From Phishing to Prison: A Technical Dissection of the Scattered Spider SIM-Swap and Wire Fraud Operations


Overview

In the summer of 2022, a highly coordinated cybercrime campaign led by the English-speaking group known as Scattered Spider targeted major technology companies and individual cryptocurrency investors. At the center of this operation was Tyler Robert Buchanan, a 24-year-old British national operating under the handle "Tylerb." He pleaded guilty to wire fraud conspiracy and aggravated identity theft, facing more than 20 years in prison. This tutorial dissects the technical steps and criminal tactics used in the operation, from SMS phishing to SIM swapping and cryptocurrency theft, while highlighting the vulnerabilities exploited and the mistakes that led to the attacker's capture.

Source: krebsonsecurity.com

Prerequisites

To fully understand this guide, you should have:

Step-by-Step Instructions: How the Operation Unfolded

1. Reconnaissance and Target Selection

Scattered Spider focused on technology companies and high-value cryptocurrency investors. The group identified employees and contractors of companies like Twilio, LastPass, DoorDash, and Mailchimp as initial targets. They also scoured social media and public databases for information about potential investors who held large crypto balances.

2. Crafting SMS Phishing Messages

In mid-2022, Buchanan and his accomplices launched tens of thousands of SMS-based phishing attacks. These messages impersonated company IT help desks or security teams, urging recipients to click on a link to verify their account credentials due to a "security incident." A typical message might read:

"[Company] Security Alert: Unauthorized login attempt detected. Verify your account now to prevent suspension: [malicious link]"

The links pointed to fake login pages that harvested usernames, passwords, and one-time passcodes (OTPs).

3. Infrastructure Setup: Registering Phishing Domains

To host the phishing pages, Buchanan registered numerous domains using the same username and email address at NameCheap. The account was logged into from a UK-based IP address that law enforcement later traced to him. This was a critical operational security mistake. In a more secure setup, attackers would use separate accounts, anonymized payment methods, and VPNs to avoid linking domains.
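The lure messages in step 2 and the domain-registration pattern in step 3 are two views of the same defender's signal: a link whose hostname borrows the brand but is not a domain the company owns. The following is an added example, not code from the article or from any of the companies it names. Given the text of a reported SMS, it extracts the URLs and scores each hostname against a hypothetical allowlist (examplecorp.com) and brand token, flagging a brand name embedded in an untrusted domain, a typosquat within a small edit distance of the brand, and lure vocabulary such as sso, vpn or verify in the hostname. The allowlist, brand token, lure word list, sample messages and threshold are all constructed assumptions.

```python
"""Score SMS links for brand impersonation (lookalike / typosquat domains).

Added example, not from the original article. The allowlist, brand token, lure
vocabulary and sample messages are constructed.
"""
import re
from urllib.parse import urlparse

# Hypothetical allowlist of registered domains the defended organisation owns.
TRUSTED_DOMAINS = {"examplecorp.com"}
# Brand strings an impersonator would embed (matched with dots/hyphens removed).
BRAND_TOKENS = {"examplecorp"}
# Words that commonly appear in credential-harvesting hostnames (constructed list).
LURE_WORDS = {"sso", "okta", "vpn", "login", "verify", "help", "helpdesk",
              "security", "alert", "account", "auth", "mfa"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. This is a naive eTLD+1; a production
    version should use the public suffix list so that e.g. 'co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as 'examp1ecorp'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_host(host: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one hostname; trusted hosts score 0."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return 0, []
    score, reasons = 0, []
    labels = re.split(r"[.-]", host)
    flat = "".join(labels)
    reg_label = reg.split(".")[0]
    for tok in BRAND_TOKENS:
        if tok in flat:
            # Brand name inside a domain we do not own: strongest single signal.
            score += 3
            reasons.append(f"brand token '{tok}' in untrusted host")
        elif 0 < levenshtein(reg_label, tok) <= 2:
            # Registered label is a near-miss of the brand (typosquat).
            score += 3
            reasons.append(f"'{reg_label}' is within edit distance 2 of '{tok}'")
    lures = sorted(w for w in LURE_WORDS if w in labels)
    if lures:
        score += len(lures)
        reasons.append("lure words in hostname: " + ", ".join(lures))
    return score, reasons


def analyse_sms(text: str, threshold: int = 3) -> dict:
    """Extract links from an SMS body and flag it if any link scores >= threshold."""
    links = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        score, reasons = score_host(host)
        links.append({"url": url, "host": host, "score": score, "reasons": reasons})
    worst = max((link["score"] for link in links), default=0)
    return {"suspicious": worst >= threshold, "links": links}


# Constructed sample messages (not real phishing text).
SAMPLE_SMS = [
    "ExampleCorp Security Alert: Unauthorized login attempt detected. "
    "Verify your account now: https://examplecorp-sso.com/verify",
    "Your ExampleCorp VPN session expired, re-authenticate at "
    "https://vpn.examp1ecorp.net/login",
    "Reminder: all-hands at 3pm, slides at https://intranet.examplecorp.com/allhands",
]

if __name__ == "__main__":
    for msg in SAMPLE_SMS:
        print(analyse_sms(msg))
```

The first two samples score 4 (brand token or typosquat plus one lure word) and are flagged; the third resolves to the trusted registered domain and scores 0. Because `score_host` only needs a hostname, the same function can be run over a feed of newly registered domains or certificate-transparency entries, which is one concrete way to implement the "monitor for unusual domain registrations" recommendation in the summary.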

4. Gaining Initial Access

Once employees of the targeted companies submitted their credentials and OTPs, the group used them to log into corporate VPNs, email systems, and internal tools. For instance, they compromised Twilio's internal portals, which allowed them to reset passwords and access customer data, including authentication tokens for crypto exchanges.

5. Data Theft and Profit

Stolen data included corporate secrets, customer lists, and most critically, the phone numbers and carrier details of cryptocurrency investors. This data was then used to execute SIM-swapping attacks.

6. Executing SIM Swaps

The attackers contacted mobile carriers, impersonating the victims or providing stolen identity information to request a SIM transfer to a device under their control. Once the SIM was activated, they intercepted all SMS messages sent to the victim's number. This gave them access to one-time passcodes for password reset links and two-factor authentication codes for cryptocurrency wallets and exchange accounts.


For example, a victim might receive a password reset email from a crypto exchange. The attacker would trigger the reset, and the SMS code would be received on their controlled device. They could then log in and initiate transfers to their own wallets.
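The control on the exchange side that blunts this flow is to stop trusting SMS codes for a period after the number's SIM has changed. The following is an added example, not code from the article and not any exchange's or carrier's real logic: a policy function that, before offering an SMS one-time code for a password reset or withdrawal, consults a SIM-change lookup, refuses the SMS channel when the SIM changed within a seven-day cooldown, freezes withdrawals for review inside that window, fails closed for withdrawals when no signal is available at all, and never offers SMS when the account already has an app or FIDO2 factor enrolled. The lookup table, phone numbers, account names, fixed clock and the seven-day window are constructed assumptions; a real deployment would obtain SIM-change timestamps from a carrier signals API.

```python
"""Decide whether an SMS one-time code may be trusted, given recent SIM changes.

Added example, not from the original article. The SIM-change lookup, accounts and
cooldown below are constructed assumptions standing in for a carrier signals API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a carrier "last SIM change" lookup, keyed by E.164 number.
# None means the carrier returned no data for the number.
SIM_CHANGE_LOOKUP = {
    "+15550000001": datetime(2022, 7, 10, 14, 0, tzinfo=timezone.utc),  # swapped hours ago
    "+15550000002": datetime(2021, 3, 2, 9, 30, tzinfo=timezone.utc),   # stable for over a year
    "+15550000003": None,                                               # no signal available
}

# Assumed policy: SMS codes are not trusted for this long after a SIM change.
SIM_CHANGE_COOLDOWN = timedelta(days=7)

# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime(2022, 7, 10, 20, 0, tzinfo=timezone.utc)


@dataclass
class Account:
    user_id: str
    phone: str
    has_app_or_fido_mfa: bool = False  # a phishing-resistant factor is enrolled


@dataclass
class Decision:
    # allow_sms_otp | deny_sms_otp | hold_and_review | use_stronger_factor
    action: str
    reasons: list[str] = field(default_factory=list)


def assess_sms_otp(account: Account, operation: str, now: datetime = NOW) -> Decision:
    """Policy for one request; `operation` is 'password_reset' or 'withdrawal'."""
    if operation not in ("password_reset", "withdrawal"):
        raise ValueError(f"unknown operation {operation!r}")

    # Never fall back to SMS when the user already holds a stronger factor.
    if account.has_app_or_fido_mfa:
        return Decision("use_stronger_factor",
                        ["app/FIDO2 factor enrolled; SMS code not offered"])

    changed_at = SIM_CHANGE_LOOKUP.get(account.phone)  # None if unknown number or no data
    if changed_at is None:
        # No SIM-change signal: fail closed for money movement, allow but record for resets.
        if operation == "withdrawal":
            return Decision("deny_sms_otp",
                            ["no SIM-change signal; SMS not accepted for withdrawals"])
        return Decision("allow_sms_otp", ["no SIM-change signal available"])

    age = now - changed_at
    if age < SIM_CHANGE_COOLDOWN:
        why = f"SIM changed {age} ago (< {SIM_CHANGE_COOLDOWN} cooldown)"
        if operation == "withdrawal":
            # The goal of a SIM swap is the transfer; freeze it pending review.
            return Decision("hold_and_review", [why, "outbound transfer frozen"])
        return Decision("deny_sms_otp", [why, "route reset to out-of-band verification"])

    return Decision("allow_sms_otp", [f"SIM stable for {age.days} days"])


# Constructed request stream: (account, operation).
SAMPLE_REQUESTS = [
    (Account("alice", "+15550000001"), "password_reset"),
    (Account("alice", "+15550000001"), "withdrawal"),
    (Account("bob", "+15550000002"), "withdrawal"),
    (Account("carol", "+15550000003"), "withdrawal"),
    (Account("carol", "+15550000003"), "password_reset"),
    (Account("dave", "+15550000001", has_app_or_fido_mfa=True), "password_reset"),
]


def triage(requests=SAMPLE_REQUESTS, now: datetime = NOW) -> dict[tuple[str, str], str]:
    """Map (user_id, operation) to the policy action for each request."""
    return {(acct.user_id, op): assess_sms_otp(acct, op, now).action
            for acct, op in requests}


if __name__ == "__main__":
    for acct, op in SAMPLE_REQUESTS:
        d = assess_sms_otp(acct, op)
        print(f"{acct.user_id:6} {op:15} -> {d.action:20} {'; '.join(d.reasons)}")
```

In the sample stream, alice's number was swapped six hours earlier, so her reset is pushed to out-of-band verification and her withdrawal is frozen; bob's number has been stable for over a year and passes; carol's number has no carrier data, so SMS is refused for the withdrawal but still allowed for the reset; dave has a stronger factor and is never offered SMS. The design choice worth noting is that the hold applies to the withdrawal rather than the login, because the login alone does not move funds and a legitimate user who genuinely replaced a phone still needs a recovery path.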

7. Cryptocurrency Exfiltration

Over the course of the campaign, Buchanan admitted to stealing at least $8 million in virtual currency from individual victims across the United States. The funds were quickly laundered through mixers and peer-to-peer exchanges to obscure the trail.

8. Aftermath and Legal Consequences

Buchanan fled the UK in early 2023 after a rival gang attacked his home. He was eventually arrested in Spain and extradited to the U.S. His guilty plea covers wire fraud conspiracy and aggravated identity theft, with a potential sentence exceeding 20 years.

Common Mistakes

Attacker Mistakes

Victim Mistakes

Summary

The Scattered Spider case demonstrates the destructive potential of combining social engineering, SIM swapping, and cryptocurrency theft. Operational mistakes during domain registration gave the FBI the link it needed to dismantle the group, while weak identity verification at mobile carriers is what made the SIM swaps possible. To protect against such attacks, organizations should enforce phishing-resistant MFA (e.g., FIDO2 or app-based tokens), monitor for unusual domain registrations, and train employees to recognize social engineering. For individuals, using email or app-based 2FA instead of SMS, and maintaining strong account security practices, can reduce the risk of SIM swap attacks.
