US Army soldier who allegedly stole Trump's AT&T call logs arrested

Brings the arrest count related to the Snowflake hacks to 3
A US Army soldier has been arrested in Texas after being indicted on two counts of unlawful transfer of confidential phone records information. 

While the indictment [PDF] doesn't specify any hacking activity or victims' names, Cameron John Wagenius, 20, is suspected of being a cybercriminal known as Kiberphant0m, who claimed to have breached at least 15 telecommunications firms including AT&T and Verizon, according to KrebsOnSecurity.

Wagenius is allegedly an associate of Connor Riley Moucka, one of the men accused of compromising multiple organizations' Snowflake-hosted environments, stealing sensitive customer data held in the cloud data platform, and then extorting victims for millions of dollars.

Infosec journalist Brian Krebs spoke with Wagenius' mother, Alicia Roen, who said her son worked on radio signals and network communications at an Army base in South Korea.

"I never was aware he was into hacking," Roen said. "It was definitely a shock to me when we found this stuff out."

On November 6, shortly after Moucka's arrest, Kiberphant0m bragged on BreachForums about stealing AT&T call logs for President-elect Donald Trump and for Vice President Kamala Harris. The crook threatened to leak all of the call logs unless AT&T contacted either Kiberphant0m or Reddinton, and signed the post "#FREEWAIFU."

The identity of Reddinton remains unknown.

According to the court documents, on or about November 6, Wagenius did "knowingly and intentionally sell and transfer, and attempt to sell and transfer, confidential phone records information of a covered entity, without prior authorization from the customer to whom such confidential phone records information was obtained fraudulently."

Wagenius appeared in a Texas court on December 20, and federal prosecutors requested his extradition to Washington state, TheDesk reported.

Wagenius' indictment and subsequent arrest bring the number of suspects in the Snowflake data storage hacks to three. In addition to Wagenius and Moucka, who lives and was arrested in Canada, John Erin Binns, an American living in Turkey, was arrested earlier this year and is being held in a Turkish prison.

The Feds unsealed an indictment against Moucka and Binns in November. Both men face 20 counts of conspiracy, computer fraud and abuse, wire fraud, and aggravated identity theft after allegedly breaking into at least 10 organizations' online environments and accessing "billions of sensitive customer records."

Federal prosecutors allege the duo also demanded ransom payments from the victims before ultimately selling the stolen data.

Previous reports indicated digital intruders compromised at least 165 Snowflake customers, including AT&T, Santander Bank, Ticketmaster, and Advance Auto Parts.

The criminals may have ties to Scattered Spider, which Google tracks as UNC3944. Scattered Spider is also believed to be behind the 2023 Las Vegas casino digital heists. ®
