Unlikely Trio Linked to Hack of AT&T Data, Attempt to Sell It

(Bloomberg) — Connor Moucka, a Canadian, dropped out of high school and lived with his grandfather. John Binns, an American living in Turkey, feared the FBI and CIA were tracking him. Cameron Wagenius, a US soldier, allegedly Googled how to defect to Russia.

That unlikely trio now faces charges related to an extensive hacking spree that resulted in millions of dollars in ransom payments, a massive cache of stolen mobile phone records, and a warning from FBI leaders that the theft could expose communications between agents and secret sources.

Moucka, 25, and Binns, 25, who is being held in a Turkish prison, are accused of hacking customers of software provider Snowflake Inc. and attempting to extort them for ransom payments in exchange for deleting the stolen data. Companies including AT&T Inc., Live Nation Entertainment Inc. and Advance Auto Parts Inc. disclosed that they were affected by the attacks in June and July. 

It’s not clear if Moucka or Binns have yet entered a plea.

Wagenius, a 21-year-old previously stationed in Texas, pleaded guilty to trying to sell stolen AT&T data. In a court filing on Feb. 26, prosecutors said that Wagenius also communicated with an email address he believed belonged to an unnamed foreign intelligence service in an attempt to sell stolen information. 

Lawyers representing the men didn’t respond to several emails seeking comment.

On Friday, Canadian authorities scheduled Moucka’s extradition hearing for March 21. The US has asked for his extradition so he can be tried on charges related to hacks of at least 10 Snowflake customers.

Some details of how Moucka, Binns and Wagenius met and allegedly engaged in related cybercrimes have emerged in court records, in social media histories reviewed by Bloomberg News, and in interviews with people who knew them or tracked them online. 

Online, Moucka went by the handle Waifu, while Wagenius used the name KiberPhant0m and Binns, Irdev, according to US prosecutors. The online personas engaged in conspiracy theories and mutual suspicion of the US government, according to messages on Telegram and Discord reviewed by Bloomberg.

An arrest warrant alleges Moucka, as Waifu, wrote on Discord about “mass mailing sodium nitrite pills” to Black people in Michigan and Ohio in January 2024. Minutes later, he added, “I think I’d make a really good serial killer,” according to the warrant. He talked about mass shootings and mowing down crowds, Canadian authorities said.

In addition, Waifu boasted about knowing key members of Atomwaffen Division, a neo-Nazi group, according to messages seen by Bloomberg. Waifu also shared crude messages about rape and torture on group Telegram messages frequented by young hackers and seen by Bloomberg. 

Moucka struck a different posture in real life, where he struggled to make friends and lived mostly out of a bedroom in his grandfather’s bungalow in Ontario. 

“He’d work for 30 hours and fall asleep. He didn’t know what day it was,” said Moucka’s grandfather, Anthony Przeklasa, during an interview in January. Moucka never finished high school, Przeklasa, 75, said. The former circuit board designer added that he believed his grandson worked as a freelance software developer.

Moucka would stare for hours at the two monitors he had set up in his bedroom, Przeklasa said. A window was kept open to cool his computer’s whirring processors, in a region where temperatures regularly dip below freezing during the winter. 

Moucka’s mother and stepfather live in the US, where he occasionally spent time as a teen, Przeklasa said. During the Covid-19 pandemic, Moucka was encouraged to take virtual classes. That’s when, Przeklasa believes, he developed the extreme views outlined in his arrest warrant, spending his days and nights online.

The alleged online personas for Moucka and Binns — Waifu and Irdev — met in the late 2010s while gaming online, according to interviews with three people who tracked them for years. The pair are alleged members of a loose online network known as the Com, according to Allison Nixon, chief research officer at cybersecurity research firm Unit 221B who has tracked Com members, including the defendants, for years. The Com consists largely of English-speaking young men who specialize in financially motivated crime, such as hacking verified social media handles to sell on the black market and stealing from cryptocurrency wallets, according to Nixon and other cybersecurity experts. 

Online, Waifu and Irdev compared their hacks to sexual violence, sometimes threatening other Com members, said Nixon, who said she was threatened by Waifu.

In 2024, Moucka rekindled an old friendship with Binns to allegedly hack and extort AT&T after stealing six months’ worth of mobile phone customer call and text logs, according to public chat blogs and a person familiar with the defendants who asked not to be named for legal reasons. The breach alarmed FBI leaders, who worried that agents’ phone records were among those stolen — potentially exposing confidential informants. 

In early October, US prosecutors urged Canadian authorities to apprehend Moucka, concerned about his violent online threats. 

FBI Concerned

Shortly after Moucka’s arrest, KiberPhant0m offered the AT&T dataset for sale on a criminal forum. KiberPhant0m, which US authorities tied to Wagenius, had met Waifu a few months prior online, according to the person familiar with the matter. 

By then, Binns was in custody in Turkey for hacking and privacy violation charges, the specifics of which aren’t clear. It’s not known if Binns has entered a plea for the Turkish charges.

Born in Virginia, Binns grew up in McLean, the headquarters of the CIA. His father died when Binns was a toddler, according to an obituary, and his mother is a Turkish citizen. 

He’d already spent years believing the CIA and FBI were tracking him, according to court documents reviewed by Bloomberg. 

Binns tried to sue both government departments in 2020. In the suit, Binns alleged the FBI had been surveilling him since he moved to Izmir, Turkey, with his mother in 2018. He said the CIA was shooting “psychotronic lasers” into his bedroom and tried to have him killed in 2019. Neither the FBI nor CIA responded to a request for comment. His lawsuit was dismissed.

Binns was indicted in 2022 by the US for breaking into T-Mobile’s systems to install a malware backdoor and steal data belonging to 76.6 million customers — after confessing to the hack in a 2021 interview with the Wall Street Journal. The theft would later cost T-Mobile $350 million to settle a class-action lawsuit.

As Binns’ legal issues piled up, Irdev and Waifu kept working together, US prosecutors said. The pair wanted to break into telecommunications companies to learn who was investigating them, according to three people familiar with the matter who asked to remain anonymous for fear of retaliation. 

Waifu’s Telegram account regularly mocked Irdev’s paranoia about the FBI and CIA tracking him, according to messages seen by Bloomberg. But according to a person who knew Moucka, who asked not to be named, he was infatuated with Russia, talking about it often and changing his name to Alexander Antonin Moucka from Connor Riley Moucka to sound more Eastern European.

Wagenius also shared interest in Russia. According to US prosecutors, while on active duty at Fort Cavazos in November last year, he Googled how to defect to the country. Around the same time, he was accused by US prosecutors of attempting to extort AT&T with the call records Moucka and Binns allegedly stole.

During the time Binns was jailed pending a trial in Izmir, he was granted Turkish citizenship and will not face extradition to the US, a senior Turkish official who asked not to be named discussing official matters told Bloomberg.

Back in Canada, Przeklasa said police were prepared for a dangerous encounter when they arrived at his house to arrest Moucka on Oct. 30.

“They said they were about five minutes away from busting the door down and gassing the place to get to him,” Przeklasa said, after the police confronted him from a church parking lot. “I gave them my keys, and told them there’s a doorbell.”

Moucka simply answered the door. Authorities didn’t find sodium nitrite pills, nor any of the weaponry Waifu boasted about online, his grandfather said.

Przeklasa didn’t attend his grandson’s court hearings. After Moucka’s arrest, the police seized the computer where Przeklasa had saved photos and videos of his late wife Sheila. His request to have them returned was denied. 

“He played me,” Przeklasa said of Moucka. 

—With assistance from Selcan Hacaoglu.
