Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.
United States authorities have charged Cameron John Wagenius, a 21-year-old U.S. Army soldier, for his involvement in a cybercrime spree targeting Snowflake and exfiltrating data from over 165 major companies. Known online as "Kiberphant0m" and "cyb3rph4nt0m," Wagenius has a history of malicious cyber activity while maintaining a security clearance. He is formally charged in U.S. district courts with unlawfully posting and transferring confidential phone records information, including those allegedly of high-ranking public officials.
Wagenius allegedly attempted to sell stolen data to a foreign intelligence service and extort victims, including AT&T.
In November 2024, while on active duty, Wagenius attempted to extort $500,000 from AT&T, threatening to leak phone records of high-ranking officials. AT&T confirmed in July that cybercriminals accessed their Snowflake environment in April, stealing six months of customer phone and text records.
Court filings state Wagenius is accused of attempting to sell stolen data to a foreign intelligence service—although the service is not named.
How to defect to Russia
However, forensic investigations of his personal devices and accounts turned up repeated use of VPNs, along with his search engine history. Court documents redact the country names, but Wagenius’s search engine queries give the public a strong indication of which foreign intelligence service was involved.
Search engine history revealed that Wagenius was researching information on defecting to Russia. He also searched for “Can hacking be treason?” and “How to defect to countries that do not extradite to the United States.”
Wagenius' alleged co-conspirators, Connor Moucka and John Binns, were indicted in November for allegedly extorting more than 10 organizations after breaking into cloud platforms used by AT&T and other major companies. Binns has also been charged with the 2021 T-Mobile breach that exposed the personal information of at least 76.6 million customers.
His boldness as a cybercriminal, despite being an active-duty Army soldier, was apparent throughout his activities. Court documents state Wagenius violated his commanding officer’s orders by purchasing a new laptop after a federal search warrant was executed at his barracks room and his electronic devices were seized. He further leveraged VPNs and other technologies to try to conceal his geographic location or identity.
Wagenius pleaded guilty to unlawfully transferring confidential phone records. The court deemed him a flight risk, citing his online searches for non-extradition countries and the Russian embassy.
The incident also raises concerns about the security of cloud data storage services and the importance of multi-factor authentication [9].
This case has several potential implications for national security and international relations.
Insider threats are some of the most challenging to detect and prevent. Financially motivated cybercrime can directly intersect with and undermine national security interests when individuals with access to highly sensitive data or in positions of trust become compromised.
Wagenius' alleged attempt to sell data to a foreign intelligence service suggests a willingness to engage with state-level actors, blurring the lines with espionage.
His online research into defecting to countries that do not extradite to the U.S. would raise enormous national security concerns if he had been successful. Attempting to flee the country and potentially seek refuge with a foreign government is déjà vu for those intimately familiar with Edward Snowden’s actions.
If Wagenius did attempt to sell stolen data to a foreign intelligence service, this could strain relations between the U.S. and the country involved. Despite current President Donald Trump's complicated relationship with Russian President Vladimir Putin, this would be the last thing Trump wants to deal with in his early second term.
What we’re reading across the wire about the latest cybersecurity hacks, breaches, industry news, and more.
New from our favorite blogs and journalists:
Buying a $250 Residency Card From a Tropical Island Let Me Bypass U.S. Crypto Laws (404 Media)
AT&T Hacker Tried to Sell Stolen Data to Foreign Government (404 Media)
Flock Threatens Open Source Developer Mapping Its Surveillance Cameras (404 Media)
DHS says CISA won’t stop looking at Russian cyber threats (CyberScoop)
Microsoft IDs developers behind alleged generative AI hacking-for-hire scheme (CyberScoop)
Lee Enterprises ransomware attack hits freelance and contractor payments (TechCrunch)
US said to halt offensive cyber operations against Russia (TechCrunch)
The biggest data breaches of 2025 — so far (TechCrunch)
Busted….
Krebs posted a blog post yesterday about a US Army soldier who worked alongside threat actors to steal customer call records from AT&T and Verizon.
I found a screenshot dating back to September 2nd, 2022 and I believe it is of Cameron John Wagenius aka Kiberphant0m.… x.com/i/web/status/1…
— vxdb (@vxdb)
6:14 PM • Dec 31, 2024
Until next time…
Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog