From Phishing to Forensics: DoJ Investigations into Crypto Wallet Hacks

Case-by-case look at indictments accusing individuals of wallet intrusions, asset theft, and the evolving use of traceability in prosecutions.

WASHINGTON, DC, April 17, 2026

For years, crypto wallet theft was marketed to the public as a crime almost too fluid, too borderless, and too technically slippery for ordinary law enforcement to tame, because the stolen assets could move in seconds, the perpetrators could operate under aliases, and the blockchain itself seemed to promise both speed and obscurity.

The Justice Department’s recent cases tell a very different story, because federal prosecutors are now laying out wallet-hack investigations as step-by-step narratives that start with phishing, SIM swaps, database theft, or account takeover, then move through the theft itself, and finally end with traceability, seizure, forfeiture, restitution fights, and long prison exposure.

That change matters because the government is no longer speaking about stolen cryptocurrency in vague technological language, but in concrete criminal terms that juries understand immediately, with charging papers that describe impersonation, fraud, unauthorized access, stolen seed phrases, laundered proceeds, and victim losses in language that strips away much of crypto’s old mystique.

The Buchanan case shows how phishing and SIM swaps now directly feed into wallet-theft charges.

The clearest fresh example came on April 17, 2026, when federal prosecutors in California announced that British national Tyler Robert Buchanan pleaded guilty after admitting his role in a conspiracy that used SMS phishing attacks, credential harvesting, and SIM swapping to steal at least $8 million in virtual currency from victims across the United States.

As described in the latest DOJ plea announcement, Buchanan and others allegedly sent phishing messages to employees, used fake company login pages to collect credentials, leveraged the intrusions to identify victims with cryptocurrency holdings, and then bypassed two-factor protections by fraudulently taking control of victims’ phone numbers.

What makes the case especially revealing is the way prosecutors describe the wallet intrusion itself, because they say Buchanan and his co-conspirators used information stolen from company systems and online accounts to identify and gain access to virtual currency accounts and wallets belonging to individual victims, then used SIM swaps to intercept authentication codes and unlock the assets.

The government further said that a device found at Buchanan’s residence contained victim names, addresses, and a text file with cryptocurrency seed phrases and login details for one victim, a detail that turns the case from a generalized cyber intrusion into a deeply personal wallet-access prosecution centered on the keys and recovery data that make digital assets movable.

That matters for deterrence because the legal story no longer begins at the moment coins leave a wallet, but much earlier, when a phishing text lands on a phone, an employee enters credentials on a fake page, or a carrier is tricked into reassigning a mobile number that will later serve as the gateway to somebody else’s holdings.

The Noah Urban sentencing turned wallet hacking into a straightforward theft-and-restitution case.

Buchanan’s co-conspirator, Noah Michael Urban, had already provided one of the strongest examples of how prosecutors now package wallet intrusions for court, because in August 2025, a federal judge in Florida sentenced him to 10 years in prison after he pleaded guilty to conspiracy to commit wire fraud, wire fraud, and aggravated identity theft.

According to the DOJ, Urban and others stole cryptocurrency from at least 59 victims between August 2022 and March 2023 by carrying out SIM swaps, obtaining victims’ personal information, hacking into cryptocurrency accounts online, and draining the assets after gaining control of the authentication process.

The case is important not merely because of the prison term, but also because investigators found evidence on Urban’s computer linking him to victims’ email accounts and cryptocurrency wallets, along with approximately $4.8 million in cryptocurrency from stolen accounts, leading to asset forfeiture and restitution of $13 million.

That sequence captures the new prosecutorial model with unusual clarity, because phishing and identity abuse create the opening, wallet access creates the loss, devices and account artifacts create the evidentiary bridge, and blockchain-linked assets found in a defendant’s possession help turn a complicated digital case into something that looks very much like traditional stolen-property litigation.

The Washington social-engineering ring showed that wallet hacking is often a team sport.

Another major shift in the DOJ playbook has been the recognition that many wallet intrusions are not the work of a lone keyboard operator, but of loose criminal enterprises in which separate actors gather data, identify wealthy targets, impersonate helpers, move funds, and sometimes even commit physical break-ins to obtain hardware wallets.

That structure was laid out dramatically in the District of Columbia case unsealed in 2025, in which prosecutors charged additional defendants in a RICO conspiracy, alleging more than $263 million in cryptocurrency thefts, money laundering, and home invasions tied to a cyber-enabled enterprise operating across the United States and abroad.

The indictment alleged that some members hacked or bought databases, some organized target files, some cold-called victims and convinced them their accounts were under attack, some laundered the proceeds, and some carried out residential break-ins aimed at stealing hardware virtual currency wallets from victims believed to control large amounts of digital assets.

One of the most startling allegations involved a July 2024 New Mexico burglary in which a defendant allegedly stole a hardware wallet while another conspirator monitored the victim’s location by accessing the victim’s iCloud account, a detail that shows how digital and physical intrusion now overlap in the wallet-theft ecosystem.

This case matters because it widens the legal lens, turning wallet hacking from a narrow story about compromised credentials into a broader enterprise case in which database theft, social engineering, device intrusion, hardware theft, laundering, and luxury spending all become parts of one narrative that prosecutors can present to a jury as organized predation.

The SIM swap forfeiture action highlighted how traceability now drives recovery, not just charging decisions.

If Buchanan and Urban show how investigators prove access and theft, the Justice Department’s September 2025 civil forfeiture case over more than $5 million in bitcoin stolen in SIM swap attacks shows how prosecutors are using blockchain forensics to connect victim wallets, intermediary hops, consolidation addresses, and later laundering behavior in a way that supports recovery as well as prosecution.

The department alleged that the bitcoin was traceable to thefts from five victims between October 2022 and March 2023, and said the perpetrators moved the stolen funds through multiple cryptocurrency wallets before ultimately consolidating them into one wallet that funded an account at the online casino Stake.com.

DOJ said many of the transactions were circular and included repeated deposits and withdrawals designed to make the larger balance appear connected to legitimate business activity, which is important because it shows prosecutors are not merely following a straight chain from one wallet to another, but analyzing the behavioral pattern of transactions to argue that the movement itself was laundering.

That is one of the most consequential developments in this field, because traceability is no longer just a slogan about blockchain transparency, but a courtroom tool that lets the government explain why a complicated path of transactions still points back to a theft victim and forward to a recoverable pool of proceeds.
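An added illustration, not from the article or any DOJ filing, of the two tracing behaviours described above: walking stolen funds forward from victim wallets to the address where they consolidate, and flagging the repeated back-and-forth transfers that prosecutors characterised as circular. The ledger, address labels and function names are constructed for the example.

```python
from collections import defaultdict, deque
# Constructed sample ledger, not real chain data: (txid, sender, receiver, amount)
TXS = [
    ("t1", "victim1", "hop1a", 10.0), ("t2", "victim2", "hop2a", 8.0),
    ("t3", "hop1a", "hop1b", 9.9),    ("t4", "hop2a", "hop2b", 7.9),
    ("t5", "hop1b", "consol", 9.8),   ("t6", "hop2b", "consol", 7.8),
    ("t7", "consol", "casino", 5.0),  ("t8", "casino", "consol", 4.9),
    ("t9", "consol", "casino", 4.8),  ("t10", "casino", "consol", 4.7),
    ("t11", "consol", "casino", 4.6), ("t12", "merchant", "shop", 1.0),
]

def trace_forward(txs, victims):
    """BFS outflows from each victim wallet. Returns (reached, dist): reached[addr] is
    the set of victims whose funds touched addr, dist[addr] the fewest hops to it."""
    outs = defaultdict(list)
    for _, src, dst, _ in txs:
        outs[src].append(dst)
    reached, dist = defaultdict(set), {}
    for v in victims:
        queue, seen = deque([(v, 0)]), {v}
        while queue:
            cur, d = queue.popleft()
            for nxt in outs[cur]:
                reached[nxt].add(v)
                dist[nxt] = min(dist.get(nxt, d + 1), d + 1)
                if nxt not in seen:           # cycles (casino -> consol) end here
                    seen.add(nxt)
                    queue.append((nxt, d + 1))
    return reached, dist

def consolidation_addresses(txs, reached, dist, min_victims=2):
    """First addresses where funds from several distinct victims merge: tainted by
    >= min_victims victims, with no earlier-hop sender already holding that merge."""
    senders = defaultdict(set)
    for _, src, dst, _ in txs:
        senders[dst].add(src)
    def merged_upstream(a):
        return any(len(reached.get(s, ())) >= min_victims and dist.get(s, 0) < dist[a]
                   for s in senders[a])
    return sorted(a for a, vs in reached.items()
                  if len(vs) >= min_victims and not merged_upstream(a))

def circular_pairs(txs, min_round_trips=2):
    """Address pairs with repeated deposit/withdraw churn in both directions."""
    count = defaultdict(int)
    for _, src, dst, _ in txs:
        count[(src, dst)] += 1
    return sorted((a, b) for (a, b), n in count.items()
                  if a < b and min(n, count.get((b, a), 0)) >= min_round_trips)
```

On real data the same logic runs over transaction outputs rather than address pairs, and the unrelated merchant transfer stays untainted because no victim path reaches it.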

Bitfinex remains the deepest illustration of what traceability can eventually become.

The most famous example is still the Bitfinex matter, where the 2016 hack enabled years of laundering activity, thousands of transactions, and one of the largest financial seizures in the department’s history, eventually leading to guilty pleas and a 2024 sentence for Ilya Lichtenstein in connection with the laundering conspiracy.

According to the DOJ, Lichtenstein hacked into Bitfinex’s network, fraudulently authorized more than 2,000 transactions transferring about 119,754 bitcoins into a wallet under his control, and then took steps to cover his tracks by deleting credentials and logs that might have exposed the original intrusion more quickly.

The reason Bitfinex still matters in 2026 is that it proved a point investigators keep making more confidently every year, which is that even where criminals use fictitious identities, chain hopping, darknet services, exchanges, business accounts, and mixers, the combined use of on-chain analysis and off-chain records can still rebuild the path with enough precision to support seizure and conviction.

That lesson has not only influenced prosecutors but has also affected the unresolved question of investor recovery, because, as Reuters reported in its examination of the restitution fight surrounding recovered Bitfinex assets, the hardest issue after successful tracing can become deciding who actually receives the recovered value.

That restitution question matters for wallet-hack cases more broadly, because successful forensics do not always end the legal dispute, and in major incidents, courts may still need to decide whether the exchange, the wallet holder, or some broader class of affected users should count as the real economic victims.

The Medjedovic indictment widened the theory of wallet intrusion beyond pure account takeover.

Not every modern wallet-hack prosecution looks like a classic phishing or SIM swap case, and one reason the February 2025 indictment of Andean Medjedovic remains important is that it demonstrates how prosecutors can describe on-chain exploitation itself as a form of fraudulent intrusion that drains investor value even without the familiar fact pattern of stolen login credentials.

DOJ alleged that Medjedovic exploited vulnerabilities in the automated smart contracts used by KyberSwap and Indexed Finance, borrowed hundreds of millions in digital tokens, caused the protocols’ internal calculations to misfire through deceptive trading, withdrew millions of dollars at artificial prices, and later tried to conceal the proceeds through bridging transactions, swap activity, and a mixer.

Even though the assets at issue moved through decentralized systems rather than ordinary web-account wallets, the case still fits the evolving pattern because the government is treating manipulated access to digital asset control as a prosecutable taking, then using transactional analysis to map how the proceeds were moved and concealed afterward.

That means the legal distinction between a wallet hack, a protocol exploit, and a fraudulent digital-asset intrusion may matter less than many people in the industry once believed, because prosecutors increasingly focus on whether a victim lost control of value through deception, unauthorized interference, or manipulated system behavior that the defendant knew would produce a false outcome.

What these cases say about the new forensic posture.

Taken together, these cases show that DOJ investigations into crypto wallet hacks now move through a recognizable sequence that starts with human weakness or code weakness, develops through unauthorized access and asset transfer, and ends with a reconstruction effort that combines digital devices, telecom records, cloud-account evidence, exchange data, blockchain analysis, and forfeiture tools.

In older cybercrime narratives, the dramatic question was whether police could ever find the person behind the keyboard, but in modern wallet-hack cases, the better question is whether prosecutors can tell a coherent story that links the first phish, the first stolen credential, the first intercepted code, the first wallet drain, and the final laundering route into one legally persuasive chain.

Increasingly, the answer appears to be yes, and that is exactly why the government keeps emphasizing seed phrases found on devices, login records, Telegram channels, peel chains, bridging, circular transactions, and consolidation wallets, because each one helps translate a seemingly chaotic digital theft into a prosecutable timeline with identifiable actors and traceable proceeds.

For firms, executives, and investors confronting the fallout from a serious digital-asset theft, especially where multi-jurisdiction exposure, seizure risk, or travel complications begin to emerge, many review Amicus International Consulting and its analysis of cross-border extradition risk to understand how cybercrime cases can grow into broader enforcement problems once tracing, international cooperation, and asset recovery efforts accelerate.

The bottom line is that DOJ’s wallet-hack investigations are no longer built around the idea that crypto is too fast or too obscure for meaningful accountability, because the department is now showing, case by case, that phishing can be followed, seed phrases can be found, stolen wallets can be linked to real people, laundering trails can be reconstructed, and digital theft can be prosecuted with a level of evidentiary detail that keeps getting sharper.

Anton Stravinsky

Anton Stravinsky is an associate correspondent for Tri-City News, BC, Canada. Stravinsky focuses on international finance, banking, and asset management trends across Europe and Asia for Markets. Before his current role, Stravinsky completed Bloomberg's journalism fellowship, contributing stories to Bloomberg's digital and broadcast platforms. He originally joined Bloomberg as a summer intern covering financial markets and global economies in 2017. Stravinsky’s prior experience includes internships with Reuters' business desk in London, CNBC's Squawk Box Europe, and The Financial Times' editorial team. He earned a bachelor's degree in economics and journalism from New York University, where he served as senior editor for the university’s independent news outlet, Washington Square News.