A banner for Snowflake Inc. is displayed celebrating the company's IPO at the New York Stock Exchange in New York in September, 2020. BRENDAN MCDERMID/Reuters

U.S. authorities are seeking the extradition of a Canadian resident accused of being responsible for a massive hacking scheme targeting a cloud storage provider believed to be Snowflake Inc.

Prosecutors allege that Connor Moucka and his co-conspirators, including Turkey resident John Erin Binns and others whose identities are unknown to authorities, were responsible for an international hacking scheme that breached the networks of at least 10 companies and stole billions of sensitive customer records.

The alleged hackers then extorted companies for ransoms by threatening to leak the stolen data online. At least three companies paid ransoms totalling at least 36 bitcoin, worth approximately $2.5-million total at the time, according to a recently unsealed indictment filed in the United States District Court for the Western District of Washington.

“This gang was the Snowflake hackers and law enforcement are finally rounding them up,” said Allison Nixon, the chief research officer at security firm Unit 221B, who has been tracking the hackers’ online activity for months.

Snowflake, a U.S. cloud-based data storage provider, was breached last spring by hackers using stolen customer credentials. Incident response firm Mandiant Inc., which investigated the breach, said 165 companies who had stored data with Snowflake may have been affected.

Companies that have publicly announced breaches linked to the Snowflake attack include U.S. telecom giant AT&T Inc., luxury retailer Neiman Marcus Group Ltd., Ticketmaster Entertainment, Santander Bank and more.

The U.S. indictment doesn’t identify the affected companies by name, although the first one listed, “Victim-1,” is described as a “software-as-a-service provider located in the United States” that “allowed U.S. and foreign organizations to upload and store data within … online storage environments.” The company is widely believed to be Snowflake, because of the breach it experienced. Representatives of Snowflake did not respond to a request for comment.

Other victim companies listed in the documents include a “major telecommunications company,” a “major retailer” and a “major entertainment company,” all located in the United States. (AT&T, Neiman Marcus, Ticketmaster and Santander Bank did not confirm to The Globe and Mail that they were the companies described in the indictment.)

Ian McLeod, a spokesperson for the Department of Justice Canada, said Mr. Moucka was arrested on Oct. 30, appearing in court later that afternoon. The matter was adjourned until Nov. 12, at which point Mr. Moucka indicated that he was still awaiting a decision from legal aid. His next court appearance is scheduled for Nov. 29, Mr. McLeod said.

“As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case,” Mr. McLeod said in an e-mail.

Attempts to locate Mr. Moucka or a lawyer representing him for comment were unsuccessful. Ontario court records list him as “unrepresented” and indicate that the case is being heard in Kitchener, Ont.

Mr. Moucka, whose full name is Connor Riley Moucka, goes by several aliases, including “Alexander Antonin Moucka,” “judische,” “catist,” “waifu” and “ellye18,” according to U.S. court documents.

Court records obtained by The Globe indicate that a 25-year-old resident of Kitchener named Alexander Antonin Moucka faces criminal charges in Quebec for allegedly harassing a woman “by means of telecommunication” and threatening to kill her or cause bodily harm to her. The alleged incidents occurred in Montreal between July 1 and Sept. 30, 2023, with charges laid the following November, court records show.

Around that time, Mr. Moucka, Mr. Binns and others began devising an international computer hacking scheme, according to U.S. prosecutors.

The scheme involved stealing log-in credentials that allowed them to access private data stored in the cloud belonging to businesses and their users, including call and text history, banking information, payroll records, driver’s licence numbers, passport numbers and Social Security numbers.

The alleged hackers used software they called “Rapeflake” to identify valuable information stored in companies’ cloud environments, such as user roles and Internet Protocol, or IP, addresses.

In one attack, the hackers obtained 50 billion phone-call and text-message records belonging to the customers of the unnamed U.S. telecom giant, threatening to post the data online unless a ransom was paid. After the telecom paid the ransom, the hackers demanded another ransom payment, according to court documents.

The co-conspirators advertised stolen data for sale on online forums, used encrypted communications services aimed at protecting their identities and completed complex cryptocurrency transactions in an attempt to obfuscate the money trail, including transferring bitcoin into monero, a digital currency that promises users a high level of anonymity, according to prosecutors.

Ms. Nixon describes waifu, the actor that U.S. authorities allege is Mr. Moucka, as the leader of a gang of cybercriminals that is similar to other groups operating in the online criminal space.

“There is an online cybercrime culture that has festered for years, and it’s grown to a significant size,” Ms. Nixon said, noting that in the early days it was fuelled by what are known as SIM swap scams. (A SIM swap occurs when a scammer calls the victim’s wireless provider, claiming that their phone is lost or stolen, and asks to link the victim’s number to a new SIM card that is in the scammer’s possession, giving the attacker control of the victim’s phone number.)

“A lot of people entered this space, a lot of young people who decided they didn’t want to go through the normal path in life,” she added. Eventually, an online culture emerged, and within it subgroups that Ms. Nixon likens to “little violent street gangs.”

“These subgroups are maybe half a dozen to a dozen people, and they work together to steal money from financial institutions, or they steal data from companies, or, in the case of waifu’s gang, steal data and extort companies for that data, according to the indictment,” Ms. Nixon said.

With reports from Stephanie Chambers and Tu Thanh Ha
