A 21-year old former U.S. Army soldier pleaded guilty to charges of hacking and extorting at least ten telecommunications and technology companies in the country.
Cameron John Wagenius was arrested in Texas on December 20, 2024 and indicted in the Western District of Washington on two counts of unlawful transfer of confidential phone records.
In February 2025, the man pleaded guilty to hacking AT&T and Verizon, for which Connor Moucka and John Binnswere had been indicted in November 2024, linking their activities to the major Snowflake hacking incident.
According to the latest U.S. DoJ announcement, Wagenius was active in the underground cyberspace between 2023 and 2024 under the aliases ‘kiberphant0m’, ‘cyb3rph4nt0m’, and ‘buttholio’.
He conspired with others to steal login credentials, access sensitive IT systems, and demand ransom payments from breached telecommunication firms under the threat of leaking stolen data on cybercrime forums such as BreachForums and XSS.is.
“Between April 2023 and Dec. 18, 2024, Cameron John Wagenius, 21, used online accounts associated with the nickname “kiberphant0m” and conspired with others to defraud at least 10 victim organizations by obtaining login credentials for the organizations’ protected computer networks,” reads the U.S. DoJ announcement.
“The conspirators obtained these credentials using a hacking tool that they called SSH Brute, among other means.”
“They used Telegram group chats to transfer stolen credentials and discuss gaining unauthorized access to victim companies’ networks.”
Wagenius and his co-conspirators also engaged in SIM-swapping and announced stolen data sales on said forums, attempting extortion for up to $1 million.
It has been confirmed that the threat actors successfully sold some of this data to other cybercriminals or used it to perpetrate further fraud.
The authorities underline that Wagenius performed these activities while he was on active duty with the U.S. Army.
Wagenius was indicted on July 14th for wire fraud conspiracy, aggravated identity theft, and extortion in relation to computer fraud.
A message he left one of the victims threatened with leaking more than 358GB of data unless the organization contacted him to negotiate a ransom payment. In an email to another victim company, Wagenius asked for $500,000 in cryptocurrency.
A day after the indictment, Wagenius entered a plea agreement, admitting guilt on all three charges.
Based on these charges, the man faces a possible maximum sentence of up to 27 years in prison.
The punishment will be decided on October 6, and it may also include additional time for Wagenius’ previous guilty plea for two counts of unlawful transfer of confidential phone records information concerning the separate case.
While cloud attacks may be growing more sophisticated, attackers still succeed with surprisingly simple techniques.
Drawing from Wiz’s detections across thousands of organizations, this report reveals 8 key techniques used by cloud-fluent threat actors.
