Scottish man pleads guilty in US phishing scheme targeting companies
Tyler Robert Buchanan admitted a text-phishing campaign that broke into U.S. companies and helped steal at least $8 million in virtual currency.

Tyler Robert Buchanan, a 24-year-old from Dundee, Scotland, admitted to a phishing campaign that prosecutors say moved from stolen logins to virtual currency theft across the United States. He pleaded guilty in federal court in Santa Ana, California, to conspiracy to commit wire fraud and aggravated identity theft.
Prosecutors said the scheme ran from September 2021 through April 2023 and reached at least a dozen companies, along with individual victims nationwide. The targets spanned interactive entertainment, telecommunications, technology, business process outsourcing and information technology suppliers, cloud communications providers, and virtual currency companies.
The fraud relied on SMS phishing, with hundreds of text messages sent to employees of victim companies. Those messages impersonated a company or one of its IT or BPO suppliers and pushed recipients to fake login pages designed to capture usernames, passwords, and personal identifying information. Once the credentials were stolen, they were used to enter employee and company accounts and, in some cases, to take confidential work product, intellectual property, and other sensitive data.
Investigators said the operation was not limited to one-off account theft. The conspirators also built a phishing kit that sent captured credentials to a Telegram channel run by Buchanan and another co-conspirator. Federal filings tied to Buchanan’s arrest warrant described the case as involving wire fraud conspiracy, computer fraud-related offenses, and aggravated identity theft, and said cryptocurrency was the asset targeted in the thefts.

The case fits a pattern federal investigators have linked to Scattered Spider, a cybercrime group that has drawn scrutiny for targeting large companies and their contracted IT help desks. In a July 29, 2025 advisory, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency warned that the group uses social engineering, data theft for extortion, and ransomware variants including DragonForce. That warning highlights the weak point Buchanan’s case exposed: once an employee is tricked into surrendering credentials, the attacker can move from email or text message to internal systems, then to the assets most likely to produce leverage or cash.
Buchanan has been in federal custody since April 2025. His plea lands alongside another U.K.-linked cybercrime case brought by the Justice Department in September 2025 against Thalha Jubair, which involved at least 120 intrusions and extortion attacks affecting 47 U.S. entities. Together, the cases show how text-message lures, fake portals, and stolen credentials remain a durable path into corporate networks, especially where workers are pushed to act quickly and verify poorly.

