Suspect in Snowflake hack arrested in Canada
Alexander 'Connor' Moucka is believed to be a prominent figure in the hacking group behind breaches at 165 companies


Canadian authorities have arrested a man in connection with the series of Snowflake-related breaches earlier this year.
Along with alleged co-conspirator John Binns, Alexander 'Connor' Moucka is believed to have been behind the widespread campaign that breached around 165 companies by targeting cloud storage provider Snowflake.
According to reports, Moucka - known online as Judische and Waifu - was arrested following a request by the US and could face extradition. While officials have confirmed that he has been arrested on a provisional warrant and has appeared in court, there's no information on the precise charges he faces.
The attackers, known as UNC5537 or ShinyHunters, are believed to be mainly from North America, with Binns based in Turkey.
They used an employee's stolen credentials, purchased on the dark web, to compromise misconfigured SaaS instances at companies that had failed to use multi-factor authentication (MFA) on their Snowflake accounts.
Those affected included AT&T, Neiman Marcus, Ticketmaster, Adobe, Santander, Western Union, and PepsiCo. The AT&T attack alone saw the theft of personal data and call and text logs for more than 100 million people - virtually all its customers - while Ticketmaster said the data of 560 million customers was impacted.
Companies were reported to have later received ransom demands of between $300,000 and $5 million in exchange for the deletion of their data.
"UNC5537, aka Alexander ‘Connor’ Moucka, has proven to be one of the most consequential threat actors of 2024. In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations," said.
"The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm a single individual can cause using off-the-shelf tools. This arrest serves as a deterrent to cyber criminals and reinforces that their actions have serious consequences."
Snowflake implemented sweeping changes in the wake of the incident earlier this year, and now enforces multi-factor authentication (MFA) for new accounts. The company also requires all passwords to be at least 14 characters long.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.