Snowflake data theft suspect arrested in Canada

An alleged threat actor behind the data theft and extortion affecting more than 160 customers of the cloud service Snowflake was arrested by Canadian authorities last week and now faces extradition to the United States.

Alexander “Connor” Moucka, 26, was arrested on a provisional warrant Wednesday, Bloomberg first reported late Monday, and is believed to have been involved in the extortion of companies including AT&T, Ticketmaster and Advanced Auto Parts after company databases stored on Snowflake were accessed using stolen credentials.

The data breaches were attributed to a threat actor dubbed UNC5537 by Mandiant in June, with threat researchers saying the group consisted of members in North America and Turkey. In September, Brian Krebs, on his blog KrebsonSecurity, further identified one of the individuals involved in the Snowflake incident as a 26-year-old Canadian software engineer who goes by “Judische” and “Waifu” online.

Another suspected member of UNC5537 is John Binns, a U.S. citizen who is detained in Turkey in May 2024 for his alleged involvement in a 2021 T-Mobile breach. A researcher told Wired magazine that Binns claimed to have call logs of millions of AT&T customers and attempted to extort $370,000 from the company.

The hacker known as Judische, who is now believed to be Mouck, had previously claimed in Telegram groups to have hacked one of the first Snowflake customers confirmed to have had its data stolen — Santander Bank — according to Krebs. Judische would also mention the names of other Snowflake customers on Telegram prior to their data showing up on cybercrime forums, further corroborating Judische’s involvement in the incident.

Under the name Waifu, Judische was previously involved in several SIM swapping schemes, earning himself a reputation among cybercrime-focused Telegram channels, Krebs reported.

Snowflake suspect faces extradition to the United States

Moucka appeared remotely in court by phone from prison on Nov. 5, saying he was unable to retain a lawyer due to the prison being “locked down,” 404 Media first reported. Canadian authorities have confirmed that Moucka was arrested “following a request by the United States,” according to 404 Media, meaning the U.S. government is likely seeking to extradite the suspect to face charges for crimes against American companies and consumers.

Further details about the potential criminal charges against Moucka were not available Tuesday, although KrebsonSecurity reported that Moucka was named in multiple sealed indictments issued by U.S. federal law enforcement agencies and prosecutor’s offices. KrebsonSecurity also reported than an individual claiming to be Judische told the publication more than three months ago that they were responsible for stealing the Snowflake data and extorting Snowflake customers, and had also stated on Oct. 26 that they felt authorities were “closing in.”

The Snowflake data thefts were the result of breaches of Snowflake accounts whose credentials had previously been stolen using infostealer malware, according to Mandiant, affecting victims who did not have multi-factor authentication (MFA) enabled. Snowflake implemented a new mandatory MFA policy in July.