
US Army soldier arrested over data breach extortion of AT&T and Verizon

A US Army soldier has been arrested on suspicion of extorting money from AT&T and Verizon, following data breaches which saw a massive amount of customer data obtained.

The 20-year-old was arrested near the Army base in Fort Hood, Texas, on suspicion of being the cybercriminal known as Kiberphant0m – and statements by his mother aren’t likely to help …

The indictment doesn’t reference specific cases, but Krebs on Security ties the arrest to AT&T and Verizon hacks, in large part thanks to statements by the accused’s mother.

Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon […]

Cameron John Wagenius, 20, was arrested […] on Dec. 20, after being indicted on two criminal counts of unlawful transfer of confidential phone records.

The sparse, two-page indictment (PDF) doesn’t reference specific victims or hacking activity, nor does it include any personal details about the accused. But a conversation with Wagenius’ mother — Minnesota native Alicia Roen — filled in the gaps.

Roen said that prior to her son’s arrest he’d acknowledged being associated with Connor Riley Moucka, a.k.a. “Judische,” a prolific cybercriminal from Canada who was arrested in late October for stealing data from and extorting dozens of companies that stored data at the cloud service Snowflake.

The site’s Brian Krebs had previously identified evidence from chat logs that Kiberphant0m was a US soldier stationed in South Korea.

Moucka was arrested back in November, and has been indicted on 20 counts. The report suggests that Moucka was the primary hacker, while the main role of Wagenius was to obtain money from the data.

Massive AT&T data breach

One of the ransom demands appears to relate to a massive data breach at AT&T, in which personal details were obtained for almost every customer the carrier had at the time.

In an incredible security fail, the stolen data includes not only customer phone numbers, but also records of who contacted whom – a potential privacy minefield […]

To make matters worse, hackers were also able to obtain cell site identification numbers for some of the calls and texts – which can provide locations of customers to an accuracy of around 300 feet in some areas.

It was later reported that AT&T paid a ransom of $373k in Bitcoin in return for the deletion of the data.

The carrier said the data was obtained from a third-party cloud platform, and this is now believed to be Snowflake, where data from other companies was also obtained, including the personal data of 560M Ticketmaster customers.

Wired provides evidence that AT&T paid a ransom to the hacker in return for them deleting the data. The hacker originally demanded $1M in Bitcoin, and the amount finally paid was the equivalent of $373k.

Verizon call logs

The other demand appears to relate to Verizon call logs.

On Nov. 5, Kiberphant0m offered call logs stolen from Verizon’s push-to-talk (PTT) customers — mainly U.S. government agencies and emergency first responders. On Nov. 9, Kiberphant0m posted a sales thread on BreachForums offering a “SIM-swapping” service targeting Verizon PTT customers. In a SIM-swap, fraudsters use credentials that are phished or stolen from mobile phone company employees to divert a target’s phone calls and text messages to a device they control.

The indictment against Wagenius has been transferred to the Western District of Washington in Seattle.


Author: Ben Lovejoy
