Suspect in Snowflake hack arrested in Canada

News
By published

Alexander 'Connor' Moucka is believed to be a prominent figure in the hacking group behind breaches at 165 companies

The Snowflake logo displayed on their pavilion at the Mobile World Congress 2024 in Barcelona, Spain, on February 28, 2024.
(Image credit: Getty Images)

Canadian authorities have arrested a man in connection with the series of Snowflake-related breaches earlier this year.

Along with alleged co-conspirator John Binns, Alexander 'Connor' Moucka is believed to have been behind the widespread campaign that breached around 165 companies by targeting cloud storage provider Snowflake.

According to reports, Moucka - known online as Judische and Waifu - was arrested following a request by the US and could face extradition. While officials have confirmed that he has been arrested on a provisional warrant and has appeared in court, there's no information on the precise charges he faces.

The attackers, known as UNC5537 or ShinyHunters, are believed to be mainly from North America, with Binns based in Turkey.

They leveraged the stolen credentials of an employee purchased on the dark web to compromise misconfigured SaaS instances at companies that had failed to use multi-factor authentication (MFA) on their Snowflake accounts.

Those affected included AT&T, Neiman Marcus, Ticketmaster, Adobe, Santander, Western Union, and PepsiCo. The AT&T attack alone saw the theft of personal data and call and text logs for more than 100 million people - virtually all its customers - while Ticketmaster said the data of 560 million customers was impacted.

Companies were reported to have later received ransom demands of between $300,000 and $5 million in exchange for the deletion of their data.

"UNC5537, aka Alexander ‘Connor’ Moucka, has proven to be one of the most consequential threat actors of 2024. In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations," said.

"The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm a single individual can cause using off-the-shelf tools. This arrest serves as a deterrent to cyber criminals and reinforces that their actions have serious consequences."

Snowflake implemented sweeping changes in the wake of the incident earlier this year, and now enforces multi-factor authentication (MFA) for new accounts. The company also requires all passwords to be at least 14 characters long.

Emma Woollacott
Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

More about security
Quantum computing concept image showing CPU and computing chip on a circuit board.

Get started on post-quantum encryption, organizations warned
Security tools concept image showing multiple locked padlocks with one opened padlock placed in middle.

Western Alliance Bank admits cyber attack exposed 22,000 customers

ServiceNow signage pictured during the Singapore FinTech Festival in Singapore, on Wednesday, Nov. 15, 2023.

Old ServiceNow vulnerabilities could cause havoc for unpatched customers
See more latest