US Prosecutors Indict Hackers for Snowflake Data Breach

3rd Party Risk Management,
Governance & Risk Management,
Incident & Breach Response

DOJ Accuses Alleged Hackers of Stealing Terabytes of Data From Snowflake Victims

US Prosecutors Charge Hackers in Snowflake Data Theft
Connor Moucka and John Binns face charges for allegedly stealing terabytes of data from Snowflake customer accounts, affecting more than 165 organizations.

The U.S. Department of Justice has unsealed an indictment against two individuals, Connor Moucka and John Binns, for their alleged roles in a large-scale intrusion campaign against customer accounts on Snowflake, a widely used cloud data platform. The campaign reportedly affected more than 165 organizations and resulted in the theft of approximately 50 billion call and text records.

Authorities arrested Moucka in Canada earlier this month, while Binns was detained in Turkey. Both face serious charges in a 12-count indictment; Binns had already been indicted separately in the U.S. over the 2021 hack of telecom company T-Mobile. The investigation has been supported by Google Cloud's Mandiant incident response team, which has been assisting Snowflake since June with the campaign attributed to the threat actor Mandiant tracks as UNC5537, which some reporting has associated with the Scattered Spider collective.

The indictment charges Moucka and Binns with stealing "approximately 50 billion customer call and text records" and extorting "at least 36 bitcoin," worth around $2.5 million at the time of the transactions. The two are also accused of advertising the stolen data for sale on cybercriminal forums to generate additional revenue.

According to federal prosecutors, the pair committed computer fraud and aggravated identity theft between November 2023 and October 2024, gaining unauthorized access to cloud services and amassing large volumes of private data, including personal identification information, banking records, and communication histories. Mandiant's public findings attribute the access to stolen credentials, many harvested by infostealer malware, used against customer accounts that lacked multi-factor authentication, rather than to any exploit of the Snowflake platform itself; in MITRE ATT&CK terms this is initial access via Valid Accounts following credential theft.
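The credential-based access pattern described above is what a Snowflake customer can hunt for in its own login history. The following is an added example, not code from the article, Mandiant, or Snowflake: it runs a few simple checks over constructed rows shaped like the SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (column names such as USER_NAME, CLIENT_IP, FIRST_AUTHENTICATION_FACTOR, SECOND_AUTHENTICATION_FACTOR and IS_SUCCESS are real; the users, IP addresses, timestamps and the baseline cut-off date are invented). It flags successful password-only logins, users who have never presented a second factor, and logins from an IP address not previously seen for that user.

```python
"""Hunt for password-only and first-seen-IP logins in Snowflake-style login history.

Added example for illustration. The sample rows are constructed to mirror the
shape of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY; every user, IP and timestamp
below is invented.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LoginEvent:
    """One LOGIN_HISTORY row (subset of columns)."""
    event_timestamp: datetime
    user_name: str
    client_ip: str
    reported_client_type: str
    first_authentication_factor: str
    second_authentication_factor: Optional[str]
    is_success: bool


# Constructed sample rows: a service account that always logs in from one
# address, an analyst who uses MFA, then a password-only success for the
# service account from an address never seen before.
SAMPLE_LOGINS = [
    LoginEvent(datetime(2024, 4, 1, 9, 0), "ETL_SVC", "203.0.113.10", "JDBC_DRIVER", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 4, 2, 9, 0), "ETL_SVC", "203.0.113.10", "JDBC_DRIVER", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 4, 3, 9, 0), "ANALYST1", "198.51.100.7", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", True),
    LoginEvent(datetime(2024, 4, 20, 2, 13), "ETL_SVC", "192.0.2.55", "PYTHON_DRIVER", "PASSWORD", None, True),
    LoginEvent(datetime(2024, 4, 20, 2, 14), "ANALYST1", "192.0.2.55", "PYTHON_DRIVER", "PASSWORD", None, False),
]


def password_only_logins(events: List[LoginEvent]) -> List[LoginEvent]:
    """Successful logins authenticated by password with no second factor."""
    return [
        e for e in events
        if e.is_success
        and e.first_authentication_factor == "PASSWORD"
        and not e.second_authentication_factor
    ]


def users_without_mfa(events: List[LoginEvent]) -> List[str]:
    """Users with at least one successful login who never presented a second factor."""
    by_user = defaultdict(list)
    for e in events:
        if e.is_success:
            by_user[e.user_name].append(e)
    return sorted(
        user for user, evs in by_user.items()
        if not any(e.second_authentication_factor for e in evs)
    )


def first_seen_ip_logins(events: List[LoginEvent], baseline_end: datetime) -> List[LoginEvent]:
    """Successful logins after baseline_end from an IP that user never used before it."""
    ordered = sorted(events, key=lambda e: e.event_timestamp)
    seen = defaultdict(set)
    for e in ordered:
        if e.is_success and e.event_timestamp <= baseline_end:
            seen[e.user_name].add(e.client_ip)
    return [
        e for e in ordered
        if e.is_success
        and e.event_timestamp > baseline_end
        and e.client_ip not in seen[e.user_name]
    ]


def triage(events: List[LoginEvent], baseline_end: datetime) -> List[Tuple[str, str, str]]:
    """Logins that are both password-only and from a first-seen IP: the highest-priority review set."""
    pw_only = set(password_only_logins(events))
    return [
        (e.user_name, e.client_ip, e.event_timestamp.isoformat())
        for e in first_seen_ip_logins(events, baseline_end)
        if e in pw_only
    ]


if __name__ == "__main__":
    # Baseline cut-off is an assumed date chosen for the constructed data.
    for user, ip, ts in triage(SAMPLE_LOGINS, datetime(2024, 4, 15)):
        print("REVIEW:", user, ip, ts)
```

In a real account the same three questions are asked of the ACCOUNT_USAGE view with SQL; the point of separating the checks is that a password-only login from a known address for a service account is routine, while the same login from a never-seen address is exactly the event a stolen credential produces and should page someone.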

Victims that have publicly acknowledged exposure in the Snowflake campaign include Santander Bank, Advance Auto Parts, Ticketmaster, Neiman Marcus, the Los Angeles Unified School District, and Bausch Health. Reports indicate that the hackers began contacting victims for ransom in June, threatening to publish stolen data online. At that time, Mandiant had identified as many as ten Snowflake customers who had received ransom demands ranging from $300,000 to $5 million.

The indictment further alleges that Moucka and Binns demanded ransom payments in cryptocurrency and ran the proceeds through layered transactions intended to obscure their origin and destination, using virtual asset service providers around the world, including some based in the United States.
