reject policy) across all sending and parked domains. Verify your configuration using the Email Security Diagnostics tool to identify gaps that could allow spoofed helpdesk or HR impersonation emails to reach employees.
  • Certificate and Domain Monitoring: Watch Certificate Transparency logs for certificates issued to lookalike domains, which often appear days before the lure is sent. Use the SSL Certificate Checker to inspect certificates on suspicious domains that may be impersonating your login portals.
  • Carrier PIN Locks: Work with your mobile carrier partners to enforce account PINs and flag SIM change requests involving corporate-assigned numbers.
  • Tabletop Exercises: Simulate vishing attacks against your helpdesk. Most organizations discover their procedures are inadequate only when tested.

Practical Use Cases: Where This Matters

This threat model is directly relevant to any organization that relies on cloud-based identity providers, uses SMS MFA, or operates a corporate helpdesk that handles password resets. Financial services, retail, and technology companies are prime targets given the combination of large employee headcounts (increasing vishing success rates) and valuable data or financial systems. MSPs and MSSPs are also high-value targets because compromising one yields access to dozens of downstream clients.

For SOC teams, this case highlights the need to treat identity telemetry — Okta logs, Azure AD sign-in logs, and MFA event streams — as primary threat detection data sources, not secondary noise. The perimeter is the identity layer now, and it demands the same rigor as network traffic analysis.

Key Takeaways

  • Scattered Spider's attacks succeed primarily through social engineering, not technical exploits — making human and process controls as important as technical ones.
  • SIM swapping remains a critical attack vector; SMS-based MFA offers false security against motivated attackers.
  • Compromising an identity provider (Okta, Azure AD) gives attackers keys to the entire kingdom — monitor IdP admin activity obsessively.
  • MFA fatigue attacks are a real and documented bypass technique; push-based authentication should require number matching at minimum.
  • DNS and IP intelligence are frontline tools during triage — suspicious login sources and lookalike domains are detectable before damage occurs.
  • Tyler Buchanan's guilty plea is a rare criminal accountability outcome; most Scattered Spider activity goes unprosecuted, making defensive investment essential.

FAQ

Who is Tyler Buchanan and what did he admit to?

Tyler Buchanan is a 24-year-old British national from Dundee, Scotland, believed to be a member of the Scattered Spider cybercriminal group. He pleaded guilty to hacking into US companies and attempting to steal at least £5.9 million in cryptocurrency. He faces up to 22 years in federal prison.

What is SIM swapping and how does it enable these attacks?

SIM swapping is when an attacker convinces a mobile carrier to transfer a victim's phone number to a SIM card the attacker controls. This intercepts any SMS-based one-time passwords sent to that number, effectively bypassing SMS multi-factor authentication and enabling account takeover even when the attacker only has a password.

How can organizations detect MFA fatigue attacks in their SIEM?

Look for patterns of repeated MFA push denials followed by a single approval, especially outside business hours or from anomalous geolocations. Most modern SIEMs can correlate Okta or Azure AD authentication logs to flag this pattern. Setting thresholds — e.g., more than five push denials in 10 minutes — as a high-priority alert is a practical starting point.
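The MFA fatigue detection described here and in the Identity and Authentication Anomalies list above, as an added example that is not code from the article or from Okta. It keeps a per-user sliding window of push denials and alerts when an approval lands after more than the threshold number of denials inside that window. The records use a simplified Okta System Log-like shape; the eventType names follow Okta Verify's push events, but the field layout is assumed and all three user sequences are constructed, including a slow-spread burst that must not alert.

```python
"""Detect MFA push fatigue: a burst of push denials followed by an approval.

Added example, not from the article. Event shape is a simplified Okta System
Log-like record; the eventType names follow Okta Verify's push events, the
field layout is assumed, and all records below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

DENY_EVENT = "user.mfa.okta_verify.deny_push"
APPROVE_EVENT = "user.authentication.auth_via_mfa"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def push_events(user, start, denials, deny_gap_s, approve_after_s, ip):
    """Build a constructed sequence: `denials` push denials spaced `deny_gap_s`
    apart, then one approval `approve_after_s` after the first denial."""
    t0 = parse_ts(start)
    evs = [{"published": (t0 + timedelta(seconds=i * deny_gap_s)).strftime(TS_FMT),
            "eventType": DENY_EVENT, "user": user, "client_ip": ip}
           for i in range(denials)]
    evs.append({"published": (t0 + timedelta(seconds=approve_after_s)).strftime(TS_FMT),
                "eventType": APPROVE_EVENT, "user": user, "client_ip": ip})
    return evs


SAMPLE_EVENTS = (
    # 02:10 UTC, six denials 40s apart, approval at +5 min: the fatigue pattern
    push_events("j.smith@example-corp.com", "2025-04-22T02:10:00Z", 6, 40, 300, "203.0.113.45")
    # two denials then approval mid-morning: user fumbled the prompt, not an attack
    + push_events("b.lee@example-corp.com", "2025-04-22T10:15:00Z", 2, 30, 90, "10.0.7.21")
    # six denials spread over 30 min, approval at +31 min: only two fall inside 10 min
    + push_events("c.wu@example-corp.com", "2025-04-22T12:00:00Z", 6, 360, 1860, "10.0.7.30")
)


def detect_mfa_fatigue(events, window_minutes: int = 10, threshold: int = 5) -> list:
    """Alert when a user approves a push after MORE THAN `threshold` denials
    within the trailing `window_minutes`. Denials older than the window are
    evicted from the per-user deque before each decision, so a slow trickle
    of accidental denials does not accumulate into a false positive."""
    window = timedelta(minutes=window_minutes)
    denials = defaultdict(deque)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["published"]):
        ts = parse_ts(e["published"])
        q = denials[e["user"]]
        while q and ts - q[0] > window:
            q.popleft()
        if e["eventType"] == DENY_EVENT:
            q.append(ts)
        elif e["eventType"] == APPROVE_EVENT and len(q) > threshold:
            alerts.append({
                "user": e["user"],
                "approved_at": e["published"],
                "client_ip": e["client_ip"],
                "denials_in_window": len(q),
                "first_denial": q[0].strftime(TS_FMT),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(f"ALERT {a['user']}: approved at {a['approved_at']} from {a['client_ip']} "
              f"after {a['denials_in_window']} denials since {a['first_denial']}")
```

Only j.smith trips the rule: six denials in five minutes, then an approval at 02:15 UTC from an address outside the corporate range, which is exactly the "outside normal hours, anomalous source" combination the detection list calls out. Lowering the threshold to one makes all three sequences alert, which shows why the threshold matters: users do mis-tap prompts, and number matching on the push removes the attack class more reliably than any threshold.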

Why did Scattered Spider target cryptocurrency specifically?

Cryptocurrency is attractive to cybercriminals because transfers are irreversible, pseudonymous, and can cross borders instantly without banking intermediaries. Once cryptocurrency is moved to attacker-controlled wallets and mixed through privacy services, recovery becomes extremely difficult, making it a preferred financial target over traditional bank fraud.

Are UK organizations at higher risk from Scattered Spider?

Recent incidents suggest UK retail and financial organizations have been actively targeted. The M&S and Co-op incidents demonstrate the group's willingness to operate internationally. Any large organization with a public-facing helpdesk, cloud-based identity infrastructure, and employees with cryptocurrency holdings should consider themselves within scope of this threat actor's targeting criteria.

Source: Daily Mail Online — British hacker 'behind M&S and Co-op cyber attacks' faces 22 years in jail