Federal prosecutors have filed a detention memorandum urging the court to indefinitely detain Cameron John Wagenius, a 21-year-old active-duty U.S. Army soldier stationed at Fort Cavazos, Texas, following his alleged involvement in a multi-state cybercrime campaign targeting at least 15 telecommunications providers.
The charges, unsealed ahead of a March 3 detention hearing, reveal a sprawling operation involving data theft, extortion attempts, and communications with foreign intelligence services.
Wagenius faces federal charges under 18 U.S.C. § 1039 for allegedly stealing and attempting to sell call detail records (CDRs) belonging to high-ranking government officials and their families.
According to court documents, he used the aliases kiberphant0m and cyb3rph4nt0m to post samples of stolen data on cybercrime forums in November 2024, threatening to release “literally all of it” unless a major telecom provider paid a $500,000 ransom.
The indictment alleges Wagenius enriched raw CDRs with personally identifiable information (PII), violating privacy protections Congress established specifically to shield victims of domestic violence, law enforcement personnel, and public figures.
Prosecutors note the stolen records included geolocation data and contact frequency metrics that could compromise national security if disseminated.
Investigators uncovered evidence suggesting Wagenius attempted to monetize stolen data beyond public extortion.
For two weeks in November 2024, he allegedly negotiated via email with an entity he believed to be Country-1’s military intelligence service, offering exclusive access to telecom datasets.
Subsequent Google searches on his devices included queries about whether “hacking can be treason” and instructions to “defect[] to Russia”.
His search history from October 2024 paints a portrait of premeditated flight risk:
In encrypted chats, Wagenius allegedly boasted to a co-conspirator that military jurisdiction would buy him time to “go AWOL” if authorities discovered his activities.
Even after his December 2024 arrest, Wagenius reportedly violated direct orders from commanding officers by purchasing a new laptop and using VPN software to mask his online activity.
Army investigators seized the device, which contained evidence of continued data access through cloud storage platforms.
Prosecutors warn he retains “gigabytes of sensitive victim information” not yet recovered by law enforcement, including a cache of 17,000 stolen identity documents such as passports and driver’s licenses.
The case has alarmed cybersecurity experts due to Wagenius’ security clearance and military status.
“When someone with access to military networks starts funneling data to adversarial states, it blurs the line between cybercrime and espionage,” said Dr. Elena Torres of the Center for Strategic Cyber Studies.
“The depth of his access—and his apparent disregard for operational security—makes this a worst-case scenario”.
In their filing, prosecutors emphasized Wagenius’ technical aptitude and repeated defiance of authority as justification for detention:
The government rejected defense proposals for house arrest, noting his December 2024 laptop purchase occurred while under Army monitoring at Fort Cavazos.
“No combination of conditions can mitigate these risks,” the memorandum concludes.
Authorities confirm parallel probes into potential co-conspirators and foreign contacts, including a related case (United States v. Connor Riley Moucka and John Erin Binns) involving overlapping victims.
With Wagenius’ military discharge pending, the case tests jurisdictional boundaries between civilian and military justice systems.
As of publication, the defendant remains in custody awaiting his plea hearing.
The case underscores growing concerns about insider threats within defense infrastructure and the vulnerability of telecom networks to privileged actors.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
Google is rolling out a new privacy-focused feature called Shielded Email, designed to prevent apps and…
Cybersecurity experts are warning of an increasing trend in fileless attacks, where hackers leverage PowerShell…
Unit 42 researchers have observed a threat actor group known as JavaGhost exploiting misconfigurations in…
A new variant of malware, dubbed "Poco RAT," has emerged as a potent espionage tool…
The United States has suspended offensive cyber operations against Russia under an order issued by…
Cybersecurity researchers have uncovered a sophisticated phishing campaign leveraging Google Ads and PayPal’s infrastructure to…