{"id":985,"date":"2024-11-27T11:18:38","date_gmt":"2024-11-27T11:18:38","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=985"},"modified":"2024-11-27T11:18:38","modified_gmt":"2024-11-27T11:18:38","slug":"a-us-soldier-is-suspected-of-being-behind-the-massive-snowflake-data-leak","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=985","title":{"rendered":"A US soldier is suspected of being behind the massive Snowflake data leak"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>One of the hackers who masterminded the<a href=\"https:\/\/www.csoonline.com\/article\/2140487\/snowflake-no-breach-just-compromised-credentials-say-researchers.html\"> Snowflake credential leak<\/a> that led to the threat actors stealing data from and extorting at least<a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc5537-snowflake-data-theft-extortion\"> 165 companies<\/a>, including<a href=\"https:\/\/www.csoonline.com\/article\/2137755\/live-nation-sec-filing-confirms-unauthorized-activity-in-wake-of-alleged-ticketmaster-hack.html\"> 560 million Ticketmaster<\/a> customers and 110 million AT&amp;T customers, could be a US soldier, according to cybersecurity journalist Brian Krebs.<\/p>\n<p>The hacker, known for using the moniker Kiberphant0m, carried out online chats under multiple cybercrime personas across different platforms, Krebs said, adding that the chats point to US Army ties and a possible posting in South Korea.<\/p>\n<p>Two men,<a href=\"https:\/\/www.csoonline.com\/article\/3599748\/man-arrested-in-canada-allegedly-linked-to-snowflake-data-thefts.html\"> Connor Riley Moucka and John Erin Binns<\/a>, have already been arrested and are facing charges in connection with the Snowflake extortions, while Kiberphant0m, whose 
identity remains unknown, is still at large and continues to extort victims.<\/p>\n<p>The hacker might not be able to do so for long, Krebs claims, as pieces of the puzzle are beginning to fall into place.<\/p>\n<h2 class=\"wp-block-heading\">Kiberphant0m allegedly claimed on Telegram to be in the US Army<\/h2>\n<p>While Krebs dated Kiberphant0m\u2019s BreachForums account to January 2024, the cybersecurity researcher also traced the hacker\u2019s presence on several Discord and Telegram channels back to 2022.<\/p>\n<p>\u201cOn their first post to BreachForums, Kiberphant0m said they could be reached at the Telegram handle @cyb3rph4nt0m,\u201d Krebs said. \u201cA review of @cyb3rph4nt0m shows this user has posted more than 4,200 messages since January 2024. Many of these messages were attempts to recruit people who could be hired to deploy a piece of malware that enslaved host machines in an Internet of Things (IoT) botnet.\u201d<\/p>\n<p>In June 2024, a user with the handle \u201cButtholio\u201d joined the fraud-focused Telegram channel \u201cCowgirl\u201d and, after another member taunted them as a nobody, claimed to be Kiberphant0m as proof of their standing, Krebs noted.<\/p>\n<p>In a gaming chatroom on Discord in September 2023, Buttholio told others they had bought the game in the US but were playing it in Asia. \u201cUSA is where the game was purchased from, server location is actual in game servers u play on. I am a u.s. 
soldier so i bought it in the states but got on rotation so i have to use asian servers,\u201d they wrote, adding \u201cCome to Korea, servers there is pretty much no extract camper or cheater\u201d.<\/p>\n<p>Months later, in January 2024, Kiberphant0m logged on to the Telegram channel \u201cDstat,\u201d where cybercriminals discussed distributed denial-of-service (DDoS) attacks and tried to sell DDoS-for-hire services. There, another user wrote \u201chi buttholio,\u201d and Kiberphant0m acknowledged the greeting with \u201cwsg\u201d (what\u2019s good).<\/p>\n<p>In April 2024, Kiberphant0m told a fellow Dstat member that their alternate Telegram username was \u201c@reverseshell.\u201d Krebs dug up a November 2022 post in which @reverseshell told a member of the Telegram channel \u201cCecilio Chat\u201d that they were in the US Army, accompanied by a picture showing someone in military uniform from the waist down.<\/p>\n<h2 class=\"wp-block-heading\">Continued activity on BreachForums<\/h2>\n<p>Immediately after news of Moucka\u2019s arrest broke, Kiberphant0m<a href=\"https:\/\/thenightly.com.au\/politics\/us-politics\/hacker-threatens-to-release-donald-trump-kamala-harris-personal-mobile-phone-numbers-in-att-extortion-bid-c-16668191\"> posted<\/a> on BreachForums claiming to possess AT&amp;T call logs for President-elect Donald J. Trump and Vice President Kamala Harris.<\/p>\n<p>\u201cEnjoy the data schema from the NSA which spies on literally all American citizens, who knows what else,\u201d the hacker wrote in the<a href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2024\/11\/kiberphant0m-nsa-schema.png\"> post<\/a>, which has since been updated. \u201cThis was obtained from the ATNT Snowflake hack which is why ATNT paid an extortion. 
They wanted to keep the NSA data a secret.\u201d<\/p>\n<p>The hacker went on to stress that AT&amp;T had chosen to pay to keep the NSA data secret but had refused to pay for more than 20 million Social Security numbers (SSNs).<\/p>\n<p>On Nov 5, Kiberphant0m also offered to sell stolen call logs of Verizon\u2019s push-to-talk (PTT) customers, mostly government agencies. Earlier, in a tweet on Oct 22, an X account with the handle @kiberphant99087 had<a href=\"https:\/\/x.com\/kiberphant99087\/status\/1848762876263014604\"> asked<\/a> a Verizon board member to reach out to them.<\/p>\n<p>\u201c<a href=\"https:\/\/x.com\/ShelArchambeau\">@ShelArchambeau<\/a> Please DM me, it\u2019s critical involving Verizon data and cybersecurity,\u201d the tweet read. \u201cFailure to comply will result in consequence. Tweet will be deleted once I am contacted.\u201d<\/p>\n<p>The tweet is still up.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>One of the hackers who masterminded the Snowflake credential leak that led to the threat actors stealing data from and extorting at least 165 companies, including 560 million Ticketmaster customers and 110 million AT&amp;T customers, could be a US soldier, according to cybersecurity journalist Brian Krebs. 
The hacker, known for using the moniker Kiberphant0m, carried [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":980,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-985","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/985"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=985"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/985\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/980"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=985"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=985"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=985"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}