US Army soldier who allegedly stole Trump’s AT&T call logs arrested

Brings the arrest count related to the Snowflake hacks to 3

[Jessica Lyons](/Author/Jessica-Lyons) Wed 1 Jan 2025 // 08:32 UTC

A US Army soldier has been arrested in Texas after being indicted on two counts of unlawful transfer of confidential phone records information.

While the indictment [[PDF](https://regmedia.co.uk/2024/12/31/cameron_john_wagenius_indictment.pdf)] doesn’t specify any hacking activity or victims’ names, Cameron John Wagenius, 20, is suspected of being a cybercriminal known as Kiberphant0m, who claimed to have breached at least 15 telecommunications firms including AT&T and Verizon, according to KrebsOnSecurity.

Wagenius is allegedly an associate of [Connor Riley Moucka](https://www.theregister.com/2024/11/11/infosec_in_brief/), one of the men accused of compromising multiple organizations’ Snowflake-hosted environments, stealing sensitive customer data housed in the cloud storage service, and then extorting victims for millions of dollars.

Infosec journalist Brian Krebs spoke with Wagenius’ mother, Alicia Roen, who said her son worked on radio signals and network communications at an Army base in South Korea.

‘I never was aware he was into hacking,’ Roen [said](https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizon-extortions/). ‘It was definitely a shock to me when we found this stuff out.’

On November 6, shortly after Moucka’s arrest, Kiberphant0m [bragged](https://x.com/elizzeserna/status/1854163024308994216) on BreachForums about stealing AT&T call logs for President-elect Donald Trump and for Vice President Kamala Harris. The crook threatened to leak all of the call logs unless AT&T contacted either Kiberphant0m or Reddinton, and signed the post ‘#FREEWAIFU.’

The identity of Reddinton remains unknown.

According to the court documents, on or about November 6, Wagenius did ‘knowingly and intentionally sell and transfer, and attempt to sell and transfer, confidential phone records information of a covered entity, without prior authorization from the customer to whom such confidential phone records information was obtained fraudulently.’

Wagenius appeared in a Texas court on December 20, and federal prosecutors requested his extradition to Washington state, TheDesk [reported](https://thedesk.net/2024/12/cameron-wagenius-kiberphant0m-arrested-indicted/).

* [Here’s what we know about the suspected Snowflake data extortionists](https://www.theregister.com/2024/11/12/snowflake_hackers_indictment/)
* [Alleged Snowflake attacker gets busted by Canadians — politely, we assume](https://www.theregister.com/2024/11/11/infosec_in_brief/)
* [Snowflake slams ‘more MFA’ button again — months after Ticketmaster, Santander breaches](https://www.theregister.com/2024/09/16/snowflake_mfa_default/)
* [Suspected LockBit dev, facing US extradition, ‘did it for the money’](https://www.theregister.com/2024/12/23/lockbit_ransomware_dev_extradition/)

Wagenius’ indictment and subsequent arrest bring the number of suspects in the Snowflake data storage hacks to three. In addition to Wagenius and Moucka, who lives and was arrested in Canada, John Erin Binns, an American living in Turkey, was arrested earlier this year and is being held in a Turkish prison.

The Feds [unsealed](https://www.theregister.com/2024/11/12/snowflake_hackers_indictment/) an indictment against Moucka and Binns in November. Both men face 20 counts of conspiracy, computer fraud and abuse, wire fraud, and aggravated identity theft after allegedly breaking into at least 10 organizations’ online environments and accessing ‘billions of sensitive customer records.’

Federal prosecutors allege the duo also demanded ransom payments from the victims before ultimately selling the stolen data.

Previous reports indicated digital intruders compromised at least [165 Snowflake customers](https://www.theregister.com/2024/06/11/crims_targeting_snowflake_customers/), including [AT&T](https://www.theregister.com/2024/07/12/att_110_million_call_text_logs/), Santander Bank, [Ticketmaster](https://www.theregister.com/2024/05/29/breachforums_ticketmaster_data/), and [Advance Auto Parts](https://www.theregister.com/2024/06/24/snowflake_breach_accelerating_into_snowball/).

The criminals may have ties to [Scattered Spider](https://www.theregister.com/2023/09/15/scattered_spider_snares_100_victims/), which Google tracks as [UNC3944](https://www.theregister.com/2024/05/23/mandiant_cto_scattered_spider/). Scattered Spider is also believed to be behind the 2023 [Las Vegas casino](https://www.theregister.com/2023/12/28/casino_ransomware_attacks/) digital heists.

Related Tags:
Octo Tempest

NAICS: 921 – Executive, Legislative, Other General Government Support

NAICS: 517 – Telecommunications

NAICS: 518 – Computing Infrastructure Providers, Data Processing, Web Hosting, Related Services

NAICS: 92 – Public Administration

NAICS: 922 – Justice, Public Order, Safety Activities

NAICS: 51 – Information

Roasted 0ktapus

Scattered Spider

Associated Indicators: