British National Pleads Guilty to SIM Swapping, SMS Phishing for Crypto Theft

Executive Summary

A British national has pleaded guilty in a U.S. federal court to conspiracy to commit wire fraud for his role in a cybercrime scheme that stole at least $1 million in virtual currency. Tyler Robert Buchanan of Dundee, Scotland, participated in attacks that combined SMS phishing (smishing), corporate network intrusions, and SIM swapping to compromise victim accounts and drain cryptocurrency holdings.

Technical Analysis

According to court documents, the conspiracy involved multiple techniques to gain unauthorized access to victim accounts and corporate networks. While the specific technical vulnerabilities exploited within company networks are not detailed in the available source, the scheme's success relied on intercepting multi-factor authentication (MFA) codes. This was achieved primarily through SIM swapping, where attackers fraudulently transfer a victim's phone number to a device they control, allowing them to receive SMS-based authentication codes. The initial access for these SIM swaps was likely obtained through the SMS phishing campaigns, which tricked victims into revealing personal information. Once in control of a phone number, the conspirators could bypass MFA protections on email and financial accounts, particularly those holding cryptocurrency.

Tactics, Techniques & Procedures

The threat actors employed a multi-stage approach consistent with financially motivated cybercrime:

1. Initial Access (TA0001): Gaining footholds via SMS phishing (smishing) to harvest credentials and personal data.
2. Initial Access (TA0001): Intruding into corporate networks, though the specific initial vectors (e.g., phishing, exploited vulnerabilities) are not specified.
3. Credential Access (TA0006): Executing SIM swap attacks to hijack victim phone numbers and intercept SMS-based MFA codes.
4. Impact (TA0040): Using the compromised access to steal virtual currency from victim accounts.

Threat Actor Context

The guilty plea from Tyler Robert Buchanan indicates involvement by individual actors or a loose cybercriminal group, as opposed to a state-sponsored advanced persistent threat (APT). The focus on cryptocurrency theft via SIM swapping and smishing aligns with the tactics of financially motivated groups like Scattered Spider and other SIM-swapping crews. The international dimension, with a U.K. national prosecuted in the U.S., reflects the cross-border nature of such cybercrime and ongoing law enforcement cooperation.

Mitigations & Recommendations

While the source does not provide victim-specific mitigation advice, the techniques described warrant standard defensive measures:

• Move away from SMS-based multi-factor authentication for high-value accounts, especially cryptocurrency exchanges and email. Use authenticator apps or hardware security keys instead.
• Implement strict procedures with mobile carriers to prevent unauthorized SIM swaps, such as using a port-out PIN or account-specific password.
• Train employees and individuals to recognize and report SMS phishing attempts, which often create a sense of urgency or impersonate trusted services.
• For organizations, segment network access and enforce strong authentication for systems that manage employee or customer telecommunications data.