
U.S. Army soldier arrested for extorting AT&T and Verizon over stolen data

31/12/2024 21:00:32
A U.S. soldier has been arrested for extorting AT&T and Verizon, following a data theft that yielded an enormous quantity of customers' personal information. After the arrest, the accused's mother provided details about the identity of the cybercriminal Kiberphant0m, who is accused of selling and distributing sensitive phone records stolen the previous year from AT&T and Verizon. Cameron John Wagenius, 20, was arrested on December 20, 2018 on two criminal counts concerning the unlawful exploitation of confidential phone record files. The accused's mother revealed that Wagenius was associated with Connor Riley Moucka, "Judische," a Canadian cybercriminal arrested the previous year for stealing data from and extorting several companies that store cloud data on Snowflake. Wagenius has been accused of making money from the stolen data. AT&T suffered a large data breach in which personal details were stolen for almost all of the company's customers at the time. The security failure also led to the loss of customers' phone numbers and records of who contacted whom, a minefield for privacy. The hackers also obtained cell site identification numbers for some calls and messages, which can reveal customer locations to within about 300 feet in certain areas. AT&T paid a ransom of 373,000 dollars in Bitcoin to have the data deleted. Verizon faced a similar demand concerning call records. Kiberphant0m offered phone records stolen from Verizon PTT (Push-to-Talk) customers, mainly U.S. government agencies and emergency responders. On November 9, Kiberphant0m posted a sales thread on BreachForums offering a "SIM-swapping" service for Verizon PTT.

In a "SIM-swap," fraudsters use credentials phished or stolen from telecommunications company employees to redirect a target's calls and messages to a device they control.

A U.S. Army soldier was arrested for allegedly extorting AT&T and Verizon, following data thefts in which an enormous quantity of customer data was obtained.

The 20-year-old was arrested near the Fort Hood military base in Texas, suspected of being the cybercriminal known as Kiberphant0m, and his mother's statements are unlikely to help...

The indictment does not refer to specific cases, but Krebs on Security links the arrest to the hacks at AT&T and Verizon, mainly on the basis of statements from the accused's mother.

Federal authorities have arrested and charged a 20-year-old U.S. soldier on suspicion of being Kiberphant0m, a cybercriminal who sold and distributed sensitive customer call records stolen last year from AT&T and Verizon [...]

Cameron John Wagenius, 20 years old, was arrested [...] on December 20th, after being charged with two criminal counts of unlawful transfer of confidential phone records.

The indictment (PDF), brief and only two pages long, does not mention specific victims or hacking activity, nor does it include personal details about the accused. But a conversation with Wagenius' mother, Minnesota native Alicia Roen, filled in the gaps.

Roen stated that before her son's arrest, he had acknowledged being associated with Connor Riley Moucka, known as "Judische," a prolific Canadian cybercriminal arrested last October for stealing data from and extorting dozens of companies that store data on the Snowflake cloud service.

The site's Brian Krebs had previously identified evidence from chat logs that Kiberphant0m was a U.S. soldier stationed in South Korea.

Moucka was arrested in November and indicted on 20 counts. The report suggests that Moucka was the main hacker, while Wagenius' primary role was to make money from the data.

Large Data Breach at AT&T

One of the ransom demands seems to be linked to a massive data theft at AT&T, where personal details were obtained for almost every customer the company had at the time.

A surprising security failure led not only to the theft of customers' phone numbers but also of records of who contacted whom, a minefield for privacy [...]

Worse yet, the hackers were also able to obtain cell site identification numbers for some calls and messages, which can reveal customer locations to within around 300 feet in certain areas.

It was later revealed that AT&T paid a ransom of 373,000 dollars in Bitcoin to have the data deleted.

The provider stated that the data was obtained from a third-party cloud platform, now believed to be Snowflake, from which data belonging to other companies was also taken. This includes the personal data of 560 million Ticketmaster customers.

Wired provided evidence that AT&T paid the hacker to delete the stolen data. The hacker originally demanded one million bitcoins, and the final payment amounted to 373,000 dollars.

Verizon Call Logs

The other demand appears to relate to Verizon's call logs.

On November 5th, Kiberphant0m offered call logs stolen from Verizon's push-to-talk (PTT) customers, mainly U.S. government agencies and emergency responders. On November 9th, Kiberphant0m posted a sales thread on BreachForums offering a "SIM-swapping" service aimed at Verizon PTT customers. In a "SIM-swap," fraudsters use credentials phished or stolen from telecommunications company employees to divert the target's calls and text messages to a device they control.

The case against Wagenius was transferred to the Western District of Washington in Seattle.

Photo by Levi Meir Clancy on Unsplash
