The United States has arrested a US Army soldier and charged him with being part of a hacking scheme to sell and distribute stolen phone records. An indictment alleges that 20-year-old Cameron John Wagenius knowingly sold “confidential phone records” over online forums and other communications platforms last November.

The indictment doesn’t detail the hacked material, but KrebsOnSecurity reports that Wagenius appears to be connected to a series of high-profile data breaches linked to the online alias “Kiberphant0m.” Kiberphant0m claimed to have hacked 15 telecom firms and was working with the person allegedly behind the Snowflake data breach to sell the stolen information.

In November, Kiberphant0m posted what they claimed were AT&T call logs for President-elect Donald Trump and Vice President Kamala Harris. It’s not clear if the data was genuine, but AT&T did suffer a major theft of customer data as part of the Snowflake breach last year. In 2023, the hacker is also alleged to have sold “remote access credentials for a major U.S. defense contractor,” according to Krebs.

Krebs reports that Wagenius worked on communications at an Army base in South Korea. After the alleged leak of Trump and Harris data, Krebs did a deep dive into Kiberphant0m’s online communications and identified that they were likely a US soldier. In this latest report, Krebs spoke with Wagenius’ mother, who confirmed his connection to the alleged Snowflake hacker.

Cybersecurity experts reportedly received harassment for trying to track down Kiberphant0m’s identity, leading to this incredible quote from Allison Nixon, the lead researcher at cybersecurity firm Unit 221B, who was part of the work. “Anonymously extorting the President and VP as a member of the military is a bad idea,” Nixon told Krebs, “but it’s an even worse idea to harass people who specialize in de-anonymizing cybercriminals.”