Army soldier linked to Snowflake attack spree allegedly tried to sell data to foreign spies

Federal prosecutors accuse Cameron Wagenius of searching how to defect to Russia before he tried to sell stolen data to a foreign intelligence service.
The Department of Justice building is pictured in Washington, DC, on January 22, 2022. (Photo by STEFANI REYNOLDS/AFP via Getty Images)

U.S. authorities say a 21-year-old U.S. Army soldier attempted to sell stolen sensitive information to a foreign intelligence service as part of a broader effort to extort victims and leak call records of high-ranking public officials.

In November while on active duty, Cameron Wagenius made multiple attempts to extort $500,000 from a major telecommunications company while threatening to leak additional phone records belonging to the same high-ranking officials, according to court documents filed Wednesday in the U.S. District Court for the Western District of Washington. 

Authorities did not name Wagenius’ alleged victims in court filings, but Allison Nixon, chief research officer at Unit 221B, confirmed to CyberScoop that AT&T is the telecom company he tried to extort for ransom. Wagenius previously filed a notice of intent to plead guilty to unlawfully posting and transferring confidential phone records.

The criminal activities alleged against Wagenius underscore the bold actions cybercriminals will take to extort victims and evade capture. 

Throughout most of November, Wagenius communicated with an email address he believed belonged to a foreign intelligence service in an attempt to sell stolen data, prosecutors allege. Soon after this communication stopped, he allegedly queried a search engine for “can hacking be treason.”

Wagenius conducted multiple online searches in October, indicating a desire to flee the United States and defect to Russia, according to court documents. Wagenius is also accused of searching for “where can I defect the U.S. government military which country will not hand me over.”

Authorities didn’t identify the nation in the court filing, but said Wagenius searched for information about defecting to the same country he attempted to sell stolen information to in November.

“While financially motivated cybercriminals have always been opportunistic and sought to evade capture, this case shows potential crossover into national security threats,” Austin Larsen, principal threat analyst at Google Threat Intelligence Group, said in an email. “The alleged attempt to sell data to a foreign intelligence service isn’t just about financial gain — it indicates a willingness to engage with state-level actors, blurring the lines with espionage.”

Wagenius’ alleged actions “reveals how financially motivated cybercrime can directly intersect with and undermine national security interests,” Larsen said.

Some of the records allegedly in Wagenius’ possession were stolen last year in an attack spree targeting as many as 165 organizations that stored data on Snowflake, according to cybercrime researchers. Wagenius’ alleged co-conspirators, Connor Moucka and John Binns, were indicted in November for allegedly extorting more than 10 organizations after breaking into cloud platforms used by AT&T and other major companies. 

AT&T in July confirmed cybercriminals accessed the company’s Snowflake environment in April and stole six months of phone and text records of “nearly all” of its customers.

“It was all part of the same criminal conspiracy, and they worked together to abuse data for commercial gain,” Nixon said.

“This case further underscores the need to recognize this online gang culture — ‘The Com’ — that’s springing up right under our noses. It’s not only an external security threat, but an insider threat,” she added. “This Army soldier effectively had gang affiliations, which is a huge risk for the special access he had.” 

Wagenius, who identified himself as kiberphant0m and cyb3rph4nt0m on online criminal forums, has conducted extensive malicious cyber activity for years, prosecutors allege in the court filing arguing for his continued detention. Wagenius “presents a serious risk of flight, has the means and intent to flee, and is aware that he will likely face additional charges,” prosecutors said in the filing.

Federal law enforcement seized Wagenius’ devices Dec. 4 and later found evidence indicating he had access to thousands of stolen identification documents and large amounts of cryptocurrency. Days later, Wagenius purchased a new laptop, against his commanding officer’s order, and used it every day over a five-day period in the barracks at Fort Cavazos in Texas with VPN software to hide his identity and location, according to court documents. 

“There has been a historical lack of deterrence against cybercrime, from a combination of low arrest rates and courts failing to take victims seriously. This is why they escalate,” Nixon said. “I don’t think cybercriminals understand the blowback that’s coming because of their escalation.”
