A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors.

Buchanan’s hacker handle “Tylerb” once graced a leaderboard in the English-language criminal hacking scene that tracked the most accomplished cyber thieves. Now in U.S. custody and awaiting sentencing, the Dundee, Scotland native is facing the possibility of more than 20 years in prison.

Scattered Spider is the name given to a prolific English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access.

As part of his guilty plea, Buchanan admitted conspiring with other Scattered Spider members to launch tens of thousands of SMS-based phishing attacks in 2022 that led to intrusions at a number of technology companies, including Twilio, LastPass, DoorDash, and Mailchimp.

The group then used data stolen in those breaches to carry out SIM-swapping attacks that siphoned funds from individual cryptocurrency investors. In an unauthorized SIM-swap, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls to the victim’s device — such as one-time passcodes for authentication and password reset links sent via SMS. The U.S. Justice Department said Buchanan admitted to stealing at least $8 million in virtual currency from individual victims throughout the United States.

FBI investigators tied Buchanan to the 2022 SMS phishing attacks after discovering the same username and email address was used to register numerous phishing domains seen in the campaign. The domain registrar NameCheap found that less than a month before the phishing spree, the account that registered those domains logged in from an Internet address in the U.K. FBI investigators said the Scottish police told them the address was leased to Buchanan throughout 2022.

As first reported by KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023, after a rival cybercrime gang hired thugs to invade his home, assault his mother, and threaten to burn him with a blowtorch unless he gave up the keys to his cryptocurrency wallet. That same year, U.K. investigators found a device at Buchanan’s Scotland residence that included data stolen from SMS phishing victims and seed phrases from cryptocurrency theft victims.

Buchanan was arrested by Spanish authorities in June 2024 while trying to board a flight to Italy. He was extradited to the United States and has remained in U.S. federal custody since April 2025.

Buchanan is the second known Scattered Spider member to plead guilty. Noah Michael Urban, 21, of Palm Coast, Fla., was sentenced to 10 years in federal prison last year and ordered to pay $13 million in restitution. Three other alleged co-conspirators — Ahmed Hossam Eldin Elbadawy, 24, a.k.a. “AD,” of College Station, Texas; Evans Onyeaka Osiebo, 21, of Dallas, Texas; and Joel Martin Evans, 26, a.k.a. “joeleoli,” of Jacksonville, North Carolina – still face criminal charges.

Two other alleged Scattered Spider members will soon be tried in the United Kingdom. Owen Flowers, 18, and Thalha Jubair, 20, are facing charges related to the hacking and extortion of several large U.K. retailers, the London transit system, and healthcare providers in the United States. Both have pleaded not guilty, and their trial is slated to begin in June.

Investigators say the Scattered Spider suspects are part of a sprawling cybercriminal community online known as “The Com,” wherein hackers from different cliques boast publicly on Telegram and Discord about high-profile cyber thefts that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.

One of the more popular SIM-swapping channels on Telegram has long maintained a leaderboard of the most rapacious SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That leaderboard previously listed Buchanan’s hacker alias Tylerb at #65 (out of 100 hackers), with Urban’s moniker “Sosa” coming in at #24.

Buchanan’s sentencing hearing is scheduled for August 21, 2026. According to the Justice Department, he faces a statutory maximum sentence of 22 years in federal prison. However, any sentence the judge hands down in this case may be significantly tempered by a number of mitigating factors in the U.S. Sentencing Guidelines, including the defendant’s age, criminal history, time already served in U.S. custody, and the degree to which they cooperated with federal authorities.

A little over a week ago, an unreleased version of the movie Avatar: Aang, The Last Airbender leaked online.

The Paramount Pictures production was not scheduled to come out before October, but that changed when copies of the film began spreading online.

The trouble started on April 12 when X user @ImStillDissin posted two clips from the film, misleadingly claiming that someone at Nickelodeon had “accidentally emailed me the entire Avatar Aang movie.” Both clips were taken down via DMCA notices shortly after.

The initial leaker later told the Hollywood Reporter that he actually received the film through a contact from his “hacker days.” He didn’t realize what it was until he looked it up, and decided to post the snippets online.

The clips carried a #PeggleCrew watermark, a nod to the hacking group that is allegedly behind the breach, although this remains unconfirmed.

Not long after the clips were removed, a second X user posted the full film, racking up over a million views before that too was removed. Paramount, meanwhile, remained quiet and did not issue a public statement on the leak.

Behind the scenes, however, the movie studio and its anti-piracy partners have been quite busy. Initially, they mostly dealt with copies of the film being reposted on X by different users, but their challenge was spreading elsewhere too.

DMCA Notice Whac-a-Mole

After the leak was public, the film started to spread through other platforms too. Records in the Lumen Database show that Paramount and its enforcement teams at MarkScan Digital, Marketly LLC, and Vobile Inc. all sprung into action, flagging various leaked copies.

This includes DMCA takedown requests directly targeting leaks on third-party services such as Google Drive and the video service Vimeo, both of which were swiftly taken down.

However, some takedown requests include more indirect links too. For example, a DMCA notice sent on behalf of Paramount by MarkScan on April 13, targets a 4chan discussion thread, which typically only remains online briefly. This notice also listed a file that was posted on Rootz.

While Paramount clearly tried hard to contain the leak, it appeared that the problem only became harder to enforce.

The Piracy Ecosystem Takes Over

Unlike most movie leaks, the Avatar: Aang leak did not originate from a scene or P2P group. However, it found its way into the traditional piracy ecosystem within hours, where it continues to thrive today.

