{
	"id": "89c7391e-a37c-47c4-b35e-46c842b2925a",
	"created_at": "2026-04-06T03:36:58.608262Z",
	"updated_at": "2026-04-10T03:21:32.974314Z",
	"deleted_at": null,
	"sha1_hash": "6a1e624eba3df4b836d5dd78249b03a72aca5be5",
	"title": "U.S. Soldier Charged in AT\u0026T Hack Searched “Can Hacking Be Treason”",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 969270,
	"plain_text": "U.S. Soldier Charged in AT\u0026T Hack Searched “Can Hacking Be\r\nTreason”\r\nPublished: 2025-02-27 · Archived: 2026-04-06 03:09:11 UTC\r\nA U.S. Army soldier who pleaded guilty last week to leaking phone records for high-ranking U.S. government\r\nofficials searched online for non-extradition countries and for an answer to the question “can hacking be treason?”\r\nprosecutors in the case said Wednesday. The government disclosed the details in a court motion to keep the\r\ndefendant in custody until he is discharged from the military.\r\nOne of several selfies on the Facebook page of Cameron Wagenius.\r\nCameron John Wagenius, 21, was arrested near the Army base in Fort Cavazos, Texas on Dec. 20, and charged\r\nwith two criminal counts of unlawful transfer of confidential phone records. Wagenius was a communications\r\nspecialist at a U.S. Army base in South Korea, who secretly went by the nickname Kiberphant0m and was part of\r\na trio of criminal hackers that extorted dozens of companies last year over stolen data.\r\nAt the end of 2023, malicious hackers learned that many companies had uploaded sensitive customer records to\r\naccounts at the cloud data storage service Snowflake that were protected with little more than a username and\r\npassword (no multi-factor authentication needed). After scouring darknet markets for stolen Snowflake account\r\ncredentials, the hackers began raiding the data storage repositories used by some of the world’s largest\r\ncorporations.\r\nAmong those was AT\u0026T, which disclosed in July that cybercriminals had stolen personal information and phone\r\nand text message records for roughly 110 million people — nearly all of its customers. AT\u0026T reportedly paid a\r\nhacker $370,000 to delete stolen phone records. 
More than 160 other Snowflake customers were relieved of data,\r\nincluding TicketMaster, Lending Tree, Advance Auto Parts and Neiman Marcus.\r\nIn several posts to an English-language cybercrime forum in November, Kiberphant0m leaked some of the phone\r\nrecords and threatened to leak them all unless paid a ransom. Prosecutors said that in addition to his public posts\r\non the forum, Wagenius had engaged in multiple direct attempts to extort “Victim-1,” which appears to be a\r\nreference to AT\u0026T. The government states that Kiberphant0m privately demanded $500,000 from Victim-1,\r\nthreatening to release all of the stolen phone records unless he was paid.\r\nOn Feb. 19, Wagenius pleaded guilty to two counts of unlawfully transferring confidential phone records, but he\r\ndid so without the benefit of a plea agreement. In entering the plea, Wagenius’s attorneys had asked the court to\r\nallow him to stay with his father pending his sentencing.\r\nBut in a response filed today (PDF), prosecutors in Seattle said Wagenius was a flight risk, partly because prior to\r\nhis arrest he was searching online for how to defect to countries that do not extradite to the United States.\r\nAccording to the government, while Kiberphant0m was extorting AT\u0026T, Wagenius’s searches included:\r\n-“where can i defect the u.s government military which country will not hand me over”\r\n-“U.S. military personnel defecting to Russia”\r\n-“Embassy of Russia – Washington, D.C.”\r\n“As discussed in the government’s sealed filing, the government has uncovered evidence suggesting that the\r\ncharged conduct was only a small part of Wagenius’ malicious activity,” the government memo states. “On top of\r\nthis, for more than two weeks in November 2024, Wagenius communicated with an email address he believed\r\nbelonged to Country-1’s military intelligence service in an attempt to sell stolen information. 
Days after he\r\napparently finished communicating with Country-1’s military intelligence service, Wagenius Googled, ‘can\r\nhacking be treason.'”\r\nProsecutors told the court investigators also found a screenshot on Wagenius’ laptop that suggested he had over\r\n17,000 files that included passports, driver’s licenses, and other identity cards belonging to victims of a breach,\r\nand that in one of his online accounts, the government also found a fake identification document that contained his\r\npicture.\r\n“Wagenius should also be detained because he presents a serious risk of flight, has the means and intent to flee,\r\nand is aware that he will likely face additional charges,” the Seattle prosecutors asserted.\r\nThe court filing says Wagenius is presently in the process of being separated from the Army, but the government\r\nhas not received confirmation that his discharge has been finalized.\r\n“The government’s understanding is that, until his discharge from the Army is finalized (which is expected to\r\nhappen in early March), he may only be released directly to the Army,” reads a footnote in the memo. “Until that\r\nprocess is completed, Wagenius’ proposed release to his father should be rejected for this additional reason.”\r\nWagenius’s interest in defecting to another country in order to escape prosecution mirrors that of his alleged co-conspirator, John Erin Binns, a 25-year-old elusive American man indicted by the Justice Department for a\r\n2021 breach at T-Mobile that exposed the personal information of at least 76.6 million customers.\r\nBinns has since been charged with the Snowflake hack and subsequent extortion activity. He is currently in\r\ncustody in a Turkish prison. 
Sources close to the investigation told KrebsOnSecurity that prior to his arrest by\r\nTurkish police, Binns visited the Russian embassy in Turkey to inquire about Russian citizenship.\r\nIn late November 2024, Canadian authorities arrested a third alleged member of the extortion conspiracy, 25-year-old Connor Riley Moucka of Kitchener, Ontario. The U.S. government has indicted Moucka and Binns, charging\r\nthem with one count of conspiracy; 10 counts of wire fraud; four counts of computer fraud and abuse; two counts\r\nof extortion in relation to computer fraud; and two counts of aggravated identity theft.\r\nLess than a month before Wagenius’s arrest, KrebsOnSecurity published a deep dive into Kiberphant0m’s various\r\nTelegram and Discord identities over the years, revealing how the owner of the accounts told others they were in\r\nthe Army and stationed in South Korea.\r\nThe maximum penalty Wagenius could face at sentencing includes up to ten years in prison for each count, and\r\nfines not to exceed $250,000.\r\nSource: https://krebsonsecurity.com/2025/02/u-s-soldier-charged-in-att-hack-searched-can-hacking-be-treason/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://krebsonsecurity.com/2025/02/u-s-soldier-charged-in-att-hack-searched-can-hacking-be-treason/"
	],
	"report_names": [
		"u-s-soldier-charged-in-att-hack-searched-can-hacking-be-treason"
	],
	"threat_actors": [],
	"ts_created_at": 1775446618,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a1e624eba3df4b836d5dd78249b03a72aca5be5.pdf",
		"text": "https://archive.orkl.eu/6a1e624eba3df4b836d5dd78249b03a72aca5be5.txt",
		"img": "https://archive.orkl.eu/6a1e624eba3df4b836d5dd78249b03a72aca5be5.jpg"
	}
}