US hacker likely linked to ’24 BSNL data breach

By, New Delhi
Jan 10, 2025 03:00 AM IST

Cameron John Wagenius, a communications specialist, was arrested on December 20 for attempting to sell hacked data from American telecom companies.

An American soldier arrested in Texas last month for selling hacked telecom data is likely linked to a major data breach at India’s State-owned BSNL last year, cybersecurity analysts and publicly available information suggest, bringing into the spotlight the cross-continental workings of an underground cybercrime industry.

Cameron John Wagenius, a communications specialist stationed in South Korea, was arrested on December 20 for attempting to sell hacked data from American telecom companies. (HT PHOTO)

Cameron John Wagenius, a communications specialist stationed in South Korea, was arrested on December 20 for attempting to sell hacked data from American telecom companies. Wagenius, according to a report by an American cybersecurity publication and experts HT spoke to, is likely “kiberphant0m” on a popular dark web marketplace, where he also attempted to sell 278 GB of sensitive BSNL data in May for $5,000 – a fraction of its potential value.

The stolen data included critical subscriber information and security infrastructure details, including international mobile subscriber identities, SIM numbers, and BSNL’s home location register – a database containing user histories and call routing information. The hacker also claimed to have obtained snapshots of BSNL’s SOLARIS server and security key data.

The arrest puts a rare name and face behind a shadow criminal commodities market, where hackers break into networks and harvest sensitive data, then pass it on to well-connected brokers like him who advertise their stolen goods on underground forums.

On May 29 last year, kiberphant0m made the sale post on Breached Forums: “Information is worth several million dollars but I’m selling for pretty cheap. Negotiate a deal in telegram”. The post directed potential buyers to a Telegram account under the handle @cyb3rph4nt0m, which was last active on December 7.

In July, the Indian government said in the Lok Sabha that one of BSNL’s servers was breached, and that the Indian Computer Emergency Response Team (CERT-In) had reported this intrusion and breach on May 20.

At the time, HT reached out to the user via the Telegram link to find out if they still have access to any BSNL servers but there was no response. HT also called two of the BSNL numbers given in the sample screenshot posted by the user. HT could not verify the other details in the screenshot as the customers called had forgotten details about duration of calls made in early May as well as recharge details.

Indian officials said they were aware of the user kiberphant0m but did not know the identity behind the persona, or of Wagenius’s arrest.

A senior Indian government official, speaking on condition of anonymity, told HT this week: “We knew about the kiberphant0m account and have been working on it. We didn’t know who was responsible for the account. Attribution is very difficult in cyber domain.”

The breakthrough in identifying Wagenius came through his connection to a sophisticated criminal network that had already caught the attention of American law-enforcement. According to cybersecurity publication KrebsOnSecurity, Wagenius was associated with Connor Riley Moucka, who operated under multiple aliases including “Judische,” “catist,” “waifu,” and “ellye18”. Moucka, who preferred to “outsource the selling of stolen data from telcos and Snowflake customers to people like kiberphant0m”, was arrested in October for orchestrating data theft and extortion schemes targeting dozens of companies.

The October indictment revealed a sprawling operation: Moucka and his associate John Erin Binns allegedly breached at least 10 organisations across sectors, extracting approximately 36 bitcoin ($2.5 million) in extortion payments from three victims alone. The duo then monetised the stolen data through underground forums, generating millions in additional profits.

Allison Nixon, chief research officer of Unit 221B, a New York-based cybersecurity firm who helped establish Wagenius’s identity, confirmed he was the same person who had “posted a sales ad for illicit access” to the BSNL data. However, she distinguished this operation from state-sponsored attacks: “These large telcos are big targets and many different actors seek to target them with fraud or hacking. He is just part of a different group, and what they chose to do with the data is totally different from what the Salt Typhoon people chose to do.”

Salt Typhoon is an advanced persistent threat (APT) actor linked to China whose cyberespionage operations have breached at least nine American telecom firms, including AT&T and Verizon.

The scope of the operation went beyond India. Wagenius allegedly attempted to sell AT&T call logs of prominent US political figures, including incoming president Donald Trump and current vice president Kamala Harris. His posts also claimed access to data from 15 other Asian telecom providers and Verizon records.

The case exposes critical vulnerabilities in how state-owned telecom providers protect sensitive data and exposes a major legal complication in prosecution, given Wagenius’s employer.

“There are legal issues here. How do you deal with a person who is serving in the US Army?” the Indian government official noted, adding that India had not yet engaged with American counterparts on this specific case. Sources indicate the Department of Telecommunications has not filed any FIR regarding the breach, limiting legal options for international cooperation.

Aaron Kamath, leader, commercial and technology practice at Nishith Desai Associates, said that “Where the bad actor is beyond Indian shores, Indian law enforcement authorities, upon filing of an FIR, can initiate investigation, seek information and pursue action through international treaties, coordination with international agencies, or in cooperation with the foreign country’s law enforcement.”

BSNL did not respond to requests for comment, making it difficult to determine if the telecommunications provider had filed an FIR.

Wagenius now faces two counts of “knowingly and intentionally” selling confidential phone records without authorisation. His arrest marks a rare instance where the shadow world of international data trafficking intersects with military service, raising questions about insider threats to critical telecommunications infrastructure.
