Feds: Army soldier suspected of AT&T heist Googled ‘can hacking be treason,’ ‘defecting to Russia’

FYI: What NOT to search after committing a crime


The US Army soldier suspected of compromising AT&T and bragging about getting his hands on President Trump's call logs allegedly tried to sell stolen information to a foreign intel agent.

The military man even Google searched for "can hacking be treason," and "US military personnel defecting to Russia," according to prosecutors who argue he poses a serious flight risk and should be detained.

Cameron John Wagenius, 21, was arrested in Texas in December, and last week told a federal court judge he intends to plead guilty to unlawfully posting and transferring confidential phone records. 

Prosecutors have also linked Wagenius to two other men accused of stealing data from more than 150 Snowflake cloud accounts in April 2024, and then demanding payment to keep a lid on that info.

After admitting his crimes in court, and showing a willingness to enter a guilty plea, "Wagenius should be detained as both a danger to the community — given his ability to access sensitive datasets — and a serious risk of flight," Uncle Sam's attorneys argued.

In federal court documents [PDF] filed Wednesday in Seattle, Washington, the US Department of Justice revealed fresh allegations of Wagenius' wider extortion and computer intrusion capers, and what could be some very ill-advised Google search terms.

"While engaged in these criminal activities, Wagenius conducted online searches about how to defect to countries that do not extradite to the United States and that he previously attempted to sell hacked information to at least one foreign intelligence service," the documents allege. 

Wagenius, we're told, while on active military duty and using the online monikers kiberphant0m and cyb3rph4nt0m, bragged about infiltrating 15 telecommunications providers, and then posted on a dark-web forum call records belonging to high-ranking public officials and their family members. While neither the public officials nor the breached firms are named in the court documents, they reportedly included AT&T, Verizon, Donald Trump, and Kamala Harris. 

After stealing digital data from one organization, Wagenius then tried "multiple" times to extort this "Victim-1," believed to be AT&T, and threatened the American telco with messages, it is alleged, like this one detailed in the court filing:

Let's start off, a little thing you should know about me. I get what I want and when I don't get what I want in my own timeframes that I set I will do what I say. I don't care if I don't receive the money involved in the extortions. I already made your samples and data on [REDACTED] available to everybody on breachforums. I will leak much much much more, literally all of it.

Around the same time in November 2024, Wagenius allegedly communicated with an email address that he believed belonged to another nation's military intelligence service and tried to sell it stolen information. The court documents don't specify which country, but judging from Wagenius' alleged search history it would appear to be Russia.

Before and after allegedly breaking into phone companies' networks, stealing people's call data, and trying to extort organizations for cash, Wagenius also conducted several searches related to fleeing the US, the Feds claim. A "subset" of these searches occurring over "multiple weeks," according to prosecutors, including:

The g-men also said they found additional evidence on Wagenius' devices, including thousands of stolen ID documents such as passports and drivers' licenses, at least one fake ID he created for himself, and large sums of cryptocurrency, indicating his intent to flee.

Plus, in October 2024, it's said he messaged a potential co-conspirator with the following: "What's funny is that if I ever get found out, I can't get instantly arrested because of military law, which gives me time to go AWOL."

It's unclear who this potential co-conspirator is, but Wagenius has been connected to two other Snowflake extortion suspects - Alexander "Connor" Moucka and John Binns, who allegedly netted at least $2 million from AT&T, Ticketmaster, and other victims of the heist. 

Moucka was arrested in Canada, and Binns in Turkey. Both are awaiting extradition. ®
