Former Army soldier pleads guilty to widespread attack spree linked to AT&T, Snowflake and others
A 21-year-old former Army soldier pleaded guilty Tuesday to charges stemming from a series of attacks and extortion attempts last year on telecommunications companies, including AT&T.
Cameron John Wagenius, who identified himself as “kiberphant0m” and “cyb3rph4nt0m” on online criminal forums, conducted extensive malicious activity for years, including while he was on active duty, the Justice Department said.
Wagenius pleaded guilty to conspiring to commit wire fraud, extortion in relation to computer fraud and aggravated identity theft. He faces a maximum of 27 years in prison for the charges and is scheduled for sentencing on Oct. 6. Wagenius previously pleaded guilty to two counts of unlawful transfer of confidential phone records information in connection with this conspiracy, the Justice Department said.
“This is one of the most significant wins in the fight against cybercrime,” Allison Nixon, chief research officer at Unit 221B, told CyberScoop. “The cybersecurity workers helping the victims through a storm, federal law enforcement with the fastest federal arrest I have ever witnessed, and the prosecutors now destroying them in court — all brought their A game and they deserve to celebrate tonight.”
Details prosecutors shared about Wagenius as part of their ongoing investigation underscore the bold actions cybercriminals take to extort multiple victims at scale and evade capture. Prior to his arrest in December, Wagenius attempted to sell stolen information to a foreign intelligence service as part of a broader attempt to defect to Russia or another country that he believed would allow him to avoid arrest.
Officials said Wagenius and co-conspirators attempted to defraud at least 10 victim organizations by obtaining login credentials for the organizations’ networks. In November, Wagenius made multiple attempts to extort $500,000 from a major telecommunications company while threatening to leak call records of high-ranking public officials, according to court documents filed in February.
“[Wagenius’] greatest significance is in how absolutely destroyed he’s getting,” Nixon said, adding that he was part of a gang that made threats against Nixon and Unit221B, which specializes in breaking the anonymity of English-speaking cybercriminals.
“He was in the Army, living on base in Texas, when he leaked the hacked call records of President Trump and his family in a failed bid to extort AT&T,” Nixon said. “He pled guilty without even a plea bargain, and the government might still file additional charges. Amazing.”
Authorities did not name Wagenius’ alleged victims in court filings. AT&T in July confirmed cybercriminals accessed the company’s Snowflake environment in April and stole six months of phone and text records of “nearly all” of its customers.
Wagenius’ alleged co-conspirators, Connor Moucka and John Binns, were indicted in November for allegedly extorting more than 10 organizations after breaking into cloud platforms used by AT&T and other major companies. Moucka, a Canadian citizen, consented to extradition to the United States in March to face 20 federal charges stemming from his alleged involvement in a series of attacks targeting as many as 165 Snowflake customers, one of the most widespread and damaging attack sprees on record.
Some of the records allegedly in Wagenius’ possession were stolen in the attack spree on Snowflake customer databases, according to cybercrime researchers. Federal law enforcement also found evidence on seized Wagenius’ devices indicating he had access to thousands of stolen identification documents and large amounts of cryptocurrency.
Justice Department officials said Wagnius and his co-conspirators attempted to extort at least $1 million from victim data owners. “They successfully sold at least some of this stolen data and also used stolen data to perpetuate other frauds, including SIM-swapping,” officials said in a news release.
“Cybercriminals are shockingly slow to update their threat model, and still operate on the assumption that they won’t be jailed and will get a job in the industry afterwards,” Nixon said. “As multi-decade sentences pile up, reality will set in: Brazen cybercriminals are much more likely to die in prison than they used to, and anonymity isn’t real.”
