Scattered Spider's $27M Hacker Got Caught Reusing His Username | 2 Minute Drill With Drex DeFord
Why It Matters
It shows that even basic operational security lapses, such as reusing usernames, can expose massive fraud schemes, prompting firms to tighten identity hygiene and phishing defenses.
Key Takeaways
- Tyler Buchanan reused his username across criminal infrastructure, leading to capture.
- He used SMS phishing with real‑time 2FA interception on Fortune‑500 firms.
- Spanish police seized $27 million after arresting him in Madrid, June 2024.
- Reused credentials exposed healthcare workers to urgent‑action phishing attacks.
- Convicted hacker faces up to 22 years; sentencing set for August.
Summary
The two‑minute drill highlighted the arrest of Tyler Buchanan, a senior member of the Scattered Spider cyber‑crime group, who was caught after Spanish authorities seized $27 million in cash in June 2024. Investigators traced him back to Dundee, Scotland, where he grew up, and linked his online activities to a single reused username.
Buchanan’s operation relied on simple SMS phishing: messages masquerading as IT alerts directed employees at companies such as Target, Twilio, LastPass, Mailchimp and DoorDash to a counterfeit login page. He captured usernames, passwords and one‑time 2FA codes, using a real‑time tool to redeem the tokens before they expired, stealing at least $8 million from the victims.
The investigation hinged on domain registrations that repeatedly used the same handle and email address across the criminal infrastructure. This pattern led investigators to a UK IP address and ultimately to Buchanan’s arrest. He pleaded guilty and faces up to 22 years in prison, with sentencing slated for August.
The case underscores the danger of credential reuse and the growing sophistication of phishing attacks, especially in high‑urgency environments like healthcare. Organizations must reinforce multi‑factor authentication, employee training, and monitoring for anomalous login behavior to mitigate similar threats.
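The registration pivot described above can be sketched as an added example (not code from the video or the investigation): it clusters domain registration records that share a handle or email, directly or transitively, so one known phishing domain leads to its siblings for blocking and review. The record layout, field names, sample values and redaction strings are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real WHOIS data); all names are placeholders.
RECORDS = [
    {"domain": "sso-helpdesk.example", "handle": "handle_a", "email": "a@mail.example"},
    {"domain": "vpn-reset-portal.example", "handle": "handle_a", "email": "b@mail.example"},
    {"domain": "it-alerts-login.example", "handle": "handle_b", "email": "B@mail.example"},
    {"domain": "flower-shop.example", "handle": "REDACTED FOR PRIVACY", "email": ""},
    {"domain": "bakery.example", "handle": "redacted for privacy", "email": None},
]

# Assumed privacy-proxy strings; shared by unrelated registrants, so never pivot on them.
REDACTED = {"redacted for privacy", "n/a"}


def cluster_by_registrant(records, keys=("handle", "email")):
    """Group domains that share any registrant attribute, directly or transitively."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    for rec in records:
        domain = ("domain", rec["domain"].lower())
        find(domain)  # register the domain even if it has no usable attributes
        for key in keys:
            value = (rec.get(key) or "").strip().lower()
            if value and value not in REDACTED:
                parent[find(domain)] = find((key, value))  # union

    clusters = defaultdict(set)
    for node in list(parent):
        if node[0] == "domain":
            clusters[find(node)].add(node[1])
    # Largest clusters first: those are the infrastructure sets worth reviewing.
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))


if __name__ == "__main__":
    for group in cluster_by_registrant(RECORDS):
        print(len(group), group)
```

The third sample domain shares no handle with the first, yet lands in the same cluster through the email it shares with the second; the two privacy-redacted records stay separate instead of collapsing into one false cluster.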