U.S. prosecutors have formally linked the arrest of a serving U.S. Army soldier in December to a massive theft of U.S. phone records from AT&T and Verizon last year.
Authorities arrested Cameron John Wagenius, a U.S. Army communications specialist, in Texas on December 20 following a brief two-page grand jury indictment accusing the U.S. serviceperson of two counts of unlawfully transferring confidential phone records. Wagenius was later extradited to Washington state.
In a new court filing on Friday, U.S. prosecutors confirmed that the charges against Wagenius are related to the earlier indictment of two alleged hackers, Connor Moucka and John Binns, who the U.S. government accuse of multiple intrusions at cloud computing company Snowflake that saw the mass-theft of data stored in its customer accounts. The Snowflake customers whose data was stolen include AT&T, which had “nearly all” of its customer call records through 2024 exfiltrated from its Snowflake account, and Verizon, from whom a substantial cache of customer call logs was taken.
U.S. Attorney Tessa Gorman told the Seattle court that, “both cases arise from the same computer intrusion and extortion and include some of the same stolen victim information,” and as such, “these cases rely on overlapping evidentiary material and legal process and arguably present common questions of law and fact.”
This is the first public acknowledgement by prosecutors that Wagenius’ charges are connected to last year’s breaches at cloud computing company Snowflake. Security journalist Brian Krebs first reported on the link between Wagenius and the Snowflake hacks in November, and later broke the news of Wagenius’ arrest.
The account hacks at Snowflake became one of the most wide-reaching cyberattacks of last year, affecting AT&T, LendingTree, Santander Bank, Ticketmaster, and at least 160 other companies. The hackers allegedly stole huge banks of personally identifiable and sensitive corporate data that companies stored in Snowflake, in part by using passwords stolen from employee computers with malware. Most of the affected Snowflake customers were not using multi-factor protection, which Snowflake did not require of its customers at the time.
According to Krebs’ reporting, following the earlier arrest of Moucka by Canadian authorities, Wagenius claimed in a post on a known cybercrime forum to have access to the call logs of Vice President Kamala Harris and then-President-elect Donald Trump, and threatened to leak all of the stolen files unless Moucka was released.
Prosecutors accuse the Snowflake hackers of stealing data that includes personal information, cell phone and IMEI numbers, dates of birth, postal and email addresses, passwords, Social Security numbers, government-issued identity numbers, as well as payment card and bank account numbers.
Wagenius was ordered on January 8 to be detained, and is understood to be in custody in Washington state.
