A hacker behind multiple data breaches and extortion attempts targeting Snowflake cloud storage customers may be an active U.S. Army service member stationed in South Korea, according to a detailed investigation of their online activities.
The cybercriminal, known by the alias "Kiberphant0m," remains at large after two other suspects were arrested in connection with stealing and extorting data from dozens of companies using Snowflake's platform.
Through analysis of the hacker's daily conversations across various cybercrime forums, investigators have uncovered multiple online personas (including Buttholio, Reverseshell, Proman, and Vars_Secc) that appear to belong to the same individual. These accounts consistently revealed patterns suggesting the person behind them is a U.S. military member with advanced computer skills who was recently posted in South Korea.
The hacker's activities extend beyond the Snowflake breaches to include involvement in AT&T data theft, distributed denial-of-service (DDoS) attacks, botnet operations, and bug bounty claims. While specific details about their military role remain unknown, their technical expertise suggests they may have held an IT-related position.
When confronted with these findings, the individual operating as Kiberphant0m denied any connection to the U.S. Army, dismissing the evidence as an "opsec troll": a deliberate attempt to mislead investigators about their true identity.
As investigations continue, law enforcement agencies are working to verify these military connections while the hacker maintains their extortion campaign against various companies.