A soldier in the U.S. Army who confessed last week to disclosing telephone records of senior U.S. government officials had searched the internet for countries that do not extradite and for the answer to the question “can hacking be considered treason?”, prosecutors in the case said on Wednesday. The government revealed this information in a court filing aimed at keeping the defendant detained until he is released from military service.

U.S. Soldier Arrested for AT&T Breach After Querying “Is Hacking Considered Treason?”

One of several selfies posted on Cameron Wagenius’s Facebook profile.

Cameron John Wagenius, 20, was apprehended near the base at Fort Cavazos, Texas, on December 20, facing two criminal charges for the illicit transfer of confidential telephone records. Wagenius worked as a communications expert at a U.S. Army installation in South Korea, where he secretly adopted the alias Kiberphant0m and was part of a trio of cybercriminals who extorted numerous companies last year using stolen information.

At the close of 2023, malicious cyber actors discovered that many firms had uploaded sensitive client information to accounts on the cloud data storage platform Snowflake, which were secured with little more than basic username and password (lacking multi-factor authentication). After searching darknet marketplaces for compromised Snowflake account credentials, the cyber criminals initiated attacks on data storage sites utilized by some of the world’s largest enterprises.

One such victim was AT&T, which revealed in July that cyber thieves had stolen personal details, along with phone and text message logs, for approximately 110 million individuals, nearly all of its clientele. AT&T allegedly paid a hacker $370,000 to erase the stolen telephone records. Over 160 additional Snowflake clients were also compromised, including TicketMaster, Lending Tree, Advance Auto Parts, and Neiman Marcus.

In several posts on an English-language cybercrime forum in November, Kiberphant0m leaked some phone records while threatening to unveil the entirety of the information unless a ransom was paid. Prosecutors noted that in addition to his public posts on the forum, Wagenius had made multiple direct attempts to extort “Victim-1,” which seems to reference AT&T. The government claims that Kiberphant0m privately demanded $500,000 from Victim-1, warning that he would publish all the stolen phone records if he was not compensated.

On February 19, Wagenius admitted guilt to two charges of unlawfully transferring sensitive phone records, but he did so without the advantages of a plea deal. In submitting his plea, Wagenius’s attorneys requested the court permit him to remain with his father pending sentencing.

However, in a response submitted today (PDF), prosecutors in Seattle argued that Wagenius posed a flight risk, partly because, prior to his apprehension, he had searched online for ways to defect to countries that do not extradite to the United States. According to the government, while Kiberphant0m was extorting AT&T, Wagenius’s inquiries included:

- “where can i defect from the u.s government military which country will not extradite me”
- “U.S. military personnel defecting to Russia”
- “Embassy of Russia – Washington, D.C.”

“As noted in the government’s sealed filing, evidence has surfaced suggesting that the conduct charged was merely a fraction of Wagenius’s malevolent activity,” the government document states. “Additionally, for over two weeks in November 2024, Wagenius communicated with an email address he believed to belong to Country-1’s military intelligence agency in an effort to sell stolen data. Days after he seemingly concluded communication with Country-1’s military intelligence service, Wagenius searched online, ‘can hacking be treason.’”

Prosecutors informed the court that investigators also discovered a screenshot on Wagenius’s laptop indicating he possessed over 17,000 files containing passports, driver’s licenses, and other identification cards belonging to victims of a data breach, and that within one of his online accounts, the authorities also came across a counterfeit identification document featuring his photo.

“Wagenius should be detained as he poses a significant flight risk, has both the means and intention to escape, and is aware that he is likely facing further charges,” the Seattle prosecutors contended.

The court document states that Wagenius is currently in the process of separation from the Army, but the government has yet to receive verification that his discharge has been finalized.

“The government understands that, until his discharge from the Army is officially completed (anticipated to occur in early March), he may only be released directly to the Army,” asserts a footnote in the memorandum. “Until this procedure is finalized, Wagenius’s proposed release to his father should be denied for this supplementary reason.”

Wagenius’s desire to defect to another nation to evade prosecution parallels that of his alleged accomplice, John Erin Binns, a 25-year-old fugitive American man indicted by the Justice Department for a 2021 breach at T-Mobile that compromised the personal information of at least 76.6 million users.

Binns has also been charged in connection to the Snowflake cyberattack and subsequent extortion efforts. He is currently incarcerated in a Turkish jail. Sources linked to the investigation informed KrebsOnSecurity that before his arrest by Turkish authorities, Binns visited the Russian embassy in Turkey to inquire about obtaining Russian citizenship.

In late November 2024, Canadian authorities detained a third suspected member of the extortion ring, 25-year-old Connor Riley Moucka from Kitchener, Ontario. The U.S. government has indicted both Moucka and Binns, accusing them of one count of conspiracy; ten counts of wire fraud; four counts of computer fraud and abuse; two counts of extortion related to computer fraud; and two counts of aggravated identity theft.

Less than a month prior to Wagenius’s arrest, KrebsOnSecurity published an in-depth analysis of Kiberphant0m’s various identities on Telegram and Discord over the years, revealing how the account owner informed others they were serving in the Army and stationed in South Korea.

The maximum punishment Wagenius could face at sentencing includes up to ten years’ imprisonment for each count, along with fines not exceeding $250,000.

