US Army Soldier ‘Kiberphant0m’ Arrested for AT&T and Verizon Extortion in Snowflake Incident

• The notorious hacker authorities have been trying to identify in the last year was finally apprehended.
• 'Kiberphant0m' was revealed to be a 20-year-old U.S. Army communications specialist.
• The individual is accused of selling and leaking AT&T and Verizon call records stolen via the Snowflake data breach. 

Federal authorities have arrested Cameron John Wagenius, a 20-year-old U.S. Army communications specialist stationed at Fort Hood, Texas, who allegedly operated under the alias "Kiberphant0m."

The individual is accused of selling and leaking sensitive call records stolen from telecommunications giants AT&T and Verizon. His arrest follows a federal indictment on two counts of unlawfully transferring confidential phone records.

The investigation revealed that Wagenius was linked to Canadian cybercriminal Connor Riley Moucka, also known as "Judische," who was arrested in October for extorting numerous companies, including those utilizing cloud service Snowflake. 

Moucka reportedly collaborated with individuals like Kiberphant0m to sell stolen data rather than monetizing it himself. 

Kiberphant0m proclaimed responsibility for breaching at least 15 telecommunications companies, as shared via posts on Telegram. These claims were corroborated following extensive research by security journalist Brian Krebs, who first reported the suspect’s identity in late November, identifying him as a U.S. Army soldier stationed in South Korea at the time.

Before his arrest, Kiberphant0m posted what he claimed were AT&T call logs belonging to high-profile figures like President-elect Donald J. Trump and Vice President Kamala Harris. 

Threatening to leak sensitive governmental data unless contacted by AT&T, Kiberphant0m also claimed to have obtained data schematics from the U.S. National Security Agency. 

Subsequent posts included selling call logs of Verizon’s Push-to-Talk (PTT) services, predominantly used by U.S. government personnel and first responders, and advertising SIM-swapping services targeting PTT customers.

The arrest is also tied to prior activities where the suspect sold remote access to a U.S. defense contractor’s network and allegedly maintained a large botnet for launching distributed denial-of-service (DDoS) attacks.

Wagenius was arrested near Fort Hood on December 20. The two-page federal indictment did not explicitly provide details of his hacking activities or the victims impacted.

The attacks first surfaced when hackers accessed sensitive customer data stored on Snowflake accounts that lacked adequate protection, such as multi-factor authentication. By exploiting these vulnerabilities, the cybercriminals raided data repositories from industry giants, including AT&T, which reported major breaches earlier this year.