Multiple copies were uploaded to torrent sites and are widely shared, making it the second most pirated movie of the past week. This includes a copy that was uploaded to The Pirate Bay by “TheRedPill,” who referenced the ongoing whac-a-mole at other platforms in the upload description.

“Found this copy on twitter of all places via a wetranfer link. Supposedly this is a webrip that was sent to someone who then leaked it online. it has been passed around all day with links going up and down,” the uploader wrote.

This wasn’t the only copy of the leak that surfaced on torrent sites, as many others appeared around the same time. Meanwhile, pirate streaming sites began indexing the leak as well, further expanding its audience by millions of people.

As shown above, torrent site 1337x currently hosts a wide variety of leaked copies. These all originate from the same source but are reported in different qualities.

Little Recourse Beyond Google

Dozens of notices posted in the Lumen database show that Paramount and its enforcement partners are also targeting these pirate sites. However, since most of these sites don’t respond to takedown notices, these sites present a persistent problem.

For these pirate sites, Paramount typically asks Google to delist the URLs from search results, which reduces discoverability but does not take the infringing content offline.

The notice below, for example, was sent to Google yesterday and targets various torrent and streaming sites. However, that’s just the tip of the iceberg.

Also, it’s worth stressing that the notices in the Lumen Database reported here are only the fraction of Paramount’s takedown efforts that’s public. Most of their efforts, including any notices sent directly to X or other platforms that do not report to Lumen, remain unknown.

In addition to taking down content, Paramount will also be interested in finding the source of the leak. According to Variety, unnamed sources said that the matter is under investigation, but the leak reportedly did not originate from within the studio.

For now, Avatar: Aang, The Last Airbender remains on course for its October 9 premiere on Paramount+. By then, most of its target audience has already had the opportunity to watch an early, perhaps unfinished, version of the film for free.

From: TF, for the latest news on copyright battles, piracy and more.

A little over a week ago, an unreleased version of the movie Avatar: Aang, The Last Airbender leaked online.

The Paramount Pictures production was not scheduled to come out before October, but that changed when copies of the film began spreading online.

The trouble started on April 12 when X user @ImStillDissin posted two clips from the film, misleadingly claiming that someone at Nickelodeon had “accidentally emailed me the entire Avatar Aang movie.” Both clips were taken down via DMCA notices shortly after.

The initial leaker later told the Hollywood Reporter that he actually received the film through a contact from his “hacker days.” He didn’t realize what it was until he looked it up, and decided to post the snippets online.

The clips carried a #PeggleCrew watermark, a nod to the hacking group that is allegedly behind the breach, although this remains unconfirmed.

Not long after the clips were removed, a second X user posted the full film, racking up over a million views before that too was removed. Paramount, meanwhile, remained quiet and did not issue a public statement on the leak.

Behind the scenes, however, the movie studio and its anti-piracy partners have been quite busy. Initially, they mostly dealt with copies of the film being reposted on X by different users, but their challenge was spreading elsewhere too.

DMCA Notice Whack-a-Mole

After the leak was public, the film started to spread through other platforms too. Records in the Lumen Database show that Paramount and its enforcement teams at MarkScan Digital, Marketly LLC, and Vobile Inc. all sprung into action, flagging various leaked copies.

This includes DMCA takedown requests directly targeting leaks on third-party services such as Google Drive and the video service Vimeo, both of which were swiftly taken down.

However, some takedown requests include more indirect links too. For example, a DMCA notice sent on behalf of Paramount by MarkScan on April 13, targets a 4chan discussion thread, which typically only remains online briefly. This notice also listed a file that was posted on Rootz.

While Paramount clearly tried hard to contain the leak, it appeared that the problem only became harder to enforce.

The Piracy Ecosystem Takes Over

Unlike most movie leaks, the Avatar: Aang leak did not originate from a scene or P2P group. However, it found its way into the traditional piracy ecosystem within hours, where it continues to thrive today.

Multiple copies were uploaded to torrent sites and are widely shared, making it the second most pirated movie of the past week. This includes a copy that was uploaded to The Pirate Bay by “TheRedPill,” who referenced the ongoing whack-a-mole at other platforms in the upload description.

“Found this copy on twitter of all places via a wetranfer link. Supposedly this is a webrip that was sent to someone who then leaked it online. it has been passed around all day with links going up and down,” the uploader wrote.

This wasn’t the only copy of the leak that surfaced on torrent sites, as many others appeared around the same time. Meanwhile, pirate streaming sites began indexing the leak as well, further expanding its audience by millions of people.

As shown above, torrent site 1337x currently hosts a wide variety of leaked copies. These all originate from the same source but are reported in different qualities.

Little Recourse Beyond Google

Dozens of notices posted in the Lumen database show that Paramount and its enforcement partners are also targeting these pirate sites. However, since most of these sites don’t respond to takedown notices, these sites present a persistent problem.

For these pirate sites, Paramount typically asks Google to delist the URLs from search results, which reduces discoverability but does not take the infringing content offline.

The notice below, for example, was sent to Google yesterday and targets various torrent and streaming sites. However, that’s just the tip of the iceberg.

Also, it’s worth stressing that the notices in the Lumen Database reported here are only the fraction of Paramount’s takedown efforts that’s public. Most of their efforts, including any notices sent directly to X or other platforms that do not report to Lumen, remain unknown.

In addition to taking down content, Paramount will also be interested in finding the source of the leak. According to Variety, unnamed sources said that the matter is under investigation, but the leak reportedly did not originate from within the studio.

For now, Avatar: Aang, The Last Airbender remains on course for its October 9 premiere on Paramount+. By then, most of its target audience has already had the opportunity to watch an early, perhaps unfinished, version of the film for free.

From: TF, for the latest news on copyright battles, piracy and more.