A former soldier in the US Army recently pled guilty to charges of stealing call records from Verizon and AT&T, then threatening to sell the data unless the telcos paid him off. Cameron John Wagenius (pictured) also known by his online alias of kiberphant0m, was serving from an Army base in Texas when his criminal exploits began in April 2023. They continued until December 2024, even after he was stationed in South Korea. Wagenius conspired with others to obtain user credentials for systems belonging to the telcos and to eight other organizations via a hacking tool they called SSH Brute. A group chat on Telegram was used to orchestrate their efforts. Once the data had been stolen, the conspirators both offered it for sale on criminal forums and also demanded ransoms from their victims totaling USD1mn. Wagenius led efforts to sell the data through his kiberphant0m online accounts.
And the criminal gang used the stolen data to commit other frauds, including unauthorized SIM swaps.
A lot of guff emanating from anti-fraud associations concentrates on hackers connecting to comms networks in order to exploit the networks and their customers. Tackling these abuses is unquestionably important, but an excessively narrow focus on the comms network can blind us to the other routes that criminals take to infiltrate comms providers and cause harm to customers. It can also blind us to how much fraudsters crave data about everybody who has a phone. Whether they get this data by bribing a telco employee, hacking into a system themselves, or by simply buying data from a darknet forum, the leak of data is a precursor to crimes that affect consumers. But if you only listened to the shills that US telcos have parachuted into consumer protection initiatives, you could be forgiven for believing that their shameful history of leaking data is unrelated to the elevated levels of scam activity that we experience today.
Wagenius is scheduled to be sentenced on October 6, when he faces a maximum prison sentence of 20 years for conspiracy to commit wire fraud and a maximum penalty of five years for extortion in relation to computer fraud. He is guaranteed a two-year sentence for aggravated identity theft. Wagenius also pled guilty in a separate case to the unlawful transfer of confidential phone records. A long prison sentence for Wagenius is necessary to deter similar crimes. However, the telcos who applaud such sentences are doing so to distract attention from their own failings. Enforcement of US laws and regulations on comms providers that leak data has been inadequate, as exemplified by AT&T dodging a USD57mn fine a few months ago for failing to apply controls that would have prevented unauthorized access to customer data processed by business partners. The consequence is that there is a serious possibility that telcos like AT&T will calculate it is cheaper to pay ransoms for stolen data than to implement the security necessary to prevent its theft.
Justice requires that repeat offenders suffer increasingly harsh punishment, but you would never conclude that from the way the USA has applied data protection rules to big businesses, including comms providers. Robust controls over customer data are especially vital for comms providers because of the enormous amounts of potentially sensitive data they process on behalf of large swathes of the population. However, AT&T successfully argued their constitutional rights were infringed when the Federal Communications Commission (FCC), the US comms regulator, attempted to impose the aforementioned USD57mn fine without a jury trial. I cannot identify another country in the world where government agencies are not legally allowed to impose penalties on the businesses they regulate because such penalties can only be determined by a jury selected from the general public. The authorities in the USA were already too weak and timid in disciplining businesses that leaked data; expecting the public to adjudicate the seriousness of every data leak will grind all enforcement of privacy rules to a halt. And what does prioritizing AT&T’s constitutional right to a jury by trial say about the rights supposedly conferred to ordinary Americans? It means the right to be let alone is no longer a right that Americans can expect to exercise in practice.
I repeat myself when observing there are no arguments which I can make that will benefit ordinary Americans. The American justice system and American political system are so warped that the issues created by their failings extend well beyond the topics covered by Commsrisk. And there is no way that I can obtain similar levels of influence to the grossly overpaid ex-FCC lawyers that lobby on behalf of US comms providers. They will shape consumer protection policy in the USA. The USA has no forum that will listen to impartial experts in the way comms providers are behaving because no impartial expert can afford to pay the hefty costs associated with lobbying in the USA. My best hope is to encourage regulators, officials, police and professionals who work in the comms sector to not allow the mistakes that have been made in the USA to distort the consumer protection strategies of other countries too.
When it comes to protecting the public, the best and first strategy is to keep them out of harm’s way by preventing the leakage of data before it occurs. A business will not be sufficiently motivated to spend on protecting the data of customers if the cost of a leak is only suffered by the victims of crime. That is why there is also a need to punish organizations that allow leaks to occur, even if they have been hacked by criminals. A line needs to be drawn, and the failure to implement sufficiently robust data protection controls deserves to be punished. Sadly, the USA’s lax data protection law and enforcement is hurting people worldwide because American companies process so much data about people who have no rights under American law. However, those of us who work in the global communications sector can also draw a line, by welcoming tough data security expectations even when American comms providers go to the authorities in other countries to lobby against them. Perhaps, if other countries hold the line well enough, it might even prompt American businesses to do better.
The press release issued by the US Department of Justice about Wagenius’ gulity plea can be found here.



