SecurityWeek

Cybercrime

Canadian Authorities Arrest Suspected Snowflake Hacker

Canadian authorities have arrested Alexander ‘Connor’ Moucka, suspected of hacking multiple Snowflake accounts earlier this year.

Canadian authorities have reportedly arrested an individual suspected of orchestrating a large-scale campaign leading to the compromise of Snowflake accounts belonging to 165 organizations.

The campaign came to light in late May, after Snowflake warned that a limited number of customers that did not have their accounts protected with multi-factor authentication were targeted by threat actors.

In June, Mandiant, which was involved in investigating the attacks, revealed that the attackers used credentials compromised in previous information stealer infections to access the improperly protected accounts.

The campaign, attributed to a threat actor tracked as UNC5537, started on April 14 and impacted organizations such as Ticketmaster, Santander Bank, Anheuser-Busch, Allstate, Advance Auto Parts, Mitsubishi, Neiman Marcus, Progressive, AT&T, and State Farm.

The attackers were later said to have demanded ransom payments between $300,000 and $5 million from the victim organizations in exchange for deleting the data stolen from their Snowflake accounts.

On October 30, Canadian authorities arrested Alexander ‘Connor’ Moucka, following a request from the US in relation to the Snowflake campaign, according to reports from Bloomberg and 404 Media. He is scheduled to appear in court on Tuesday.


The Canadian authorities did not share information on Moucka’s arrest or his potential extradition, but people familiar with the matter reportedly confirmed that he was responsible for the Snowflake hacks. Moucka was reportedly known online as Judische and Waifu.

In May, Judische boasted on Telegram about hacking several known Snowflake victims just before the hacks were publicly confirmed, investigative journalist Brian Krebs reported in September, noting that Waifu was one of the most successful SIM swappers known on underground forums.

Krebs also noted in September that Judische is a 26-year-old software engineer from Ontario, Canada.

Another individual believed to have been involved in the Snowflake hacks, namely John Erin Binns, was arrested in Turkey. Binns was indicted in the US for the 2021 T-Mobile data breach.

“UNC5537 aka Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024. In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations. The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm a single individual can cause using off-the-shelf tools,” Mandiant senior threat analyst Austin Larsen told SecurityWeek in an emailed statement.

“This arrest serves as a deterrent to cybercriminals and reinforces that their actions have serious consequences,” Larsen added.

With Binns arrested in Turkey, both suspects in the Snowflake campaign are now in custody, but a Mandiant spokesperson pointed out that the Google-owned security firm continues to respond to numerous intrusions perpetrated using stolen credentials and that infostealers pose a significant threat to organizations worldwide.

*Updated with statement from Mandiant.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
