Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea.
Cameron John Wagenius was arrested near the Army base in Fort Hood, Texas on Dec. 20, after being indicted on two felony counts of illegal transfer of confidential phone records.
The sparse, two-page indictment (PDF) doesn’t reference specific victims or hacking activity, nor does it include any personal details about the accused. But a conversation with Wagenius’ mother — Minnesota native Alicia Roen — filled in the gaps.
Roen said that prior to her son’s arrest he’d acknowledged being associated with Connor Riley Moucka, a.k.a. “Judische,” a prolific cybercriminal from Canada who was arrested in late October for stealing data from and extorting dozens of companies that stored data on the cloud service Snowflake.
In an interview with KrebsOnSecurity, Judische said he had no interest in selling the data he’d stolen from Snowflake customers and telecom providers, and that he preferred to outsource that to Kiberphant0m and others. Meanwhile, Kiberphant0m claimed in posts on Telegram that he was responsible for hacking into at least 15 telecommunications firms, including AT&T and Verizon.
On November 26, KrebsOnSecurity published a story that followed a trail of clues left behind by Kiberphant0m indicating he was a U.S. Army soldier stationed in South Korea.
Ms. Roen said Cameron worked on radio signals and network communications at an Army base in South Korea for the past two years, returning to the United States periodically. She said Cameron was always good with computers, but that she had no idea he might have been involved in criminal hacking.
“I never was aware he was into hacking,” Roen said. “It was definitely a shock to me when we found this stuff out.”
Ms. Roen said Cameron joined the Army as soon as he was of age, following in his older brother’s footsteps.
“He and his brother when they were like 6 and 7 years old would ask for MREs from other countries,” she recalled, referring to military-issued “meals ready to eat” food rations. “They both always wanted to be in the Army. I’m not sure where things went wrong.”
Immediately after news broke of Moucka’s arrest, Kiberphant0m posted on the hacker community BreachForums what they claimed were the AT&T call logs for President-elect Donald J. Trump and for Vice President Kamala Harris.
“In the event you do not reach out to us @ATNT all presidential government call logs will be leaked,” Kiberphant0m threatened, signing their post with multiple “#FREEWAIFU” tags. “You don’t think we don’t have plans in the event of an arrest? Think again.”
On that same day, Kiberphant0m posted what they claimed was the “data schema” from the U.S. National Security Agency.
On Nov. 5, Kiberphant0m offered call logs stolen from Verizon’s push-to-talk (PTT) customers — primarily U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a “SIM-swapping” service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target’s phone calls and text messages to a device they control.
The profile photo on Wagenius’ Facebook page was deleted within hours of my Nov. 26 story identifying Kiberphant0m as a possible U.S. Army soldier. Still, many of his original profile photos remain, including several that show Wagenius in uniform while holding various Army-issued weapons.
November’s story on Kiberphant0m cited his own Telegram messages saying he maintained a large botnet that was used for distributed denial-of-service (DDoS) attacks to knock websites, users and networks offline. In 2023, Kiberphant0m offered remote access credentials for a major U.S. defense contractor.
Allison Nixon, chief research officer at the New York-based cybersecurity firm Unit 221B, helped track down Kiberphant0m’s real life identity. Nixon was among several security researchers who faced harassment and specific threats of violence from Judische and his associates.
“Anonymously extorting the President and VP as a member of the military is a bad idea, but it’s an even worse idea to harass people who specialize in de-anonymizing cybercriminals,” Nixon told KrebsOnSecurity. She said the investigation into Kiberphant0m shows that law enforcement is getting better and faster at going after cybercriminals — especially those who are actually living in the United States.
“Between when we, and an anonymous colleague, found his opsec mistake on November 10th to his last Telegram activity on December 6, law enforcement set the speed record for the fastest turnaround time for an American federal cyber case that I have witnessed in my career,” she said.
Nixon asked to share a message for all the other Kiberphant0ms out there who think they can’t be found and arrested.
“I know that young people involved in cybercrime will read these articles,” Nixon said. “You need to stop doing stupid shit and get a lawyer. Law enforcement wants to put all of you in prison for a long time.”
The indictment against Wagenius was filed in Texas, but the case has been transferred to the U.S. District Court for the Western District of Washington in Seattle.