The hacker who threatened to release the private call logs of United States President-elect Donald Trump and Vice President Kamala Harris has been arrested after being identified as an American soldier.
In November, The Nightly exclusively revealed that a cybercriminal using the handle kiberphant0m had threatened one of the world’s largest telecommunications companies that if it did not comply with his demands, he would publish Trump and Harris’s private call records.
International law enforcement agencies and cybersecurity researchers swiftly identified kiberphant0m as US Army soldier Cameron John Wagenius.
Court documents, obtained by The Nightly, reveal Wagenius was arrested late last month at Fort Hood in Texas and charged with two counts of unlawful transfer of confidential phone records.
In November Wagenius had posted a sample of Harris’ stolen call records to BreachForums alongside a demand to American telecommunications company AT&T.
“TRUMP and Vice President of the United States CALL LOGS -- OFFICIAL WARNING TO ATNT,” he wrote.
“If you do (not) contact me or Reddington by Sunday, consider all of the Data to be leaked. You have until Sunday to contact me or Reddinton (Sic). In the event you do not reach out to us @ATNT all presidential government call logs will be leaked. You don’t think we don’t have plans in the event of an arrest? Think again.
“I’d highly advise you to contact us.
“Have fun with the media coverage, shouldn’t (have) dragged it on.”
Wagenius followed up his demand with the tag #FREEWAIFU typed five times.
Waifu is one of the hacker handles of his associate Alexander Connor Moucka, who was arrested in Canada in November and is facing extradition to the US.
The 26-year-old software engineer and prolific cybercriminal is suspected of committing a string of breaches involving cloud services provider Snowflake.
Over a number of months in mid-2024 more than 165 Snowflake customers – including AT&T, Santander bank, Ticketmaster owner Live Nation Entertainment, Ticketek owner TEG, Lending Tree, Advance Auto Parts and Neiman Marcus – had their data exposed or stolen.
The hack was one of the biggest in history due to the scale of personal data stolen in the breaches.
As a part of the Snowflake hacking spree, Moucka is suspected to have stolen the personal information of millions of Australians who held accounts with Ticketmaster and Ticketek.
After stealing the data, Moucka – who used online handles including Judische and Waifu – allegedly tried to extort the companies he had breached.
They were threatened that if ransoms were not paid, the stolen personal data would be posted online.
Moucka is understood to have shared the stolen Snowflake data with Wagenius.
Court documents show the indictment against Wagenius was filed in Texas but then transferred to the US District Court for the Western District of Washington in Seattle where Moucka’s case is being prosecuted.
Meanwhile, Wagenius’ Facebook profile remains active and boasts photos and videos of him in military uniform while holding various Army-issued weapons.
Colonel Kamil Sztalkoper, a spokesperson for the III Armored Corps, told Reuters Wagenius was a Fort Cavazos soldier.
“III Armored Corps will continue to cooperate with all law enforcement agencies as appropriate,” he said.
Fort Cavazos, in Texas, was formerly known as Fort Hood.
The Department of the Army Criminal Investigation Division told Reuters it was working with federal law enforcement partners and would not be sharing additional information.
Last month cybersecurity journalist Brian Krebs revealed that Wagenius was a 20-year-old communications specialist who was recently stationed in South Korea.
Wagenius’ mother Alicia Roen told Krebs that prior to her son’s arrest he had acknowledged being associated with Moucka.
Wagenius’ older brother is also in the US Army.
Allison Nixon, chief research officer at New York-based cybersecurity firm Unit 221B, told Krebs that she and an anonymous colleague identified Wagenius’ real-life identity.
“Anonymously extorting the President and VP as a member of the military is a bad idea, but it’s an even worse idea to harass people who specialise in de-anonymising cybercriminals,” she said.
“Between when we, and an anonymous colleague, found his opsec mistake on November 10th to his last Telegram activity on December 6, law enforcement set the speed record for the fastest turnaround time for an American federal cyber case that I have witnessed in my career.”