BIGFISH TECHNOLOGY LIMITED
05 November 2024

Canadian Suspect Arrested for Snowflake Data Breach and Extortion Attacks.

Canadian authorities have detained a person suspected of carrying out a series of hacks following the breach of cloud data warehousing platform Snowflake earlier this year.

Alexander "Connor" Moucka (aka Judische and Waifu) was arrested on October 30, 2024, on the basis of a temporary arrest warrant requested by the United States.

Bloomberg first reported the development, which was later confirmed by 404 Media. The specific charges brought against Moucka are unknown at this time.

In June 2024, Snowflake revealed that a "limited number" of its customers had been targeted as part of a campaign. Google-owned Mandiant later attributed the campaign to UNC5537, a financially motivated threat group.

"UNC5537 comprises members based in North America and collaborates with an additional member in Turkey," the company stated with moderate confidence at the time, adding that around 165 organizations were affected.

Targeted companies included large corporations like Advance Auto Parts, AT&T, LendingTree, Neiman Marcus, Santander, and Ticketmaster (Live Nation).

In some cases, the threat actor(s) tried to extort the companies by threatening to sell the stolen data on criminal forums if they didn't pay. WIRED reports that AT&T paid the hackers $370,000 to remove the stolen data.

The attacks used stolen customer credentials, obtained from earlier infostealer malware infections, to gain initial access. The research also found that the initial infostealer infections took place on contractor systems used to download games and unlicensed software.

According to reports published by Krebs On Security and 404 Media in September 2024, Judische is most likely based in Canada and has ties to the Com, a larger cybercrime ecosystem known for engaging in physical and digital attacks, including violence, to gain access to accounts and steal funds from rivals.

Judische is also thought to have worked with another hacker named John Binns, who was arrested in Turkey in May 2024.

 

Source: The Hacker News