WHAT HAPPENED
On April 17, 2026, Tyler Robert Buchanan, 24, of Dundee, Scotland, pleaded guilty in federal court in Santa Ana, California to one count of conspiracy to commit wire fraud and one count of aggravated identity theft. The scheme involved hacking into at least a dozen companies and stealing at least $8 million in virtual currency from individual victims across the United States. Buchanan and his co-conspirators were members of a cybercrime group known as Scattered Spider. Buchanan has been in federal custody since April 2025. Sentencing is scheduled for August 21, 2026. He faces a statutory maximum of 22 years — 20 years for the wire fraud conspiracy and a mandatory 2 years consecutive for aggravated identity theft. Three co-conspirators still face pending criminal charges. A fourth, Noah Michael Urban, 21, of Palm Coast, Florida, is already serving 10 years and was ordered to pay $13 million in restitution.
WHY IT MATTERS
Twenty-five years of prosecuting federal cases teaches you something. The victims who haunt you aren’t always the ones who lost the most money. They’re the ones who did everything right — used strong passwords, enabled two-factor authentication, followed every best practice they’d ever read — and still got cleaned out. This case is about exactly that kind of victim.
Before getting into how the attack worked, there is a threshold point worth making. Buchanan was not charged under any cryptocurrency-specific statute. No novel legal theory. No complex regulatory framework. Wire fraud and aggravated identity theft — two of the most basic and well-worn tools in the federal prosecutor’s toolkit. Wire fraud has been around since 1952. Aggravated identity theft since 2004. As we noted in Alert 007, the government didn’t need anything fancy to put Robert Dunlap away for 23 years for the Meta-1 Coin fraud either — just mail fraud, a statute from 1872. The pattern holds here. Federal prosecutors do not need sophisticated legal machinery to put crypto criminals in prison for decades. The most basic statutes in the federal toolkit are sufficient. They always have been.
Buchanan and his crew didn’t need sophisticated hacking tools or blockchain exploits either. They sent text messages. That’s it. Carefully crafted SMS phishing messages that looked like legitimate communications from a victim’s employer or IT provider. An employee clicks a link, enters their credentials, and it’s over. The attackers are inside the corporate network before anyone knows what happened.
From there they worked methodically. Stolen corporate credentials led to harvested personal data — names, phone numbers, email addresses, account information. They used that data to identify individuals holding significant cryptocurrency. Then came the SIM swap.
If you don’t know what a SIM swap is, pay attention — because this is the vulnerability that breaks the security model most crypto investors are relying on.
Your phone number is assigned to a physical SIM card in your device by your mobile carrier. A SIM swap attack tricks your carrier into reassigning that number to a SIM card the attacker controls. It usually happens through social engineering — someone calls your carrier pretending to be you, provides enough personal information to be convincing, and walks away with your phone number. From that moment forward every call and text meant for you goes to them. Including the two-factor authentication codes your crypto exchange sends to verify your identity.
Here is the part most people miss: your exchange thinks it’s talking to you. The code went to the right number. The login looks legitimate. There is no alert, no flag, no warning. The account gets drained and the victim finds out when they try to log in themselves.
SMS-based two-factor authentication is better than nothing. But it has a fundamental vulnerability — the security of an account is only as strong as the security of the phone number attached to it. And that phone number is controlled by a carrier, not by the account holder.
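The mechanism described above, modeled as an added example (not part of the original alert or the DOJ release): a toy carrier and exchange showing that a matching SMS code proves only who controls the number at that moment. The class names, the 72-hour hold window, and the assumption that the exchange can see when the carrier last reassigned the number are all hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field

HOLD_SECONDS = 72 * 3600  # assumed policy: distrust SMS codes this long after a SIM change

@dataclass
class Carrier:  # toy model: the carrier, not the account holder, owns number -> SIM
    routing: dict = field(default_factory=dict)     # number -> SIM id
    changed_at: dict = field(default_factory=dict)  # number -> time of last reassignment
    inbox: dict = field(default_factory=dict)       # SIM id -> texts received

    def assign(self, number, sim_id, now):
        self.routing[number] = sim_id
        self.changed_at[number] = now

    def deliver(self, number, text):
        self.inbox.setdefault(self.routing[number], []).append(text)

@dataclass
class Exchange:
    carrier: Carrier
    pending: dict = field(default_factory=dict)     # number -> outstanding code

    def send_code(self, number):
        self.pending[number] = f"{secrets.randbelow(10**6):06d}"
        self.carrier.deliver(number, self.pending[number])

    def verify_sms_only(self, number, code):
        # A match proves control of the number right now, nothing about who holds it.
        expected = self.pending.pop(number, None)
        return expected is not None and hmac.compare_digest(expected, code)

    def verify_with_hold(self, number, code, now):
        # Hypothetical check: reject SMS codes while the SIM binding is recent.
        if now - self.carrier.changed_at[number] < HOLD_SECONDS:
            self.pending.pop(number, None)
            return False
        return self.verify_sms_only(number, code)

def simulate(hold, elapsed=600):
    carrier = Carrier()
    exchange = Exchange(carrier)
    number = "+1-555-0100"                              # constructed sample number
    carrier.assign(number, "sim-owner", now=0)
    carrier.assign(number, "sim-other", now=1_000_000)  # carrier moves the number
    exchange.send_code(number)
    code = carrier.inbox["sim-other"][-1]               # code lands on the new SIM only
    check = exchange.verify_with_hold if hold else exchange.verify_sms_only
    args = (number, code, 1_000_000 + elapsed) if hold else (number, code)
    return check(*args), "sim-owner" in carrier.inbox   # (accepted, owner saw a text)
```

The hold only delays acceptance: once the window has passed, a code sent to the reassigned number is accepted again, so the phone number remains the weak point.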
WHO SHOULD PAY ATTENTION
Every crypto investor using SMS-based two-factor authentication needs to understand this case. A strong password doesn’t protect against a SIM swap. The authentication code an exchange just sent to a phone number may be going to someone else.
If you have ever received unexpected text messages purporting to be from your employer, your IT department, or a technology provider — treat them as hostile until proven otherwise. Click nothing. Call the sender directly using a number you already have.
Employees at technology companies, telecommunications providers, and cryptocurrency exchanges are high-value targets. Access to their corporate systems gives attackers everything they need to execute downstream crypto thefts against individual account holders. If you work at one of these companies and have received any unusual contact from investigators or noticed any anomalies in your corporate systems, take it seriously.
DEFENSE NOTE
If you have received any communication from federal investigators in connection with unauthorized computer access, SIM swapping, SMS phishing, or virtual currency theft — whether as a target, a witness, or someone who provided services to individuals later charged — consult with a federal criminal defense attorney before responding. Federal prosecutors pursuing cases like this cast a wide net. Peripheral participants face real exposure. I have seen it happen. This includes employees of mobile carriers who may have processed SIM swap requests, individuals who received or transferred cryptocurrency that originated from these attacks, and anyone who provided personal information about a potential victim to someone later charged in a scheme like this one. Zerillo Law Firm handles federal crypto matters — contact us at zerillolaw.com.
Source: U.S. Department of Justice, April 17, 2026
About the Author
Michael J. Conley is a former federal prosecutor with nearly 25 years in federal law enforcement. He served as an Assistant U.S. Attorney in the District of Maine and as Chief of the Criminal Division for the U.S. Attorney’s Office in the U.S. Virgin Islands. He secured one of the first federal convictions in the country for operating an unlicensed Bitcoin money service business — a landmark prosecution that helped establish Bitcoin as money under federal law at a time when that legal question remained largely unsettled. He is Of Counsel at Zerillo Law Firm, where he focuses on federal cryptocurrency criminal defense. Contact the firm at zerillolaw.com.
