One of the hackers who masterminded the Snowflake credential leak, which led to the threat actors stealing data from and extorting at least 165 companies, including 560 million Ticketmaster and 110 AT&T customers, could be a US soldier, according to cybersecurity journalist Brian Krebs.

The hacker, known for using the moniker Kiberphant0m, carried out online chats using multiple cybercrime personas across different platforms, Krebs said, adding that the chats suggested links to the US Army and a possible posting in South Korea.

Two men, Connor Riley Moucka and John Erin Binns, have already been arrested and are on trial in connection with the Snowflake extortions, while Kiberphant0m, whose identity is still unknown, remains at large and is still extorting victims.

The hacker might not be able to do so for long, Krebs claims, as pieces of the puzzle are beginning to fall into place. While Krebs dated Kiberphant0m’s BreachForums account to January 2024, the cybersecurity researcher was also able to uncover the hacker’s presence on a few Discord and Telegram channels as early as 2022.

“On their first post to BreachForums, Kiberphant0m said they could be reached at the Telegram handle @cyb3rph4nt0m,” Krebs said. “A review of @cyb3rph4nt0m shows this user has posted more than 4,200 messages since January 2024. Many of these messages were attempts to recruit people who could be hired to deploy a piece of malware that enslaved host machines in an Internet of Things (IoT) botnet.”

Kiberphant0m joined a fraud-focused Telegram channel, “Cowgirl,” in June 2024 under the handle “Buttholio,” claiming to be Kiberphant0m. The claim was made as a show of proof after another “Cowgirl” member taunted “Buttholio” as a nobody, Krebs noted.

In a gaming chatroom on Discord in September 2023, Buttholio told others they had bought the game in the US but were playing it in Asia. “USA is where the game was purchased from, server location is actual in game servers u play on. I am a u.s. soldier so i bought it in the states but got on rotation so i have to use asian servers,” they shared, adding “Come to Korea, servers there is pretty much no extract camper or cheater.”

Months later, in January 2024, Kiberphant0m logged on to the Telegram channel “Dstat,” where cybercriminals chatted about distributed denial-of-service (DDoS) attacks and attempted to sell DDoS-for-hire kits, and another user wrote “hi buttholio.” Kiberphant0m acknowledged the greeting with “wsg” (what’s good).

In April 2024, Kiberphant0m told a fellow member of Dstat that their alternate Telegram username was “@reverseshell.” Krebs was able to dig up an old post from @reverseshell from November 2022, in which they told a member of the Telegram channel “Cecilio Chat” that they were US Army, alongside a picture showing someone in military uniform from the waist down.
Continued activity on BreachForums
Immediately after the news of Moucka’s arrest broke on the internet, Kiberphant0m posted on BreachForums claiming to have in their possession AT&T call logs for President-elect Donald J. Trump and Vice President Kamala Harris.

“Enjoy the data schema from the NSA which spies on literally all American citizens, who knows what else,” the hacker had written in the post, which has since been updated. “This was obtained from the ATNT Snowflake hack which is why ATNT paid an extortion. They wanted to keep the NSA data a secret.”

The hacker went on to emphasize that AT&T chose to pay to keep the NSA data a secret but refused to pay for over 20 million social security numbers (SSNs).

Additionally, on Nov 5, Kiberphant0m offered to sell stolen call logs from Verizon’s push-to-talk (PTT) customers, consisting mainly of government agencies. Previously, in a tweet on Oct 22, an X account with the handle @kiberphant99087 had asked a Verizon board member to reach out to them.

“@ShelArchambeau Please DM me, it’s critical involving Verizon data and cybersecurity,” the tweet read. “Failure to comply will result in consequence. Tweet will be deleted once I am contacted.” The tweet is still up.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3613655/a-us-soldier-is-suspected-of-being-behind-the-massive-snowflake-data-leak.html