Hacker Kiberphant0m is Suspected of Also Orchestrating the BSNL India Cyber Attack

• The U.S. Army soldier arrested in connection with the AT&T and Verizon data leak has been linked to the Bharat Sanchar Nigam Limited cyberattack.
• The 2024 BSNL breach saw about 278 GB of data exfiltrated and advertised as being for sale via Telegram.
• KIberphant0m used his Telegram account to discuss the sale of BSNL data for $5,000.

Hacker Cameron John Wagenius is allegedly connected to the 2024 BSNL data breach. The U.S. Army soldier was arrested last month for leaking and selling phone call records from the servers of AT&T and Verizon. 

Wagenius, 20, who uses Kiberphant0m as a darknet operator alias, tried to sell personal data from the Indian state-owned telecommunications company. Allison Nixon, chief research officer of Unit 221B, a New York-based cybersecurity firm, helped unearth that both Wagenius and Kiberphant0m were the same.

Bharat Sanchar Nigam Limited (BSNL) was in the news in May 2024 for cybersecurity incidents attributed to a hacker known only by the alias Kiberphant0m. It is suspected that it was Wagenius who stole and tried to sell the data in this cyberattack, according to press reports.

SIM card data, PIN codes, authentication keys, and International Mobile Subscriber Identity (IMSI) numbers were said to be exposed in the cyberattack, which the hacker reportedly put up for sale for $5,000 on the dark web.

He boasted of offering a special price on May 30 and 31 and shared tips on further misuse of the data for money laundering. After claiming the BSNL data breach, Wagenius asked the buyers to reach out to him on his Telegram account. 

The telegram account was run under the name cyb3rph40m and was last used on December 7, 2024.

The Union government confirmed the BSNL data leak in the parliament in July 2024. Authorities said a sample of the leaked data shared by the Indian Computer Emergency Response Team (CERT-In) matched that of a file transfer protocol (FTP) server.

Since the accused is a US soldier, the case will likely be followed by the Indian law enforcement agency filing an FIR and initiating an investigation with international treaties and international agencies.

Wagenius specifically targeted telecommunication companies in the US and India which point towards suspicious entities wanting telephone records likely for political purposes and cyberespionage. 

Kiberphant0m was recently stationed in South Korea. However, he was arrested near the Army base in Fort Hood, Texas.

He had access to records from nearly 15 other Asian telecommunication companies. He claimed he had confidential customer call records, including outgoing calls from prominent figures like the President of the U.S. Donald Trump and Vice President Kamala Harris. 

His indictment document referenced his mother, with whom he had shared that he knew Riley Moucka, AKA Judische, who was arrested in Canada in October for hacking and selling data stolen from the cloud service provider Snowflake.