Canadian law enforcement has apprehended Alexander “Connor” Moucka, a suspect in a series of high-profile cyberattacks linked to the breach of the cloud data warehousing platform Snowflake. The arrest, executed on October 30, 2024, was made under a provisional warrant following a request from U.S. authorities.
This incident was initially reported by Bloomberg and later confirmed by 404 Media, although the specific charges against Moucka have yet to be disclosed. In June 2024, Snowflake publicly revealed that a targeted campaign had compromised a “limited number” of its clients, which was later attributed to a financially motivated group identified as UNC5537.
The attributed group, whose members are primarily based in North America, was reported to collaborate with another member located in Turkey. According to Snowflake, approximately 165 organizations were impacted, including notable companies like Advance Auto Parts, AT&T, LendingTree, Neiman Marcus, Santander, and Ticketmaster.
Reports indicate that the attacks involved extortion tactics wherein the threat actors threatened to sell stolen data on criminal underground forums unless ransom payments were made. It has been reported that AT&T paid $370,000 to the attackers to erase the compromised data.
The modus operandi of the attackers involved using stolen customer credentials acquired through prior infections with infostealer malware, which gave them initial access to targeted systems. Investigations revealed that these initial compromises originated from contractor systems that had been used to download unauthorized software and games.
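The access pattern described above (a password harvested by an infostealer, replayed from an attacker-controlled machine, with no second factor to stop it) leaves a recognisable trace in login telemetry. The following is an added detection example written for this page, not code from the article or from Snowflake: it builds a per-user baseline of source IPs from earlier successful logins and then flags later successful logins that used a single factor and/or came from an IP never seen for that user. The event format, field names, the sample events and the severity rules are all constructed for the example; a real deployment would feed it the cloud platform's own login history.

```python
"""Flag successful logins that look like replay of stolen credentials.

A login that succeeds with only a password, from a source the user has
never logged in from before, is the signature of an infostealer-harvested
credential being used from a new machine (ATT&CK T1078, Valid Accounts).
"""
from collections import defaultdict

# Constructed sample login events for this example (not real telemetry).
# "factors" lists the authentication factors used; a single entry means a
# password alone, which is all a stolen credential needs to succeed.
SAMPLE_EVENTS = [
    {"ts": "2024-04-14T09:02:11Z", "user": "analyst1", "ip": "203.0.113.10",
     "success": True, "factors": ["PASSWORD", "DUO_PUSH"]},
    {"ts": "2024-04-14T10:11:09Z", "user": "svc_etl", "ip": "192.0.2.5",
     "success": True, "factors": ["PASSWORD"]},
    {"ts": "2024-04-15T22:15:03Z", "user": "analyst1", "ip": "198.51.100.77",
     "success": True, "factors": ["PASSWORD"]},          # new IP, no MFA
    {"ts": "2024-04-15T22:16:40Z", "user": "svc_etl", "ip": "192.0.2.5",
     "success": True, "factors": ["PASSWORD"]},          # known IP, no MFA
    {"ts": "2024-04-15T22:18:00Z", "user": "analyst1", "ip": "198.51.100.77",
     "success": False, "factors": ["PASSWORD"]},         # failure: ignored
]


def build_baseline(events, before):
    """Map each user to the source IPs seen in successful logins before
    `before` (ISO-8601 UTC strings compare correctly as text)."""
    seen = defaultdict(set)
    for e in events:
        if e["success"] and e["ts"] < before:
            seen[e["user"]].add(e["ip"])
    return dict(seen)


def detect_stolen_credential_use(events, baseline, since):
    """Return findings for successful logins at or after `since`.

    high   : single factor AND source IP never seen for this user
    medium : single factor from a known IP (an MFA gap worth closing)
    low    : MFA satisfied but the IP is new for the user
    """
    findings = []
    for e in events:
        if not e["success"] or e["ts"] < since:
            continue
        single_factor = len(e["factors"]) < 2
        new_ip = e["ip"] not in baseline.get(e["user"], set())
        if single_factor and new_ip:
            severity = "high"
        elif single_factor:
            severity = "medium"
        elif new_ip:
            severity = "low"
        else:
            continue
        findings.append({
            "ts": e["ts"],
            "user": e["user"],
            "ip": e["ip"],
            "severity": severity,
            "single_factor": single_factor,
            "new_ip": new_ip,
            "attack_technique": "T1078 Valid Accounts",
        })
    return findings


if __name__ == "__main__":
    cutoff = "2024-04-15T00:00:00Z"
    base = build_baseline(SAMPLE_EVENTS, cutoff)
    for f in detect_stolen_credential_use(SAMPLE_EVENTS, base, cutoff):
        print(f"[{f['severity']:6}] {f['ts']} {f['user']} from {f['ip']} "
              f"(single_factor={f['single_factor']}, new_ip={f['new_ip']})")
```

The "medium" tier exists because the account that matters most in this kind of campaign is often one that has always logged in without a second factor; the fix for that class is enforcing MFA and restricting source networks, whereas the "high" tier is what an analyst should triage first.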
As the case unfolded, reports emerged linking Moucka, who uses online aliases such as Judische, to a larger cybercrime network known as “the Com.” This group is notorious for engaging in both physical and digital attacks, including violent tactics for accessing accounts and stealing funds from rivals. Evidence suggests that he may also have collaborated with John Binns, a hacker who was arrested in Turkey in May 2024.
Update
The U.S. Department of Justice has unsealed an indictment against Moucka and Binns, accusing them of exploiting stolen credentials to breach a minimum of ten Snowflake customers. This resulted in the exfiltration of sensitive data sold for ransom, including around “50 billion customer call and text records” from a major telecommunications firm, presumably AT&T. The indictment further alleges that the duo attempted to obscure their financial transactions using a complex web of cryptocurrency transfers.
In summary, the two suspects are estimated to have extorted at least three victims for a total of 36 bitcoins, translating to approximately $2.5 million at the time. They also sought to monetize stolen data, employing a tool dubbed Rapeflake to market this information on cybercriminal platforms for millions.
Throughout their operations, the conspirators illegally accessed billions of sensitive records, including individuals’ non-content call and text histories, banking details, and other personally identifiable information. The methods employed in these attacks align notably with several tactics outlined in the MITRE ATT&CK framework, including initial access through credential theft and subsequent lateral movement within victim networks.