You think your crypto is safe because you have a complex password and two-factor authentication (2FA) turned on. Tyler Robert Buchanan proved that’s just a comforting lie. The 24-year-old from Dundee, Scotland, just pleaded guilty in a California federal court to a massive hacking spree that drained $8 million from unsuspecting victims. He didn’t use some high-tech "Brute Force" software you see in movies. He used a phone and a bunch of deceptive text messages.
Buchanan and his crew ran this operation for about two years. They targeted over a dozen companies, ranging from cloud providers to gaming firms. They weren't just after corporate data; they wanted the keys to the kingdom. Specifically, your virtual currency. The Department of Justice (DOJ) finally caught up with him, and now he’s looking at a potential 22 years in a US prison.
The Phishing Kit and the Telegram Nerve Center
Most hackers don't start by breaking through a firewall. They start by asking you to open the door. Buchanan and his co-conspirators sent hundreds of SMS phishing messages to employees of big tech and telecom firms. These texts looked official. They claimed to be from the company’s IT department or a trusted supplier. "Your account is about to be deactivated," the message would warn. Panic is a great motivator.
Once a victim clicked the link, they were sent to a fake website that looked exactly like their internal company portal. They entered their login details, and Buchanan's team caught every keystroke. They built a custom "phishing kit" for this exact purpose. The stolen credentials didn't just sit in a database. They were funneled directly into a Telegram channel that Buchanan managed. It was a streamlined, high-speed assembly line for identity theft.
Why Two-Factor Authentication Failed
We’ve been told for years that 2FA is the gold standard of security. Buchanan proved it has a glaring weakness: the SIM swap. Once he had an employee's credentials, he could get into corporate systems. From there, he found information on individual crypto holders.
To get past those pesky 2FA codes, the group performed SIM swaps. They'd trick a mobile carrier into porting a victim's phone number to a device they controlled. Suddenly, those "secure" codes weren't going to the victim; they were going straight to the hackers. Buchanan admitted that this was how they bypassed security to drain wallets. When investigators raided his home in Scotland, they found a digital goldmine. One text file alone contained the seed phrases and login info for a victim's crypto account.
The Network of Co-Conspirators
Buchanan didn't act alone. This was a global effort with a heavy American presence.
- Noah Michael Urban: Known as "Sosa," this 21-year-old from Florida is already serving 10 years and owes $13 million in restitution.
- Ahmed Hossam Eldin Elbadawy: A 24-year-old from Texas, currently facing charges.
- Evans Onyeaka Osiebo: Another Texan, aged 21, also facing the music.
- Joel Martin Evans: Known as "joeleoli" from North Carolina.
The sheer scale of the operation shows that this wasn't just a "bored kid in a bedroom" scenario. This was organized crime in a digital wrapper. They hit at least 45 companies globally, including firms in Canada, India, and the UK.
The August Sentencing Deadline
Buchanan has been in US custody since April 2025. His guilty plea covers conspiracy to commit wire fraud and aggravated identity theft. While the wire fraud charge is the heavy hitter, the identity theft charge carries a mandatory two-year sentence that has to run consecutively to any other time he gets.
US District Judge John W. Holcomb has set the sentencing for August 21. If the judge decides to throw the book at him, Buchanan could be in his mid-40s by the time he sees the outside of a prison cell.
How You Protect Your Digital Assets
If an $8 million theft tells us anything, it’s that we’re far too trusting of our mobile devices. You can't rely on the "default" security settings anymore.
- Stop using SMS for 2FA. If a hacker can swap your SIM, they own your accounts. Move to an app-based authenticator like Google Authenticator or, better yet, a physical security key like a YubiKey.
- Audit your "Seed Phrases." Never, under any circumstances, store your crypto seed phrases in a "notes" app, a text file, or your email. Buchanan found exactly that on a victim's device. Use a physical cold storage device and keep the recovery words on paper in a safe.
- Trust nothing. If you get a text message about an account deactivation or a login issue, don't click the link. Open your browser, type the website address in manually, and log in that way.
The FBI reported that cyber-enabled crime cost Americans nearly $21 billion in 2025 alone. Buchanan is just one piece of a massive, expensive puzzle. Don't let your data be the next piece he—or someone like him—picks up. Move your security away from your phone number immediately.