From SMS Phishing to SIM Swapping: How 'Scattered Spider' Executed a Multi-Million Dollar Crypto Heist – and How to Stop It
Introduction
In 2022, a cybercrime group known as Scattered Spider pulled off a series of devastating attacks that stole tens of millions of dollars in cryptocurrency. Their method? A two-step assault: first, SMS phishing messages tricked employees at major tech companies into granting access; second, the stolen credentials fueled SIM-swapping attacks that drained investors' crypto wallets. One of the group's senior members, 24-year-old Tyler Buchanan (alias "Tylerb"), recently pleaded guilty to wire fraud conspiracy and aggravated identity theft. This guide breaks down exactly how the attack unfolded – step by step – and offers practical tips to defend against similar threats.

What You Need (If You're Researching This Attack or Defending Against It)
To understand or replicate the method (for educational or defensive purposes), you would need:
- Phishing domain infrastructure – A domain name and hosting to create convincing login pages.
- SMS sending tools – Services that can send bulk text messages from spoofed numbers.
- Target list – Phone numbers or email addresses of employees at specific tech companies.
- SIM swap capability – Insider help or social engineering skills to convince a mobile carrier to transfer a victim's number.
- Cryptocurrency wallet management – Tools to sweep stolen coins quickly.
- Anonymity tools – VPNs, proxies, and compromised accounts to stay hidden.
Step 1: Build a Phishing Campaign
The first move was to register lookalike domains. Buchanan used the same username and email address to register numerous domains that mimicked the services of companies like Twilio, LastPass, DoorDash, and Mailchimp. These domains were then used to host fake login pages that would capture employees' credentials and one-time passwords (OTPs). The group prepared thousands of SMS messages that appeared to come from the target's own IT department or a trusted vendor, warning of a security update or urging immediate action.
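Lookalike domains of the kind described above are usually caught on the defensive side by watching newly observed domains (certificate transparency logs, registrar feeds) for names that imitate a protected brand. The following is an added example of such a triage check, not code from the original article or from any of the companies named. It uses the four brands the article mentions as the protected list and their primary domains as the allowlist; the `.test` domains in the sample feed are constructed (that TLD is reserved and resolves nowhere), and the single-label public-suffix handling is a stated simplification.

```python
import re
import unicodedata

# Brands the article names as impersonated; a defender would load their own list.
PROTECTED_BRANDS = ["twilio", "lastpass", "doordash", "mailchimp"]
# Domains those brands legitimately operate (their well-known primary domains).
LEGITIMATE_DOMAINS = {"twilio.com", "lastpass.com", "doordash.com", "mailchimp.com"}

# Single characters commonly substituted for visually similar letters.
DIGIT_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})
# Two-character sequences that imitate one letter in many fonts.
PAIR_FOLD = (("rn", "m"), ("vv", "w"))


def registrable_label(domain: str) -> str:
    """Return the label just left of the TLD, e.g. 'twilio-sso' for 'twilio-sso.test'.

    Assumption: single-label public suffixes only. A production monitor would
    consult the Public Suffix List so that 'example.co.uk' resolves to 'example'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def fold_confusables(label: str) -> str:
    """Map accented letters, digit look-alikes and letter pairs back to plain ASCII."""
    ascii_label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    folded = ascii_label.translate(DIGIT_FOLD)
    for pair, letter in PAIR_FOLD:
        folded = folded.replace(pair, letter)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete or substitute, each costing 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain, brands=PROTECTED_BRANDS, allowlist=LEGITIMATE_DOMAINS):
    """Return why `domain` looks like a brand impersonation, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in allowlist:
        return None
    label = registrable_label(domain)
    folded = fold_confusables(label)
    for brand in brands:
        if folded == brand:
            if label == brand:
                return f"exact {brand} label outside allowlist"
            return f"confusable-character variant of {brand}"
        tokens = [t for t in re.split(r"[-_]", folded) if t]
        if brand in tokens and len(tokens) > 1:
            extra = [t for t in tokens if t != brand]
            return f"{brand} combined with extra token(s) {extra}"
        if brand in folded:
            return f"{brand} embedded in label {label!r}"
        if edit_distance(folded, brand) == 1:
            return f"one edit away from {brand}"
    return None


def triage(domains, brands=PROTECTED_BRANDS, allowlist=LEGITIMATE_DOMAINS) -> dict:
    """Map each suspicious domain to its reason; clean domains are omitted."""
    results = {}
    for d in domains:
        reason = lookalike_reason(d, brands, allowlist)
        if reason is not None:
            results[d] = reason
    return results


# Constructed sample feed of newly observed domains (none of the .test names exist).
SAMPLE_NEW_DOMAINS = [
    "twilio.com",        # allowlisted, legitimate
    "twilio-sso.test",   # brand plus a lure word
    "lastpas.test",      # dropped letter
    "last-pass.test",    # inserted hyphen
    "d00rdash.test",     # zeros in place of o's
    "mailchirnp.test",   # 'rn' imitating 'm'
    "twilio.test",       # exact brand name under another TLD
    "weather.test",      # unrelated
]

if __name__ == "__main__":
    for domain, reason in triage(SAMPLE_NEW_DOMAINS).items():
        print(f"{domain:20} {reason}")
```

Hits from a feed like this are a starting point for takedown requests and for blocking the domain at the mail and web gateway before a lure reaches employees; the folding step matters because the edit-distance check alone misses substitutions such as digits for letters.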
Step 2: Launch SMS Phishing Attacks
With the infrastructure ready, the Scattered Spider members sent tens of thousands of text messages. These SMS messages typically contained a link to the fake login page. Employees who clicked and entered their credentials unwittingly handed over access. The group specifically targeted tech companies known to store large volumes of user data or cryptocurrency-related assets. The summer 2022 campaign hit Twilio (a cloud communications platform), LastPass (a password manager), DoorDash (food delivery), and Mailchimp (email marketing). Once inside, they stole authentication tokens, customer lists, and internal credentials.
Step 3: Use Stolen Data for SIM Swapping
With the data from the tech company breaches, the group identified individual cryptocurrency investors. They then performed SIM-swapping attacks: contacting mobile carriers and tricking them into transferring the victim's phone number to a new SIM card controlled by the attackers. This allowed them to intercept SMS-based two-factor authentication codes and password reset links. They drained cryptocurrency wallets – Buchanan alone admitted to stealing at least $8 million in virtual currency from U.S. victims.

Step 4: Cover Your Tracks
To avoid detection, Buchanan registered phishing domains using a pseudonymous account. However, the FBI found that less than a month before the attacks, the account was logged in from a U.K. IP address tied to Buchanan's home internet connection. After the attacks, Buchanan fled the United Kingdom in February 2023 when a rival gang attacked his home, assaulted his mother, and threatened him with a blowtorch. He was eventually arrested in Spain and extradited to the U.S.
Step 5: Face Consequences
Buchanan's guilty plea to wire fraud conspiracy and aggravated identity theft means he now faces up to 20 years in prison. This case underscores that cybercriminals are not untouchable – the digital trail (email accounts, IP addresses, domain registrations) can lead law enforcement directly to them.
Tips to Protect Yourself from SMS Phishing and SIM Swapping
- Never click links in unsolicited SMS messages. Even if the message appears to be from a known company, open a browser and navigate to the official website directly.
- Use hardware security keys (like YubiKeys) for multi-factor authentication instead of SMS codes. Hardware keys are immune to SIM swapping.
- Enable a SIM PIN or port-out lock with your mobile carrier. This prevents anyone from transferring your number without your explicit permission.
- Monitor your accounts regularly. Set up alerts for any changes to your phone number or email address.
- Educate employees in your organization about social engineering tactics. Scattered Spider often impersonated employees or contractors to trick help desks.
- Use a password manager – it only autofills credentials on the exact domain they were saved for, so it will not offer them to a lookalike login page.
- Report suspicious messages to your IT team or the company being impersonated.
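Step 3 describes the takeover sequence from the victim's side (SMS code intercepted, password reset, wallet drained), and the monitoring tip above asks for alerts on phone or email changes. The following is an added detection example written for the service operator's side, not code from the original article: it correlates a service's own account-activity events and raises an alert when an SMS-authenticated login or password reset from an IP never before seen for that user is followed within an hour by a recovery-channel change or a withdrawal. The event names, field names and the JSON Lines sample are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event types that, when completed with an SMS one-time code, can be satisfied by
# whoever currently controls the victim's phone number.
SMS_AUTH_EVENTS = {"login", "password_reset"}
# Actions an account thief typically takes right after getting in.
FOLLOW_ON_EVENTS = {"email_changed", "phone_changed", "withdrawal"}

# Constructed sample of account-activity events in JSON Lines form (not real logs).
SAMPLE_EVENTS = """\
{"ts": "2022-08-04T08:00:00Z", "user": "carol", "event": "login", "mfa": "totp", "ip": "192.0.2.9"}
{"ts": "2022-08-04T09:00:00Z", "user": "alice", "event": "login", "mfa": "totp", "ip": "203.0.113.10"}
{"ts": "2022-08-04T09:09:00Z", "user": "alice", "event": "password_reset", "mfa": "sms", "ip": "198.51.100.7"}
{"ts": "2022-08-04T09:11:00Z", "user": "alice", "event": "email_changed", "ip": "198.51.100.7"}
{"ts": "2022-08-04T09:12:00Z", "user": "alice", "event": "withdrawal", "amount": 250000, "ip": "198.51.100.7"}
{"ts": "2022-08-04T10:00:00Z", "user": "bob", "event": "login", "mfa": "sms", "ip": "203.0.113.44"}
{"ts": "2022-08-04T12:00:00Z", "user": "carol", "event": "password_reset", "mfa": "sms", "ip": "192.0.2.9"}
{"ts": "2022-08-04T12:30:00Z", "user": "carol", "event": "withdrawal", "amount": 50, "ip": "192.0.2.9"}
{"ts": "2022-08-06T11:00:00Z", "user": "bob", "event": "login", "mfa": "totp", "ip": "203.0.113.44"}
"""


def parse_events(jsonl: str) -> list:
    """Parse JSON Lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def detect_sim_swap_takeover(events, window=timedelta(minutes=60)) -> list:
    """Flag users where an SMS-authenticated step from a never-before-seen IP is
    followed, within `window`, by a recovery-channel change or a withdrawal.

    The 'never-before-seen IP' baseline is built only from the events supplied,
    so in practice the input should include each user's recent history.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: e["ts"])
        seen_ips = set()
        for i, event in enumerate(user_events):
            sms_step = event["event"] in SMS_AUTH_EVENTS and event.get("mfa") == "sms"
            if sms_step and event["ip"] not in seen_ips:
                follow_on = [
                    later["event"]
                    for later in user_events[i + 1:]
                    if later["ts"] - event["ts"] <= window and later["event"] in FOLLOW_ON_EVENTS
                ]
                if follow_on:
                    alerts.append({
                        "user": user,
                        "anchor": event["event"],
                        "anchor_ts": event["ts"].isoformat(),
                        "ip": event["ip"],
                        "follow_on": follow_on,
                    })
            # Only IPs seen before the current event count as known.
            seen_ips.add(event["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect_sim_swap_takeover(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

In the sample, only alice trips the rule: her SMS-based reset comes from an address her account has never used and is followed minutes later by an email change and a large withdrawal. bob's SMS login from a new IP has no follow-on action, and carol's SMS reset comes from her usual address, so neither alerts. A service that acts on such an alert would typically hold the withdrawal and require a non-SMS factor before releasing it, which is the operator-side counterpart of the hardware-key advice above.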
Conclusion
The Scattered Spider case is a powerful reminder of how a well-planned SMS phishing attack can cascade into devastating SIM-swapping thefts. By learning how these cybercriminals operated – from domain registration to number porting – you can implement stronger defenses. Whether you're an individual investor or a business owner, taking the steps above will significantly reduce your risk. Buchanan's guilty plea shows that justice can catch up, but prevention is always better than recovery.