Full Report
Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect -- a prolific hacker known as Kiberphant0m -- remains at large and continues to publicly extort victims. However, this person's identity may not remain a secret for long: A careful review of Kiberphant0m's daily chats across multiple cybercrime personas suggests they are a U.S. Army soldier who is or was recently stationed in South Korea.
Analysis Summary
# Threat Actor: Kiberphant0m
## Attribution & Identity
* **Primary Identity:** Kiberphant0m.
* **Alleged Identity:** Believed to be a U.S. Army soldier, possibly recently stationed in South Korea (associated heavily with the Eighth Army's cyber operations unit).
* **Known Aliases/Personas:** @cyb3rph4nt0m (Telegram), Buttholio, and Vars\_Secc (a persona that posted suggestive imagery related to NSA job applications). The handles Judische and Waifu belong to the arrested accomplice Alexander Moucka, not to Kiberphant0m.
* **Affiliations/Associates:** Associated with Alexander Moucka (a.k.a. Judische/Waifu) and John Erin Binns, who were arrested/incarcerated in relation to the Snowflake data thefts and extortion attempts.
## Activity Summary
Kiberphant0m is a prolific cybercriminal actively selling stolen data and operating fraud services. Their primary recent focus involved exploiting poor security (username/password only) on **Snowflake** cloud storage instances belonging to major corporations.
* **Snowflake Extortion:** Selling data stolen from organizations using Snowflake, often targeting records that were not protected by MFA.
* **Post-Arrest Escalation (Nov 2024):** Following the arrest of accomplice Moucka, Kiberphant0m publicly threatened to leak sensitive data obtained from AT&T, including purported call logs for President-elect Donald J. Trump and Vice President Kamala Harris, and a claimed "data schema" from the U.S. National Security Agency (NSA).
* **IoT Botnet Operations:** Previously involved in efforts to recruit individuals to deploy malware to create an IoT botnet.
* **Historical Activity:** Public chatter dates back to at least early 2022. Prior to the Snowflake breaches, they sold databases stolen from South Korean companies.
## Tactics, Techniques & Procedures
* **Data Exfiltration/Theft:** Scouring vulnerable cloud storage repositories (Snowflake) for sensitive customer data.
* **Extortion/Ransom Demands:** Threatening to leak stolen data unless victims comply.
* **Social Engineering/Fraud:** Offering and performing "SIM-swapping" services targeting Verizon Push-to-Talk (PTT) customers.
* **Botnet Management:** Sold the source code for "**Shi-Bot**," a custom Linux DDoS botnet derived from the **Mirai** malware.
* **Forum Activity:** Active on cybercrime forums (e.g., BreachForums) and social platforms (Telegram, Discord) for sales, recruitment, and threats.
## Targeting
* **Sectors:** Telecommunications, Cloud Storage/Data Providers, US Government Agencies (implied via Verizon PTT data), and General Corporate Entities.
* **Geography:** Victims mentioned include US-based entities (AT&T, Verizon) and companies in South Korea (historical sales).
* **Victims:** **AT&T** (large data theft, paid an alleged ransom), **Verizon** (offered SIM-swapping services targeting PTT customers, often government/first responders), and entities whose customer data was stored in vulnerable **Snowflake** instances.
## Tools & Infrastructure
* **Malware Families:** **Shi-Bot** (custom DDoS botnet based on Mirai source code).
* **Infrastructure/Handles:** Telegram handle **@cyb3rph4nt0m**, BreachForums presence, and various identity claims used across communication channels.
* **C2/Infrastructure (Implied):** Involved in managing an IoT botnet.
## Implications
Kiberphant0m is a highly active, persistent cybercriminal who, if the alleged military status is accurate, may have formal networking and cyber training. The actor's willingness to turn stolen data against high-profile political figures after law enforcement action against an accomplice signals a dangerous escalation and indifference to legal consequences. The ability to perform SIM swaps on a major carrier suggests access to sensitive credentialing information or a significant insider compromise.
## Mitigations
* **Enforce Multi-Factor Authentication (MFA):** Critical defense against credential-based cloud breaches, as the initial Snowflake compromises relied on weak password protection.
* **Review Cloud Configuration:** Immediately audit all cloud data storage platforms (specifically Snowflake, if utilized) to ensure strong access controls and monitoring are in place.
* **SIM-Swapping Defense:** Organizations and high-value individuals should use multi-factor authentication methods that resist SMS interception (e.g., hardware tokens, authenticator apps) and monitor for unauthorized SIM changes on their accounts.
* **Threat Monitoring:** Maintain heightened vigilance for leaks of sensitive data on cybercrime forums, particularly AT&T records, Verizon PTT customer lists, and any purported NSA schema information.
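As an added illustration of the first two mitigations (not part of the original report), the following Snowflake SQL finds password-only users with no MFA enrolled, surfaces recent single-factor logins, and then enforces MFA and a source-IP allowlist account-wide. It assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE share and to authentication policies; the policy names and the 203.0.113.0/24 range are placeholders.

```sql
-- 1. Audit: active users that can log in with a password but have no MFA enrolled.
--    EXT_AUTHN_DUO becomes TRUE once a user has enrolled in Snowflake's Duo-based MFA.
SELECT name, login_name, has_password, ext_authn_duo, last_success_login
FROM   SNOWFLAKE.ACCOUNT_USAGE.USERS
WHERE  deleted_on IS NULL
  AND  disabled = FALSE
  AND  has_password = TRUE
  AND  ext_authn_duo = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 2. Detect: successful logins in the last 30 days that completed with a password alone.
--    A single-factor login from an unfamiliar client IP is the pattern the
--    Snowflake account thefts relied on, so review every row this returns.
SELECT event_timestamp, user_name, client_ip, reported_client_type,
       first_authentication_factor
FROM   SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE  is_success = 'YES'
  AND  event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
  AND  first_authentication_factor = 'PASSWORD'
  AND  second_authentication_factor IS NULL
ORDER  BY event_timestamp DESC;

-- 3. Enforce: require MFA enrollment for password logins on every client type.
--    (require_mfa_policy is a placeholder name.)
CREATE AUTHENTICATION POLICY require_mfa_policy
  MFA_ENROLLMENT = REQUIRED
  CLIENT_TYPES   = ('ALL')
  COMMENT = 'Password logins must complete MFA enrollment';
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa_policy;

-- 4. Restrict: accept connections only from corporate egress ranges, so a stolen
--    password alone is not enough from an arbitrary internet address.
--    (203.0.113.0/24 is an RFC 5737 documentation range used as a placeholder.)
CREATE NETWORK POLICY corp_egress_only
  ALLOWED_IP_LIST = ('203.0.113.0/24')
  COMMENT = 'Block credential reuse from outside corporate egress';
ALTER ACCOUNT SET NETWORK_POLICY = corp_egress_only;
```

ACCOUNT_USAGE views lag live activity by up to a couple of hours, so for a near-real-time check pair the audit with SHOW USERS and the INFORMATION_SCHEMA.LOGIN_HISTORY table function.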