{
	"id": "fdb6fa86-757b-477d-bbed-507cc9f2c19f",
	"created_at": "2026-04-06T00:20:08.795709Z",
	"updated_at": "2026-04-10T03:31:41.950279Z",
	"deleted_at": null,
	"sha1_hash": "a3c0615ac327cf7f099227cb48a8c93c9ca16240",
	"title": "Canadian Suspect Arrested Over Snowflake Customer Breach and Extortion Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 687153,
	"plain_text": "Canadian Suspect Arrested Over Snowflake Customer Breach and\r\nExtortion Attacks\r\nBy The Hacker News\r\nPublished: 2024-11-05 · Archived: 2026-04-05 21:29:32 UTC\r\nCanadian law enforcement authorities have arrested an individual who is suspected to have conducted a series of\r\nhacks stemming from the breach of cloud data warehousing platform Snowflake earlier this year.\r\nThe individual in question, Alexander \"Connor\" Moucka (aka Judische and Waifu), was apprehended on October\r\n30, 2024, on the basis of a provisional arrest warrant, following a request by the U.S.\r\nThe development was first reported by Bloomberg and corroborated by 404 Media. The exact nature of the\r\ncharges against Moucka is currently not known.\r\nIn June 2024, Snowflake disclosed that a \"limited number\" of its customers were targeted as part of a targeted\r\ncampaign. Later, Google-owned Mandiant attributed it to a financially motivated threat group called UNC5537.\r\n\"UNC5537 comprises members based in North America, and collaborates with an additional member in Turkey,\"\r\nthe company assessed with moderate confidence at the time, adding approximately 165 organizations were\r\nimpacted.\r\nhttps://thehackernews.com/2024/11/canadian-suspect-arrested-over.html\r\nPage 1 of 3\n\nSome of the targeted companies included major corporations such as Advance Auto Parts, AT\u0026T, LendingTree,\r\nNeiman Marcus, Santander, and Ticketmaster (Live Nation).\r\nIn some of the incidents, the threat actor(s) attempted to extort the companies by threatening to sell the stolen data\r\non criminal forums if they didn't pay up. AT\u0026T reportedly paid the hackers $370,000 to delete the stolen data,\r\naccording to WIRED.\r\nThe attacks worked by leveraging stolen customer credentials obtained via prior stealer malware infections to\r\nobtain initial access. 
The investigation also found that the initial compromise of infostealer malware occurred on\r\ncontractor systems that were used for downloading games and pirated software. \r\nReports published by Krebs On Security and 404 Media in September 2024 revealed that Judische is likely based\r\nin Canada and has connections to a broader cybercrime ecosystem called the Com, which is known to engage in\r\nphysical and digital attacks, sometimes resorting to violence, to gain access to accounts and steal funds from\r\nrivals.\r\nJudische is also believed to have collaborated with another hacker called John Binns, who was arrested in Turkey\r\nin May 2024.\r\nUpdate\r\nThe U.S. Department of Justice has unsealed an indictment accusing Connor Riley Moucka and John Erin Binns\r\nof using credentials obtained via information stealers to breach at least 10 Snowflake customers and exfiltrate\r\nsensitive data in exchange for ransom payments. \r\nThis included \"approximately 50 billion customer call and text records\" from a \"major telecommunications\"\r\ncompany in the U.S., court documents said, likely referencing AT\u0026T. The defendants have also been alleged to\r\nconceal the money trail by routing the funds through \"a complex series of cryptocurrency transactions.\"\r\nIn all, the two hackers are estimated to have extorted three victims for at least 36 bitcoins, valued at roughly $2.5\r\nmillion at the time of the payment. 
They also attempted to sell the stolen data, harvested using a tool dubbed\r\nRapeflake, on cybercriminal forums for millions of dollars.\r\n\"Through this scheme, the co-conspirators gained unlawful access to billions of sensitive customer records,\r\nincluding individuals' non-content call and text history records, banking and other financial information, payroll\r\nrecords, Drug Enforcement Agency ('DEA') registration numbers, driver's license numbers, passport numbers,\r\nSocial Security numbers, and other personally identifiable information,\" it said.\r\nSource: https://thehackernews.com/2024/11/canadian-suspect-arrested-over.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2024/11/canadian-suspect-arrested-over.html"
	],
	"report_names": [
		"canadian-suspect-arrested-over.html"
	],
	"threat_actors": [
		{
			"id": "358432a9-d927-43c7-9201-b7aa7d184c26",
			"created_at": "2024-06-20T02:02:10.317536Z",
			"updated_at": "2026-04-10T02:00:05.043265Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "ETDA:UNC5537",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c24777-7c0f-4772-b273-2163ac5a6b67",
			"created_at": "2024-06-19T02:00:04.373472Z",
			"updated_at": "2026-04-10T02:00:03.651748Z",
			"deleted_at": null,
			"main_name": "UNC5537",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC5537",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434808,
	"ts_updated_at": 1775791901,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3c0615ac327cf7f099227cb48a8c93c9ca16240.pdf",
		"text": "https://archive.orkl.eu/a3c0615ac327cf7f099227cb48a8c93c9ca16240.txt",
		"img": "https://archive.orkl.eu/a3c0615ac327cf7f099227cb48a8c93c9ca16240.jpg"
	}
}