Hacker pleads guilty in $8 million phishing and crypto theft case

Tyler Robert Buchanan, a 24-year-old from Dundee, Scotland, pleaded guilty in federal court in Santa Ana, California, on April 17, 2026, to conspiracy to commit wire fraud and aggravated identity theft in a long-running phishing and cryptocurrency theft scheme.

What happened

According to the U.S. Department of Justice and Buchanan’s plea agreement, the conduct ran from about September 2021 through April 2023 and targeted at least a dozen companies, their employees, and individual victims across the United States. Prosecutors say Buchanan and his co-conspirators sent hundreds of SMS phishing messages to employees that appeared to come from the victim company itself or from a contracted IT or business process outsourcing supplier.

Those texts pushed victims to phishing websites designed to look legitimate, where employees entered usernames, passwords, and other sensitive information. Buchanan and the others then used the stolen credentials to access employee accounts and company systems, stealing confidential business information and personal identifying information. The plea agreement also says the group used information taken during company intrusions to identify and access victims’ cryptocurrency wallets and accounts and, in some cases, carried out SIM swaps to bypass two-factor authentication.

On a device seized from Buchanan’s residence in Scotland in April 2023, investigators found names and addresses of victims, along with a file containing cryptocurrency seed phrases and login information for one victim’s account. Buchanan admitted the scheme stole at least $8 million in virtual currency. He has been in federal custody since April 2025, and sentencing is set for August 21, 2026.

What was said

According to the Criminal Complaint released 25 May 2024, “One of Buchanan’s devices was found to contain a phishing kit. Based on my review, I believe that this phishing kit was a software program designed to capture information coming into a phishing website (like usernames and passwords) and then transmit that information to another database that could be accessed by the attackers. I analyzed the phishing kit found on BUCHANAN’s device and determined that it was designed specifically to transmit the captured information to a Telegram channel.”

Why it matters

Buchanan’s case shows how damaging cybercrime now often starts with something that looks ordinary instead of something obviously malicious. A routine text, a familiar login page, or a message that appears to come from IT can lead to much larger losses. In another case, Cloudflare reported a near-identical campaign that sent employees to a fake Okta page and would likely have breached most organizations without stronger authentication controls.

Caesars later told investors that its 2023 incident resulted from a social engineering attack on an outsourced IT support vendor, and MGM disclosed that its September 2023 cyber incident caused an approximately $100 million negative impact in that month alone. Federal authorities then warned in July 2025 that Scattered Spider was still targeting large companies and their IT help desks, using increasingly sophisticated social engineering, SIM swaps, MFA abuse, and data-theft extortion.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

FAQs

What does bypassing two-factor authentication mean?

It means an attacker gains access to an account even though a second verification step is turned on.

Does bypassing two-factor authentication mean the security feature is broken?

Not always. Many attacks work by tricking the person, stealing a session, or taking over the device or phone number linked to the account rather than cracking the authentication system itself.

Can phishing still work when two-factor authentication is enabled?

Yes. A fake login page, push prompt, or urgent message can still trick someone into giving away credentials or approving a login.