US Army soldier linked to Snowflake extortion rampage admits breaking the law

A US Army soldier suspected of hacking AT&T and Verizon has admitted leaking online people's private call records.

Cameron John Wagenius informed a federal court in Seattle, Wednesday, he intends to plead guilty [PDF] to two counts of unlawfully transferring confidential phone records, with no plea deal in sight. He was cuffed last month aged 20 after being indicted.

In December, US prosecutors had simply claimed [PDF] Wagenius on November 6 did "knowingly and intentionally sell and transfer, and attempt to sell and transfer, confidential phone records ... without prior authorization."

Here's where it gets interesting. Last month, prosecutors linked Wagenius with two others accused of stealing data from more than 150 Snowflake cloud accounts in April 2024, data that would be publicly leaked by the crew if a ransom wasn't paid. It is alleged Wagenius was recruited by the pair to help in that extortion.

Wagenius was believed to be using the underworld handle Kiberphant0m, who had bragged online of having compromised at least 15 telecommunications firms including AT&T and Verizon, and was even allegedly able to get their hands on Donald Trump and Kamala Harris's call logs.

When one of the other two suspected Snowflake extortionists was arrested, whoever was behind Kiberphant0m threatened on November 6 that they would release sensitive US government call logs unless AT&T – one of the Snowflake victims – got in touch. As part of that threat, Kiber released a sample of people's confidential logs.

You don’t think we don’t have plans in the event of an arrest? Think again

"In the event you do not reach out to us, [AT&T], all presidential government call logs will be leaked," Kiberphant0m said on a cyber-crime forum. "You don’t think we don’t have plans in the event of an arrest? Think again."

Thus, it appears prosecutors reckoned Wagenius was Kiberphant0m, who responded to an arrest in the Snowflake group by not only sharing some illegally obtained sensitive call records on the dark web but also threatened to leak the whole lot.

The two other Snowflake extortion suspects - Alexander "Connor" Moucka and John Binns - allegedly netted more than $2 million from AT&T, Ticketmaster, and other victims of the heist. Both were arrested — Moucka in Canada, Binns in Turkey — and are awaiting extradition.

"Both cases," the prosecution of Moucka and Binns, and Wagenius, "arise from the same computer intrusion and extortion and include some of the same stolen victim information," Uncle Sam's legal eagles claimed in a court filing [PDF] in January.

• US Army soldier who allegedly stole Trump's AT&T call logs arrested
• Here's what we know about the suspected Snowflake data extortionists
• Alleged Snowflake attacker gets busted by Canadians – politely, we assume
• Snowflake slams 'more MFA' button again – months after Ticketmaster, Santander breaches

Wagenius, who now faces up to 20 years in the clink and $500,000 in fines, was arrested near Fort Cavazos, Texas, home to multiple US Army divisions.

Moucka and Binns have been charged with 20 counts, including conspiracy, computer fraud and abuse, wire fraud, and aggravated identity theft. Court documents from November alleged the duo used custom software they had named Rapeflake to sift through compromised Snowflake accounts for valuable material to use in extortion attempts.

Neither the Army or Snowflake had any comment at the time of going to press. ®