A 21-year-old former U.S. Army soldier, Cameron John Wagenius, has pleaded guilty to charges of hacking and extorting at least ten telecommunications and technology companies, including AT&T and Verizon. The case, prosecuted by the U.S. Department of Justice, highlights the growing intersection of cybercrime and insider threats within critical infrastructure sectors.
Case Overview and Legal Consequences
Wagenius, stationed in Texas before his discharge, admitted to conspiracy to commit wire fraud, extortion related to computer fraud, and aggravated identity theft. He faces a maximum sentence of 27 years, including a mandatory consecutive 2-year term for identity theft. Sentencing is scheduled for October 6, 2025. The charges stem from a scheme in which Wagenius, operating under aliases like “kiberphant0m,” infiltrated corporate networks to steal sensitive customer data, including call logs of high-profile individuals such as former President Trump.
Technical Methods and Co-Conspirators
Wagenius employed tools like “SSH Brute” to conduct credential-stuffing attacks against Snowflake environments and other systems. He collaborated with Connor Moucka (arrested in Canada) and John Binns (arrested in Turkey) via Telegram, selling stolen data and orchestrating SIM-swapping attacks. The group leaked portions of the data on forums like BreachForums when extortion demands—reportedly up to $1 million—were unmet.
| Victim | Data Compromised | Impact |
|---|---|---|
| AT&T (Snowflake) | 6 months of call/text records | Nearly all customers affected |
| Verizon | Customer PII | Used for SIM-swapping |
Operational Security Failures and Investigation
Despite military orders to surrender his devices, Wagenius purchased a new laptop to continue his activities. Private cybersecurity firms Unit 221B and Flashpoint assisted in tracing his actions, including his attempts to defect to Russia and sell data to a foreign intelligence service. The FBI’s public announcement of the case drew mixed reactions, with some commentators speculating about political motivations.
Relevance to Security Professionals
The case underscores the need for robust monitoring of privileged access and third-party vendor risks, particularly in cloud environments like Snowflake. Key takeaways include:
- Monitor for anomalous SSH/RDP login attempts, especially from non-corporate IP ranges
- Implement strict device control policies for personnel with security clearances
- Review data retention policies for call detail records (CDRs) and other sensitive logs
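The first takeaway, sketched for SSH only as an added example that is not part of the original article: it scans OpenSSH-style auth log lines and flags non-corporate sources that try many usernames, or that succeed right after a burst of failures. The corporate ranges, thresholds, host name and log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions: constructed corporate ranges and hypothetical alert thresholds.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]
FAIL_THRESHOLD = 5  # failed logins from one source
USER_THRESHOLD = 3  # distinct usernames tried, suggesting a credential list

# OpenSSH messages: "Failed|Accepted password for [invalid user] NAME from IP port N".
# Assumes the log carries numeric source addresses, not resolved host names.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def find_anomalies(lines):
    """Map each non-corporate source IP that looks like credential guessing to a finding."""
    tried = defaultdict(list)  # source IP -> usernames from failed attempts, in order
    findings = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        result, user, ip = m.groups()
        if any(ipaddress.ip_address(ip) in net for net in CORPORATE_NETS):
            continue  # this sketch only looks at non-corporate sources
        if result == "Failed":
            tried[ip].append(user)
        elif len(tried[ip]) >= FAIL_THRESHOLD:
            # A success straight after a burst of failures is the case to triage first.
            findings[ip] = f"success_after_failures:{user}"
    for ip, users in tried.items():
        if ip not in findings and len(users) >= FAIL_THRESHOLD and len(set(users)) >= USER_THRESHOLD:
            findings[ip] = "credential_guessing"
    return findings

def _fails(ip, users):  # builds constructed sshd "Failed password" lines
    return [f"Jul 15 03:12:{i:02d} bastion sshd[411]: Failed password for {u} from {ip} port 40{i:03d} ssh2"
            for i, u in enumerate(users)]

# Constructed sample log (documentation address ranges, not real data).
SAMPLE_LOG = (
    _fails("203.0.113.7", ["root", "admin", "oracle", "deploy", "backup"])
    + ["Jul 15 03:13:01 bastion sshd[411]: Accepted password for deploy from 203.0.113.7 port 40100 ssh2"]
    + _fails("198.51.100.99", ["root", "root", "admin", "test", "guest"])
    + _fails("198.51.100.20", ["alice"])   # a single mistyped password: not flagged
    + _fails("10.1.2.3", ["svc"] * 8)      # inside a corporate range: skipped
)
```

Calling `find_anomalies(SAMPLE_LOG)` returns a finding for the two external sources only; in production the same logic would run over a time window rather than a whole file.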
Allison Nixon of Unit 221B described the prosecution as a “significant win against cybercrime,” emphasizing the deterrence value of holding insiders accountable.
Conclusion
This case illustrates the evolving threats posed by technically skilled insiders and the importance of cross-border collaboration in cybercrime investigations. The sentencing later this year will set a precedent for similar cases involving military personnel and critical infrastructure targeting.