Threat Intel Solutions

[Cloud Security](https://www.govinfosecurity.com/cloud-security-c-445) , [Cybercrime](https://www.govinfosecurity.com/cybercrime-c-416) , [Fraud Management -& Cybercrime](https://www.govinfosecurity.com/fraud-management-cybercrime-c-409)Arrest of US Army Soldier Tied to AT-&T and Verizon Extortion=============================================================Cameron Wagenius Suspected of Extorting Snowflake Customers Over Stolen Data [Mathew J. Schwartz](https://www.govinfosecurity.com/authors/mathew-j-schwartz-i-892) ([euroinfosec](https://www.twitter.com/euroinfosec)) • December 31, 2024 [](https://www.bankinfosecurity.com/arrest-us-army-soldier-tied-to-att-verizon-extortion-a-27192#disqus_thread) * * * * * [Credit Eligible](/premium/pricing ‘As a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking.’)* [](/premium/pricing ‘As a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking.’)* Get Permission*  Image: ShutterstockFederal authorities arrested a serving member of the U.S. military for a two-count indictment reportedly tied to the breach of Snowflake customer accounts and follow-on extortion.**See Also:** [2024 Threat Hunting Report: Insights to Outsmart Modern Adversaries](https://www.govinfosecurity.com/whitepapers/2024-threat-hunting-report-insights-to-outsmart-modern-adversaries-w-14396?rf=RAM_SeeAlso)Police detained Cameron John Wagenius, 20, on Dec. 20 near the U.S. Army’s military base Fort Cavazos, formerly known as Fort Hood, in Texas, as cybersecurity blogger Brian Krebs first [reported](https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizon-extortions/).A two-count [indictment](https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/wagenius-indictment-18dec2024.pdf) against Wagenius, filed under seal on Dec. 18 in Seattle federal court, charges him with ‘knowingly and intentionally’ selling and transferring ‘confidential phone records information,’ without first obtaining ‘prior authorization from the customer to whom such confidential phone records information related’ to do so, as well as ‘having reason to know such information was obtained fraudulently.’The court unsealed the indictment Monday.The indictment makes no mention of the cloud-based data warehousing platform Snowflake. Wagenius’ mother told Krebs that her son confirmed to her that he’d been associating with Connor Riley Moucka – aka ‘Judische,’ ‘Waifu’ – and that her son was stationed at a U.S. military base in South Korea for the past two years, making periodic visits back to the U.S.Federal prosecutors declined to comment about any alleged connection between Wagenius and the theft of data from customers of Bozeman, Minnesota-based Snowflake, including AT-&T and Verizon.A U.S. indictment unsealed last month [charges](/us-prosecutors-charge-hackers-in-snowflake-data-theft-a-26805) Moucka and American John Binns with stealing terabytes of data from cloud platform Snowflake in a major breach impacting over 165 organizations and involving roughly 50 billion call and text records, as well as extorting ‘at least 36 bitcoin’ – worth $3.4 million as of Tuesday – from victims.At least 10 organizations whose Snowflake data got swiped [received ransom demands](/victims-snowflake-data-breach-receive-ransom-demands-a-25576) ranging from $300,000 to $5 million in return for a promise to not leak stolen data, said incident response firm Mandiant, which Snowflake hired to probe the attacks for.At least one victim, AT-&T, paid the attackers a ransom worth $370,000 in return for a promise to delete stolen data pertaining to 110 million AT-&T cellphone plan customers, corroborated by a video showing the attacker doing so, reported Wired.Canadian police arrested Moucka last month. Turkish police arrested Binns in May on separate charges tied to a 2022 U.S. 12-count [indictment](https://www.courtlistener.com/docket/68158976/united-states-v-binns/) accusing him of [hacking](/t-mobile-attackers-stole-86-million-customers-details-a-17314) T-Mobile in 2021.The U.S. is seeking both suspects’ extradition.Snowflake attackers successfully accessed accounts for which customers hadn’t enabled multifactor authentication. The cloud provider subsequently implemented a range of security improvements, including mandatory multifactor for new accounts, giving administrators the ability to make MFA mandatory for all users, and regularly nudging for established accounts that hadn’t yet activated MFA (see: [*After Customers Get Breached, Snowflake Refines Security*](/after-customers-get-breached-snowflake-refines-security-a-25734)).Last month, Krebs [reported](https://krebsonsecurity.com/2024/11/hacker-in-snowflake-extortions-may-be-a-u-s-soldier/ ) that investigators believe Judische tasked someone going by the online handle ‘Kiberphant0m’ with selling data from Snowflake victims who refused to pay a ransom. Krebs cited security researchers’ evidence that Kiberphant0m appeared to be a U.S. soldier who’d been stationed in South Korea.Kiberphant0m has been a regular poster to the cybercriminal site Breach Forums. In January, he solicited for $3,000 the source code for an ‘advanced Linux botnet’ called Mushi that could be used to generate denial-of-service attacks. He offered to sell ‘big data belonging to the FBI’ in May and offered 900 gigabytes of data allegedly stolen from a Thai telecommunications firm in June. On Oct. 14, he offered for sale 328 gigabytes of data stolen from Verizon, including API access credentials, credentials for F5 networking gear, SIM keys and more. The selling price was $200,000. On Nov. 9, Kiberphant0m advertised ‘SIM swapping services’ targeting push-to-talk Verizon customers, ‘to those who have high valuable targets (pref crypto).’Following Moucka’s arrest, on Nov. 7 Kiberphant0m responded by threatening AT-&T, leaking to Breach Forums what they claimed were ‘call logs’ for both U.S. presidential contenders Kamala Harris and Donald Trump, and threatening to leak further such data unless AT-&T reached out via Telegram, in a post sporting multiple ‘#FREEWAIFU’ hashtags.’You don’t think we don’t have plans in the event of an arrest?’ Kiberphant0m posted. ‘Think again.’  #### [Mathew J. Schwartz](https://www.govinfosecurity.com/authors/mathew-j-schwartz-i-892)*Executive Editor, DataBreachToday -& Europe, ISMG* Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.[](https://twitter.com/euroinfosec) [](mailto:mschwartz@ismg.io)  ##### [OnDemand Webinar -| Protect Your Amazon S3 Data: Why Versioning, Replication, and AWS Backup are Not Enough](https://www.govinfosecurity.com/webinars/ondemand-webinar-protect-your-amazon-s3-data-versioning-replication-w-5820?rf=RAM_Resources) [whitepaper](https://www.govinfosecurity.com/whitepapers/safeguard-enhance-value-your-cloud-investment-w-14217?rf=RAM_Resources)##### [Safeguard and Enhance the Value of Your Cloud Investment](https://www.govinfosecurity.com/whitepapers/safeguard-enhance-value-your-cloud-investment-w-14217?rf=RAM_Resources) [whitepaper](https://www.govinfosecurity.com/whitepapers/2024-ciso-insights-navigating-cybersecurity-maelstrom-w-14214?rf=RAM_Resources)##### [2024 CISO Insights: Navigating the Cybersecurity Maelstrom](https://www.govinfosecurity.com/whitepapers/2024-ciso-insights-navigating-cybersecurity-maelstrom-w-14214?rf=RAM_Resources) [whitepaper](https://www.govinfosecurity.com/whitepapers/on-thin-ices-augmenting-microsoft-365-integrated-cloud-email-w-14219?rf=RAM_Resources)##### [On Thin ICES: Augmenting Microsoft 365 with Integrated Cloud and Email Security](https://www.govinfosecurity.com/whitepapers/on-thin-ices-augmenting-microsoft-365-integrated-cloud-email-w-14219?rf=RAM_Resources) [whitepaper](https://www.govinfosecurity.com/whitepapers/2024-threat-landscape-data-loss-people-problem-w-14212?rf=RAM_Resources)##### [2024 Threat Landscape: Data Loss is a People Problem](https://www.govinfosecurity.com/whitepapers/2024-threat-landscape-data-loss-people-problem-w-14212?rf=RAM_Resources) [Training -& Security Leadership](https://www.govinfosecurity.com/training-security-leadership-c-488)##### [CyberEdBoard Profiles in Leadership: Kevin Li](https://www.govinfosecurity.com/cyberedboard-profiles-in-leadership-kevin-li-a-26936) [Encryption -& Key Management](https://www.govinfosecurity.com/encryption-key-management-c-209)##### [Patched BitLocker Flaw Still Susceptible to Hack](https://www.govinfosecurity.com/patched-bitlocker-flaw-still-susceptible-to-hack-a-27195) [Cloud Security](https://www.govinfosecurity.com/cloud-security-c-445)##### [Arrest of US Army Soldier Tied to AT-&T and Verizon Extortion](https://www.govinfosecurity.com/arrest-us-army-soldier-tied-to-att-verizon-extortion-a-27192) [Artificial Intelligence -& Machine Learning](https://www.govinfosecurity.com/artificial-intelligence-machine-learning-c-469)##### [Safety Concerns, Pushback Against OpenAI’s For-Profit Plan](https://www.govinfosecurity.com/safety-concerns-pushback-against-openais-for-profit-plan-a-27193) [Identity -& Access Management](https://www.govinfosecurity.com/identity-access-management-c-446)##### [The Evolution of Identity Defense: Saviynt’s Vision for 2025](https://www.govinfosecurity.com/evolution-identity-defense-saviynts-vision-for-2025-a-27171)[Overview](https://www.govinfosecurity.com/webinars/risk-management-framework-learn-from-nist-w-255) * Twitter* Facebook* LinkedIn* * * From heightened risks to increased regulations, senior leaders at all levels are pressured to improve their organizations’ risk management capabilities. But no one is showing them how – until now.Learn the fundamentals of developing a risk management program from the man who wrote the book on the topic: Ron Ross, computer scientist for the National Institute of Standards and Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37 – the bible of risk assessment and management – will share his unique insights on how to:* Understand the current cyber threats to all public and private sector organizations;* Develop a multi-tiered risk management approach built upon governance, processes and information systems;* Implement NIST’s risk management framework, from defining risks to selecting, implementing and monitoring information security controls.Presented By———— [Presented By](/authors/ron-ross-i-558)—————————————#### [Ron Ross](/authors/ron-ross-i-558)*Sr. Computer Scientist -& Information Security Researcher, National Institute of Standards and Technology (NIST)*

Related Tags:
NAICS: 52 – Finance And Insurance

NAICS: 518 – Computing Infrastructure Providers

Data Processing

Web Hosting

Related Services

NAICS: 92 – Public Administration

NAICS: 522 – Credit Intermediation And Related Activities

NAICS: 51 – Information

NAICS: 928 – National Security And International Affairs

Blog: GovInfoSecurity

Associated Indicators: