21-year-old former US soldier pleads guilty to hacking, extorting telecoms

A former soldier in the U.S. Army pleaded guilty on Tuesday to charges that he stole data from multiple telecommunications giants and either sold it online or sought ransoms for it.

Cameron John Wagenius is now facing a maximum sentence of 27 years in prison after pleading guilty in a Seattle federal court to wire fraud, extortion and aggravated identity theft. In March, Wagenius pleaded guilty to two separate but related charges centered around posting confidential phone records to an online forum and sending the records through a platform. 

Prosecutors said Wagenius, 21, attempted to extort multiple U.S.-based telecommunications companies after obtaining login credentials and breaching their systems. Wagenius and several others sought at least $1 million in ransoms for the stolen data.

Wagenius was an active duty soldier and stationed in South Korea and at Fort Cavazos in Texas when he conducted the hacks between April 2023 and Dec. 18, 2024. He worked with two other hackers and allegedly stole thousands of sensitive call records, according to court documents.

The DOJ thanked private companies Flashpoint and Unit 221B for their assistance with the investigation. While the indictments do not mention Wagenius’ victims by name, Unit 221B’s chief research officer Allison Nixon said on social media that the conviction was the first of the “Snowflake hacker gang” — referencing a spate of attacks last year targeting more than 100 customers of data storage giant Snowflake.

“The Army member, ‘Cameron Wagenius,’ leaked Trump call logs from AT&T and faces 27 years. He was easy to find,” Nixon said. 

AT&T suffered a breach last year where metadata from nearly all call logs and texts made by the company’s customers over a six-month period in 2022 was stolen through Snowflake. 

Three unnamed co-conspirators are named in the court documents, including one based in Washington state and another in Canada. 

But one of the court documents for Wagenius’ charges references a “related case” of United States v. Connor Riley Moucka and John Erin Binns — two other hackers implicated in the theft of Snowflake data and previous targeting of telecoms like AT&T and T-Mobile. 

Moucka agreed to be extradited to the U.S. from Canada earlier this year while Binns was detained by Turkish authorities in May 2024 after being indicted for his role in a previous hack of T-Mobile.

kiberphant0m and cyb3rph4nt0m

Prosecutors said Wagenius and his crew “gained unlawful access to hundreds of thousands of sensitive business and customer records, including non-content call and text history records, telecommunication identifying information, and other personally identifiable information.”

Court documents for both cases say Wagenius accessed sensitive telecom records before extorting the companies, threatening to release the stolen data unless he and his co-conspirators were paid ransoms. The group used Telegram to coordinate, share the stolen data, distribute credentials and discuss how to move forward with the extortion. 

Wagenius and his co-conspirators threatened to post the stolen data to popular cybercriminal forums like BreachForums and XSS.is, often offering to sell the data for thousands of dollars. In some cases the data was offered on platforms like X and Telegram. Prosecutors said some was successfully sold on these forums and in some cases the hackers used the stolen data to perpetuate other schemes like SIM swapping.

In at least one instance, Wagenius offered to sell the stolen data to a foreign intelligence service.

The indictment mentions one instance in May 2024 where Wagenius and a co-conspirator accessed the systems of a victim company and stole information on hundreds of thousands of the company’s customers. Wagenius allegedly demanded a ransom payment of $500,000 for the company’s data before posting an offer to sell more than 250GB of data on XSS.is. 

In August and September, Wagenius and two others stole data on thousands from another victim company. On October 12, Wagenius posted 325 GB stolen from the company on XSS.is, offering to sell the data for $200,000. He also posted the data on BreachForums and on a Telegram channel. He ended up releasing all of the data stolen from that victim on November 5. 

Wagenius tried to extort several other victims, demanding $500,000 worth of cryptocurrency in some cases, prosecutors said. 

He will be sentenced on October 6 after prosecutors decided to postpone it as additional charges were being levied. 

‘U.S. military personnel defecting to Russia’

Wagenius previously pleaded guilty to “unlawfully posting and transferring confidential phone records information, including those allegedly pertaining to high-ranking public officials.”

Many of the court documents for that case have been sealed and restricted from the public but those available paint a picture of Wagenius as a U.S. soldier actively seeking to flee the country following his cybercrimes.

Prosecutors said he “conducted online searches about how to defect to countries that do not extradite to the United States and that he previously attempted to sell hacked information to at least one foreign intelligence service.” 

“Additionally, Wagenius violated his commanding officer’s orders by purchasing a new laptop after a federal search warrant was executed at his barracks room and his electronic devices were seized, which raises concerns about his willingness to comply with any conditions of release,” court documents explained. 

Accounts tied to Wagenius made public online posts around November 6 that included “highly sensitive call detail records purportedly belonging high-ranking public officials and their family members and threatened to release additional phone records belonging to the same individual victims unless Victim-1, a major telecommunications company, contacted him or an intermediary to pay a ransom.”

Prosecutors obtained threatening messages Wagenius sent to the one victim company where he said he didn't care if he received a ransom. 

“I already made your samples and data on [REDACTED] available to everybody on breachforums. I will leak much much much more, literally all of it,” he wrote. 

These messages were sent while he was still on active duty with the U.S. Army in Texas. 

In November 2024, Wagenius contacted an email address he believed belonged to an unidentified country’s military intelligence service in an effort to sell the information he stole. 

Prosecutors obtained Google searches made by Wagenius that included “can hacking be treason,” “where can i defect the u.s government military which country will not hand me over,”  “U.S. military personnel defecting to Russia” and “Embassy of Russia – Washington, D.C,” and “how to get passport fast.”

Wagenius’ devices were seized by federal law enforcement on December 4 and his commanding officer restricted him from buying new devices. But he ignored the order and bought a laptop, continuing to use it until December 12. 

He used a virtual private network (VPN) during this period, obfuscating his activity, and the DOJ said it is still investigating what exactly he did. 

In October 2024, Wagenius boasted in messages to another hacker that because of U.S. military law, he believed he would not be arrested immediately. This year, prosecutors were successful in keeping Wagenius detained after arguing that he was not only a danger to the community but also a “serious” flight risk.

Investigators found passports and driver’s licenses, as well as access to large amounts of cryptocurrency on his devices. They were able to find evidence that he created at least one fake ID for himself. 

Prosecutors said the stolen data did not include customer names, but the data Wagenius posted was enriched to include names associated with specific telephone numbers. 

“The danger to the public is amplified by the possibility that Wagenius may be able to access remote servers and cloud storage accounts when he gains access to the internet, and there are potentially gigabytes of sensitive victim information that have not yet been recovered,” prosecutors said. 

“Wagenius has repeatedly demonstrated his inability to resist posting stolen data. He posted offers to sell stolen information on criminal forums throughout 2024, leaked victim data in November 2024, and then proceeded to violate military orders in December 2024 when he was on active duty — because he could not resist the urge to access the internet.”

A screenshot found on his laptop had “suggested he had over 17,000 files that included passports, driver’s licenses, and other identity cards belonging to victims of a breach.”

Google Threat Intelligence Group’s Austin Larsen noted that they have been tracking Wagenius’ activity since November 2023 due to his involvement in multiple intrusions impacting their customers.