29.8k unique visitors in the last 3 days

What an American Hacker’s Methods Tells Us about a Flaw in Fraud Prevention Strategies

Cameron Wagenius used an online alias to sell customer data stolen from Verizon and AT&T while he was serving in the US Army.

A former soldier in the US Army recently pled guilty to charges of stealing call records from Verizon and AT&T, then threatening to sell the data unless the telcos paid him off. Cameron John Wagenius (pictured) also known by his online alias of kiberphant0m, was serving from an Army base in Texas when his criminal exploits began in April 2023. They continued until December 2024, even after he was stationed in South Korea. Wagenius conspired with others to obtain user credentials for systems belonging to the telcos and to eight other organizations via a hacking tool they called SSH Brute. A group chat on Telegram was used to orchestrate their efforts. Once the data had been stolen, the conspirators both offered it for sale on criminal forums and also demanded ransoms from their victims totaling USD1mn. Wagenius led efforts to sell the data through his kiberphant0m online accounts.

And the criminal gang used the stolen data to commit other frauds, including unauthorized SIM swaps.

A lot of guff emanating from anti-fraud associations concentrates on hackers connecting to comms networks in order to exploit the networks and their customers. Tackling these abuses is unquestionably important, but an excessively narrow focus on the comms network can blind us to the other routes that criminals take to infiltrate comms providers and cause harm to customers. It can also blind us to how much fraudsters crave data about everybody who has a phone. Whether they get this data by bribing a telco employee, hacking into a system themselves, or by simply buying data from a darknet forum, the leak of data is a precursor to crimes that affect consumers. But if you only listened to the shills that US telcos have parachuted into consumer protection initiatives, you could be forgiven for believing that their shameful history of leaking data is unrelated to the elevated levels of scam activity that we experience today.

Wagenius is scheduled to be sentenced on October 6, when he faces a maximum prison sentence of 20 years for conspiracy to commit wire fraud and a maximum penalty of five years for extortion in relation to computer fraud. He is guaranteed a two-year sentence for aggravated identity theft. Wagenius also pled guilty in a separate case to the unlawful transfer of confidential phone records. A long prison sentence for Wagenius is necessary to deter similar crimes. However, the telcos who applaud such sentences are doing so to distract attention from their own failings. Enforcement of US laws and regulations on comms providers that leak data has been inadequate, as exemplified by AT&T dodging a USD57mn fine a few months ago for failing to apply controls that would have prevented unauthorized access to customer data processed by business partners. The consequence is that there is a serious possibility that telcos like AT&T will calculate it is cheaper to pay ransoms for stolen data than to implement the security necessary to prevent its theft.

Justice requires that repeat offenders suffer increasingly harsh punishment, but you would never conclude that from the way the USA has applied data protection rules to big businesses, including comms providers. Robust controls over customer data are especially vital for comms providers because of the enormous amounts of potentially sensitive data they process on behalf of large swathes of the population. However, AT&T successfully argued their constitutional rights were infringed when the Federal Communications Commission (FCC), the US comms regulator, attempted to impose the aforementioned USD57mn fine without a jury trial. I cannot identify another country in the world where government agencies are not legally allowed to impose penalties on the businesses they regulate because such penalties can only be determined by a jury selected from the general public. The authorities in the USA were already too weak and timid in disciplining businesses that leaked data; expecting the public to adjudicate the seriousness of every data leak will grind all enforcement of privacy rules to a halt. And what does prioritizing AT&T’s constitutional right to a jury by trial say about the rights supposedly conferred to ordinary Americans? It means the right to be let alone is no longer a right that Americans can expect to exercise in practice.

I repeat myself when observing there are no arguments which I can make that will benefit ordinary Americans. The American justice system and American political system are so warped that the issues created by their failings extend well beyond the topics covered by Commsrisk. And there is no way that I can obtain similar levels of influence to the grossly overpaid ex-FCC lawyers that lobby on behalf of US comms providers. They will shape consumer protection policy in the USA. The USA has no forum that will listen to impartial experts in the way comms providers are behaving because no impartial expert can afford to pay the hefty costs associated with lobbying in the USA. My best hope is to encourage regulators, officials, police and professionals who work in the comms sector to not allow the mistakes that have been made in the USA to distort the consumer protection strategies of other countries too.

When it comes to protecting the public, the best and first strategy is to keep them out of harm’s way by preventing the leakage of data before it occurs. A business will not be sufficiently motivated to spend on protecting the data of customers if the cost of a leak is only suffered by the victims of crime. That is why there is also a need to punish organizations that allow leaks to occur, even if they have been hacked by criminals. A line needs to be drawn, and the failure to implement sufficiently robust data protection controls deserves to be punished. Sadly, the USA’s lax data protection law and enforcement is hurting people worldwide because American companies process so much data about people who have no rights under American law. However, those of us who work in the global communications sector can also draw a line, by welcoming tough data security expectations even when American comms providers go to the authorities in other countries to lobby against them. Perhaps, if other countries hold the line well enough, it might even prompt American businesses to do better.

The press release issued by the US Department of Justice about Wagenius’ gulity plea can be found here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email