A Scottish cyber criminal linked to devastating supermarket attacks that left British shelves empty for weeks is facing more than two decades imprisonment after admitting his role in a sophisticated international fraud operation targeting major corporations.
Tyler Buchanan, 24, from Dundee, entered guilty pleas to conspiracy to commit wire fraud and aggravated identity theft following his extradition to face American prosecutors, with sentencing scheduled for 21 August at a US federal court.
The hacker has been held in American custody since April 2025 after his arrest in Spain whilst travelling to Italy, with authorities uncovering evidence at his Scottish residence including victim names, addresses and cryptocurrency account credentials stored on seized devices.
US Department of Justice prosecutors outlined how Buchanan operated within a criminal network deploying text message phishing campaigns to deceive company employees into surrendering login details, granting hackers access to corporate computer systems containing millions in virtual currency.
Between September 2021 and April 2023, the conspiracy targeted telecommunications firms, IT suppliers, cloud communications platforms and cryptocurrency companies through fraudulent messages impersonating legitimate businesses or contracted suppliers, according to plea agreement admissions.
“The conspirators created a phishing kit that captured login credentials entered into the fraudulent phishing websites by a victim company’s employees,” the DOJ stated, noting stolen details were transmitted via an online Telegram channel Buchanan helped administer.
Investigators have connected the Scottish national to Scattered Spider, a notorious hacking collective believed responsible for crippling M&S and Co-op during spring and summer 2025. The attacks forced M&S to suspend all online transactions whilst leaving supermarket shelves depleted for extended periods.
The group, reportedly comprising approximately 1,000 predominantly British and American young men, has achieved notoriety through high-profile breaches of major brands, typically demanding substantial ransoms for system restoration. The National Crime Agency identified Scattered Spider as a primary investigation focus last May.
Buchanan allegedly participated in 2023 attacks on Las Vegas casino operators Caesar’s Entertainment and MGM Resorts International, with prosecutors claiming involvement in a £9 million cryptocurrency fraud scheme directing victims to authentic-appearing websites that harvested personal information.
Co-conspirator Noah Michael Urban received a 10-year sentence in April 2025 after pleading guilty to three fraud-related charges, with courts ordering £5.9 million restitution payment.
Three additional American defendants await trial, whilst Police Scotland provided FBI investigative assistance according to the DOJ.
The maximum 22-year sentence reflects the severity of transnational cybercrime targeting critical commercial infrastructure.
