Pierluigi Paganini November 05, 2024

Canadian authorities arrested a suspect linked to multiple hacks following a breach of cloud data platform Snowflake earlier this year.

Canadian law enforcement agencies arrested a suspect, Alexander “Connor” Moucka (aka Judische and Waifu), who is accused of being responsible for a series of attacks relying on information stolen from the cloud data warehousing platform Snowflake earlier this year.

Authorities arrested Mr. Moucka on October 30, 2024, he was taken into custody on a US provisional arrest warrant. Charges remain undisclosed.

“Canadian authorities have arrested a man suspected of being behind a string of hacks involving as many as 165 customers of Snowflake Inc., according to people familiar with the matter.” reads the report published by Bloomberg Canada.

“Following a request from the US, Alexander “Connor” Moucka was taken into custody on a provisional arrest warrant on Oct. 30, according to Canada’s Department of Justice. He is due to appear in court on Tuesday.”

In June 2024, Snowflake revealed that a limited number of its customers were targeted in a campaign by UNC5537, a financially motivated group based in North America. Around 165 organizations were affected, including major firms like AT&T, LendingTree, Neiman Marcus, Santander, and Ticketmaster.

“Through the course of our incident response engagements and threat intelligence collections, Mandiant has identified a threat campaign targeting Snowflake customer database instances with the intent of data theft and extortion. Snowflake is a multi-cloud data warehousing platform used to store and analyze large amounts of structured and unstructured data.” reads the report published by Mandiant, the company that helped Snowflake to investigate the security breach. “Mandiant tracks this cluster of activity as UNC5537, a financially motivated threat actor suspected to have stolen a significant volume of records from Snowflake customer environments. UNC5537 is systematically compromising Snowflake customer instances using stolen customer credentials, advertising victim data for sale on cybercrime forums, and attempting to extort many of the victims.”

UNC5537 used stolen credentials obtained via infostealer malware. This led to extensive data theft, with the attackers later attempting to extort victims and sell stolen data on criminal forums. Mandiant reported that many stolen credentials dated back to 2020.

In September, the popular cyber journalist Brian Krebs linked Mr. Moucka to crime-focused chat communities known as “The Com.” Independent news outlet 404 Media also confirmed Krebs’s findings 404 Media in September 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Snowflake)