Former US soldier pleads guilty to hacking and extortion scheme targeting telecom firms

A former U.S. Army soldier has pleaded guilty to participating in a coordinated cyber extortion campaign that targeted telecommunications companies and resulted in the theft and sale of sensitive data, the Department of Justice announced.

Cameron John Wagenius, 21, admitted to conspiring with others to hack into at least ten organizations between April 2023 and December 2024. While serving on active duty, Wagenius used the alias “kiberphan0m” to operate online and carry out the attacks. The scheme involved the use of a hacking tool called “SSH Brute” to obtain login credentials, which allowed the conspirators to infiltrate protected computer systems and exfiltrate confidential information.

According to federal prosecutors, once inside the victim networks, the group attempted to extort the companies by threatening to publish the stolen data on underground cybercrime forums such as BreachForums and XSS.is unless ransom payments were made. In some instances, the data was sold directly to other cybercriminals and used to carry out further offenses, including SIM-swapping fraud. The group’s total extortion demands exceeded $1 million.

Wagenius pleaded guilty to conspiracy to commit wire fraud, extortion in relation to computer fraud, and aggravated identity theft. He had already entered a separate guilty plea in connection with two counts of unlawfully transferring confidential phone records. He is scheduled to be sentenced on October 6, 2025. The charges carry a maximum sentence of 20 years for conspiracy to commit wire fraud, five years for computer-related extortion, and a mandatory two-year term for identity theft, to be served consecutively.

Investigators have linked Wagenius’s activities to the high-profile breach of Snowflake, a cloud data warehousing company whose customers were affected by a credential stuffing attack. In that breach, stolen usernames and passwords were used to access vast stores of sensitive corporate data, which was later offered for sale or ransom. The attack, like the broader scheme involving Wagenius, was financially motivated and orchestrated through the dark web.