{"id":1087,"date":"2025-01-01T03:13:48","date_gmt":"2025-01-01T03:13:48","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/01\/01\/u-s-army-soldier-arrested-in-att-verizon-extortions\/"},"modified":"2025-01-01T03:13:48","modified_gmt":"2025-01-01T03:13:48","slug":"u-s-army-soldier-arrested-in-att-verizon-extortions","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/01\/01\/u-s-army-soldier-arrested-in-att-verizon-extortions\/","title":{"rendered":"U.S. Army Soldier Arrested in AT&T, Verizon Extortions"},"content":{"rendered":"\n
U.S. Army Soldier Arrested in AT&T, Verizon Extortions<\/div>\n

\t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m<\/strong>, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T<\/strong> and Verizon<\/strong>. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea.<\/p>\n

\n\"\"<\/p>\n

One of several selfies on the Facebook page of Cameron Wagenius.<\/p>\n<\/div>\n

Cameron John Wagenius<\/strong>\u00a0was arrested near the Army base in Fort Hood, Texas on Dec. 20, after being indicted on two criminal counts of unlawful transfer of confidential phone records.<\/p>\n

The sparse, two-page indictment<\/a> (PDF) doesn\u2019t reference specific victims or hacking activity, nor does it include any personal details about the accused. But a conversation with Wagenius\u2019 mother \u2014 Minnesota native Alicia Roen <\/strong>\u2014\u00a0filled in the gaps.<\/p>\n

Roen said that prior to her son\u2019s arrest he\u2019d acknowledged being associated with Connor Riley Moucka<\/strong>, a.k.a. \u201cJudische<\/strong>,\u201d a prolific cybercriminal from Canada who was arrested in late October<\/a> for stealing data from and extorting dozens of companies that stored data at the cloud service Snowflake<\/strong>.<\/p>\n

In an interview with KrebsOnSecurity, Judische said he had no interest in selling the data he\u2019d stolen from Snowflake customers and telecom providers, and that he preferred to outsource that to Kiberphant0m and others. Meanwhile, Kiberphant0m claimed in posts on Telegram that he was responsible for hacking into at least 15 telecommunications firms, including AT&T and Verizon.<\/p>\n

On November 26, KrebsOnSecurity published a story<\/a> that followed a trail of clues left behind by Kiberphantom indicating he was a U.S. Army soldier stationed in South Korea.<\/p>\n

Ms. Roen said Cameron worked on radio signals and network communications at an Army base in South Korea for the past two years, returning to the United States periodically. She said Cameron was always good with computers, but that she had no idea he might have been involved in criminal hacking.<\/p>\n

\u201cI never was aware he was into hacking,\u201d Roen said. \u201cIt was definitely a shock to me when we found this stuff out.\u201d<\/p>\n

Ms. Roen said Cameron joined the Army as soon as he was of age, following in his older brother\u2019s footsteps.<\/p>\n

\u201cHe and his brother when they were like 6 and 7 years old would ask for MREs from other countries,\u201d she recalled, referring to military-issued \u201cmeals ready to eat\u201d food rations. \u201cThey both always wanted to be in the Army. I\u2019m not sure where things went wrong.\u201d<\/span><\/p>\n

Immediately after news broke of Moucka\u2019s arrest, Kiberphant0m posted on the hacker community BreachForums<\/strong>\u00a0what they claimed were the AT&T call logs for\u00a0President-elect<\/strong>\u00a0Donald J. Trump<\/strong>\u00a0and for\u00a0Vice President Kamala Harris<\/strong>.<\/p>\n

\u201cIn the event you do not reach out to us @ATNT all presidential government call logs will be leaked,\u201d Kiberphant0m threatened, signing their post with multiple \u201c#FREEWAIFU\u201d tags. \u201cYou don\u2019t think we don\u2019t have plans in the event of an arrest? Think again.\u201d<\/p>\n

\n\"\"<\/p>\n

Kiberphant0m posting what he claimed was a \u201cdata schema\u201d stolen from the NSA via AT&T.<\/p>\n<\/div>\n

On that same day, Kiberphant0m posted what they claimed was the \u201cdata schema\u201d from the U.S. National Security Agency<\/strong>.<\/p>\n

On Nov. 5, Kiberphant0m offered call logs stolen from Verizon\u2019s push-to-talk (PTT) customers \u2014 mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a \u201cSIM-swapping\u201d service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target\u2019s phone calls and text messages to a device they control.<\/p>\n

The profile photo on Wagenius\u2019 Facebook page was deleted within hours of my Nov. 26 story identifying Kiberphant0m as a likely U.S. Army soldier. Still, many of his original profile photos remain, including several that show Wagenius in uniform while holding various Army-issued weapons.<\/p>\n

\n\"\"<\/p>\n

Several profile photos visible on the Facebook page of Cameron Wagenius.<\/p>\n<\/div>\n

November\u2019s story on Kiberphant0m cited his own Telegram messages saying he maintained a large botnet that was used for distributed denial-of-service (DDoS) attacks to knock websites, users and networks offline. In 2023, Kiberphant0m sold remote access credentials for a major U.S. defense contractor.<\/p>\n

Allison Nixon,<\/strong>\u00a0chief research officer at the New York-based cybersecurity firm Unit 221B<\/a>, helped track down Kiberphant0m\u2019s real life identity. Nixon was among several security researchers who faced harassment and specific threats of violence from Judische and his associates.<\/p>\n

\u201cAnonymously extorting the President and VP as a member of the military is a bad idea, but it\u2019s an even worse idea to harass people who specialize in de-anonymizing cybercriminals,\u201d Nixon told KrebsOnSecurity. She said\u00a0the investigation into Kiberphant0m shows that law enforcement is getting better and faster at going after cybercriminals \u2014 especially those who are actually living in the United States.<\/p>\n

\u201cBetween when we, and an anonymous colleague, found his opsec mistake on November 10th to his last Telegram activity on December 6, law enforcement set the speed record for the fastest turnaround time for an American federal cyber case that I have witnessed in my career,\u201d she said.<\/p>\n

Nixon asked to share a message for all the other Kiberphant0ms out there who think they can\u2019t be found and arrested.<\/p>\n

\u201cI know that young people involved in cybercrime will read these articles,\u201d Nixon said. \u201cYou need to stop doing stupid shit and get a lawyer. Law enforcement wants to put all of you in prison for a long time.\u201d<\/p>\n

The indictment against Wagenius was filed in Texas, but the case has been transferred to the U.S. District Court for the Western District of Washington in Seattle.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n BrianKrebs
\n \t

\n
<\/BR>
\nGo to krebsonsecurity<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

U.S. Army Soldier Arrested in AT&T, Verizon Extortions Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,481,482,235,238,239,55,190,483],"tags":[72],"class_list":["post-1087","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-allison-nixon","category-cameron-john-wagenius","category-connor-riley-moucka","category-judische","category-kiberphant0m","category-krebsonsecurity","category-neer-do-well-news","category-unit-221b","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1087"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=1087"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/1087\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=1087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=1087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=1087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}