From Dundee to Federal Custody: UK Man Stole $8M via SMiShing and SIM Swaps
When we talk about cyber intrusions, we often think of complex code or zero-day exploits. However, as the recent case of Tyler Robert Buchanan illustrates, sometimes the most devastating attacks rely on a mix of sophisticated social engineering and specific technical manipulation of mobile infrastructure. Buchanan, a 24-year-old from Dundee, Scotland, recently entered a guilty plea that lays bare a $8 million heist targeting American individuals and corporate entities.
Buchanan has been in federal custody since April 2025, pleading guilty to conspiracy to commit wire fraud and aggravated identity theft. According to his plea agreement, the operation was not a one-man show but a coordinated conspiracy spanning from September 2021 to April 2023.
The Mechanics of the Intrusion
The attack vector used by Buchanan and his co-conspirators was a variant of Short Message Service (SMS) phishing, often referred to as SMiShing. This isn’t your standard spam email; it is highly targeted. The group sent hundreds of SMS messages to the mobile telephones of employees at victim companies—ranging from interactive entertainment firms and cloud communications providers to BPOs and IT suppliers.
The messages were crafted to deceive. They purported to come from the victim company or a contracted third-party IT service, luring employees into clicking links to fraudulent websites. These sites were designed to look identical to legitimate corporate portals, forcing victims to surrender Personal Identifying Information (PII) and account credentials.
Once the credentials were captured, the conspirators didn’t just stop at corporate espionage. They used the stolen usernames and passwords to access employee accounts, exfiltrating confidential work product, intellectual property, and PII.
Bypassing Security: SIM Swapping
The true technical brilliance—and danger—of this scheme lay in the crypto theft phase. To access individual victims’ virtual currency wallets without triggering Multi-Factor Authentication (MFA) alerts, Buchanan utilized a technique known as Subscriber Identity Module (SIM) swapping.
Here is the technical breakdown: SIM swapping involves a fraudster persuading a mobile carrier to reassign a cell phone number from the legitimate subscriber’s SIM card to a SIM card controlled by the fraudster. Because modern crypto exchanges rely on SMS-based codes for verification, once the number is transferred, the criminals can intercept the codes and seize the assets.
Buchanan admitted to possessing files from numerous victims, including specific text files containing cryptocurrency seed phrases and login credentials. This data was likely used to drain millions of dollars in virtual currency assets from victims across the United States.
The Verdict and Fallout
The gravity of the situation is underscored by the sentencing timeline. United States District Judge John W. Holcomb has scheduled an August 21 sentencing hearing, where Buchanan faces a statutory maximum of 22 years in federal prison.
It is worth noting that Buchanan was not operating alone. He was part of a larger network. His co-conspirator, Noah Michael Urban (aka “Sosa” or “Elijah”), 21, of Palm Coast, Florida, has already been sentenced to 10 years in prison and ordered to pay $13 million in restitution.
While three other defendants remain at large, Buchanan’s admission provides a chilling look into the resourcefulness of cybercriminals, blending phishing with carrier manipulation to bypass the very security measures designed to protect our digital lives.