US Army Soldier Arrested in Connection with AT&T and Verizon Extortion Scheme


U.S. Army Soldier Cameron Wagenius Arrested in Connection with Snowflake Customer Data Extortion


Federal law enforcement has arrested Cameron John Wagenius, a 20-year-old U.S. Army soldier, following a two-count indictment related to the compromise of customer accounts at Snowflake, a cloud data warehousing provider. Wagenius is accused of extorting victims after obtaining sensitive information from the breached accounts.

The arrest occurred on December 20 near Fort Cavazos in Texas, as first reported by cybersecurity journalist Brian Krebs. Wagenius is charged with illegally transferring confidential phone records without the necessary authorization and gathering these records through fraudulent means, as laid out in the indictment filed on December 18 in a Seattle federal court. Details surrounding the indictment were only made public recently when the court unsealed the document.

While the indictment does not name Snowflake, the reported criminal activities are linked to multiple high-profile cases involving the platform. Specifically, prosecutors have connected Wagenius to an associate, Connor Riley Moucka, who has been charged alongside others in a significant breach affecting over 165 organizations, including major telecommunications companies, that resulted in the theft of extensive call data records.

Investigations have reportedly found that the attackers exploited accounts that lacked multi-factor authentication, which gave them unauthorized access. In MITRE ATT&CK terms, this is an avenue of initial access: exploitation of a known vulnerability that organizations had failed to secure adequately.

In the aftermath of the breach, Snowflake has implemented enhanced security measures, including mandatory multi-factor authentication for newly created accounts and heightened prompts for existing users to activate MFA—a critical step in preventing similar future incidents.

Prosecutors have remained tight-lipped about any explicit connection between Wagenius and the stolen Snowflake data used to put extortion pressure on potential victims. However, evidence suggests that stolen data was used to extort ransom payments, reportedly amounting to large sums, including an instance where AT&T allegedly paid approximately $370,000 to hackers for the deletion of compromised customer information.

Moucka, the individual with whom Wagenius was associated, was arrested by Canadian authorities last month on similar charges, while another suspect, John Binns, faces separate allegations linked to a previous hacking incident involving T-Mobile. Extradition of both suspects to the United States is being pursued as law enforcement intensifies efforts to dismantle the cybercriminal network involved in these high-profile attacks.

The criminal activity surrounding this case shows why organizations need to strengthen their cybersecurity defenses, especially against the social engineering and unauthorized access tactics catalogued in the MITRE ATT&CK framework. Rigorous authentication measures and monitoring for suspicious activity are paramount in thwarting such threats.
