Snowflake Data Breach and Extortion Attacks Lead to the Arrest of a Canadian Suspect

Authorities in Canada have detained a person suspected of carrying out a string of cyberattacks related to the breach of the Snowflake cloud data warehousing platform earlier this year. Alexander "Connor" Moucka (also known as Judische and Waifu) was arrested under a provisional arrest warrant on October 30, 2024, at the request of the U.S.

404 Media confirmed the development, which was initially reported by Bloomberg. The specifics of the charges against Moucka are not yet known. Snowflake revealed in June 2024 that a "limited number" of its clients had been singled out as part of a targeted campaign. Google-owned Mandiant later attributed the activity to UNC5537, a financially motivated threat group.

At the time, the company assessed with a degree of confidence that "UNC5537 comprises members based in North America, and collaborates with an additional member in Turkey," adding that about 165 organizations were affected. Ticketmaster (Live Nation), Neiman Marcus, AT&T, LendingTree, Advance Auto Parts, and Santander were among the large corporations that were targeted.

In some of the incidents, the threat actors attempted extortion, threatening to sell the stolen data on underground forums if the companies did not pay. WIRED reported that AT&T paid the hackers $370,000 to have the stolen information deleted. Initial access was obtained using stolen customer credentials that had been harvested by earlier infostealer malware infections. The investigation also found that the initial infostealer infections occurred on contractor systems that were also used to download games and pirated software.

Krebs on Security and 404 Media reported in September 2024 that Judische is probably based in Canada and has ties to the Com, a larger cybercrime network that uses digital and physical attacks, sometimes involving violence, to take over accounts and steal money from rivals. Judische is also believed to have worked with another hacker, John Binns, who was detained in Turkey in May 2024.