One of the most enigmatic figures in the world of cybercrime, the hacker known as Kiberphant0m, has become the subject of international investigations. His actions have been linked to numerous high-profile data breaches, yet he has thus far evaded capture. Following the arrest of his associates, new information has surfaced that may shed light on his identity.
Kiberphant0m is known across forums like BreachForums, Telegram channels, and even gaming chats. His latest victims include Snowflake clients such as AT&T, which reportedly paid $370,000 to ensure the deletion of stolen data. But who is he? Emerging evidence hints at an unexpected connection to the U.S. military.
In October 2024, Canadian authorities arrested Alexander Moucka, an associate of Kiberphant0m known as Judische and Waifu. Moucka is accused of selling data stolen from Snowflake users who refused to pay the ransom. After Moucka’s arrest, Kiberphant0m posted emotional threats on BreachForums, declaring his readiness to leak AT&T’s presidential records. His posts were marked with hashtags like #FREEWAIFU.
Among the data allegedly stolen by Kiberphant0m are recordings of government agency calls, schematics of the U.S. National Security Agency’s databases, and information about Verizon’s emergency services. On forums, he has also sold databases stolen from South Korean companies.
Kiberphant0m frequently operated under other aliases, such as Reverseshell and Proman557. As Proman557, he appeared on hacker forums in 2022, advertising Linux-based botnets and access to corporate networks. However, his activities on the Russian-speaking forum Exploit ended in scandal when he was banned for a $350 fraud. Undeterred, he resumed operations under the alias Vars_Secc.
The Telegram account @Kiberphant0m (ID 6953392511) actively participated in discussions on the Dstat channel, which was frequented by cybercriminals offering DDoS services. On January 4, 2024, shortly after he joined a discussion, another user addressed him by another alias, “buttholio,” to which he replied with the slang term “wsg” (“what’s good?”). The Dstat channel and its associated site were later dismantled during the international PowerOFF operation targeting DDoS services.
In April 2024, Kiberphant0m admitted on the Dstat channel to using an alternate Telegram account under the alias @Reverseshell. Two weeks later, he confirmed this in another Telegram chat called The Jacuzzi, significantly aiding investigators in their pursuit.
The Telegram account Vars_Secc also claimed affiliation with the BreachForums user Boxfan. In his final post on BreachForums in January 2024, Boxfan disclosed a vulnerability he had discovered in Naver, South Korea’s most popular search engine. His comments revealed a deep animosity towards South Korean culture, a recurring theme in his activities.
“Enjoy exploiting this vulnerability,” he wrote on BreachForums, alongside a lengthy code snippet. “Screw you, South Korea, with your discriminatory views. Nobody likes your K-pop, you miserable bastards. Whoever leaks this database, congratulations. I can’t be bothered, so here’s the exploit.”
At one point, the hacker earned money through bug bounty programs, collaborating with companies like Reddit and Coinbase. In one message, he claimed to have found a vulnerability in a major U.S. aerospace company’s system but chose to sell the data instead of reporting the flaw.
The most intriguing element of this saga lies in his alleged ties to the military. In 2022, under one of his aliases, the hacker claimed to serve in the U.S. Army at a South Korean base. This claim is supported by screenshots showing him using military Wi-Fi and wearing a uniform. Given his skill set, it is plausible that he had connections to a cyber unit. Posts on gaming forums further painted an unusual picture: he shared experiences of using South Korean servers in online games, claiming he purchased the games in the U.S. but played from Asia due to his “rotation” assignment.
Interestingly, he frequently clashed with moderators on cybercrime forums, often being banned for defrauding users. Despite this, he continued offering services such as hacking government servers and reselling access.
The key question remains: can he truly remain elusive? Kiberphant0m claims to be beyond the reach of law enforcement, describing his “military service” narrative as a mere diversion. However, investigators continue to piece together clues, analyzing digital footprints and anonymous accounts.
Despite his assertions of invulnerability, cybersecurity experts believe his arrest is only a matter of time. A wealth of evidence—links between his aliases, IP addresses, and forum activities—has already been amassed.
Even among cybercriminals, Kiberphant0m stands out as a singular figure. While most focus on financial data and corporate vulnerabilities, he exhibits a selective approach, targeting government entities and critical infrastructure.