Canadian teen pleads guilty after $13M crypto social engineering scam funded private jets and Lamborghinis

A Canadian teenager has pleaded guilty in the US after prosecutors said he stole more than $13 million in crypto through social engineering scams and spent part of it on private jets, luxury cars and jewelry in Miami and Los Angeles. For PSPs and exchanges, the case is another reminder that the weak point is often account access, not code.

1. US prosecutors said Trenton Richard Johnston, then 19, was charged in May over a scheme that began around January 2024. Johnston and co-conspirators allegedly impersonated Google, Trezor and other crypto firm employees to gain access to victims’ crypto.
2. In February, Johnston reportedly tricked one victim into believing their Google email and Coinbase accounts were compromised, leading to the theft of about $41,000 in Ether (ETH). Less than a month later, he and his co-conspirators allegedly posed as Google and Trezor representatives to convince another victim in California that someone was trying to access their crypto wallet, which let them drain about $13 million in Bitcoin (BTC).
3. On Tuesday, Johnston, now 20, pleaded guilty to conspiracy to commit money laundering. Prosecutors said that plea allowed him to avoid further charges that could have carried a maximum sentence of up to 40 years in prison.
4. According to court documents, about $1.2 million of the stolen crypto was spent on an “exotic lifestyle” across Miami and Los Angeles in just two months. Prosecutors said the funds went toward buying and renting luxury cars, including two BMWs and a Lamborghini Aventador SVJ, as well as a private jet, a rental house in North Miami and plane tickets for “two girls from New York.”
5. Johnston’s spending trail ended in March, when he was pulled over for speeding in a Rolls-Royce and found carrying 21 suspected amphetamine tablets. Investigators seized his computer, cellphone and handwritten notes, which allegedly tied him to the fraud scheme. He has since turned over approximately 53.16 Bitcoin and 275.23 Ether, worth $3.

The thing to note for high-risk operators is how ordinary the front end was: impersonation of Google, Trezor and Coinbase, not some headline-grabbing exploit. When the attacker only needs a few minutes of trust, the downstream loss can be immediate and hard to reverse.