An American soldier arrested for extortion linked to a data leak at AT&T and Verizon

A US soldier was arrested for suspicion of extorting money from AT&T and Verizon, following a data leak that saw a large number of client data obtained.

A 20-year-old was arrested near the Army Military Post at Fort Hood, Texas, on suspicion that he was the known cyber criminal Kiberphant0m – and his mother's statements will not be very useful...

The trial does not refer to specific cases, but Krebs on Security attributes the arrest to AT&T and Verizon break-ins, largely thanks to the mother of the accused.

Federal authorities have arrested and charged a 20-year-old US Army soldier with the accusation of Kiberphant0m, a computer criminal who had sold and disclosed sensitive voice recordings of stolen clients from AT&T and Verizon earlier this year.

Cameron John Wagenius, aged 20, was arrested […] on December 20 after being accused of two crimes relating to the illegal transfer of confidential telephone records.

The sparse indictment, two pages long (PDF), does not refer to specific victims or hacking activity, nor does it include any personal information about the accused. But a conversation with Wagenius' mother — Alicia Roen from Minnesota — completed the gaps.

Roen stated that before her son's arrest, she had recognized being associated with Connor Riley Moucka, nicknamed "Judische," a prolific Canadian cyber criminal who was arrested at the end of October for stealing data and extorting several dozen companies that stored their data on the Snowflake cloud service.

Brian Krebs' website had previously identified evidence in conversation logs suggesting that Kiberphant0m was an American soldier stationed in South Korea.

Moucka was arrested last November and charged with 20 crimes. The report indicates that Moucka was the main hacker, while Wagenius' primary role was to obtain money from data.

Massive AT&T Failure

One of the ransom threats seems linked to a major data breach at AT&T, in which personal details were obtained for almost all clients the provider had at that time.

An incredible security flaw led to the theft of data that includes not only customers' phone numbers, but also records of who contacted whom – a potentially dangerous field for privacy [...]

Worse still, cybercriminals have also succeeded in obtaining cell site identification numbers for some calls and text messages - which can provide customer locations with an accuracy of about 300 feet in certain areas.

We were later informed that AT&T paid a ransom to the hacker in exchange for the data they deleted. The hacker initially demanded 1 million dollars in Bitcoin, and the final amount paid was equivalent to 373,000 dollars.

Verizon Call Records

The other request seems to refer to Verizon call logs.

On November 5, Kiberphant0m offered stolen call recordings from Verizon Push-to-Talk (PTT) customers – mainly American government agencies and emergency responders. On November 9, Kiberphant0m posted a sale thread on BreachForums offering a "SIM change" service for Verizon PTT customers. In a SIM swap operation, fraudsters use stolen or pirated credentials from mobile company employees to divert calls and text messages from a target to a device they control.

The indictment against Wagenius was transferred to the Western District Court of Washouga in Seattle.

Photo by Levi Meir Clancy on Unsplas