A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake.
-
The accused, Alexander Moucka, a.k.a. Connor Riley Moucka, of Kitchener, Ontario, faces multiple criminal indictments in the U.S.
Moucka is alleged to have used the hacker handles Judische and Waifu, among many others. These monikers correspond to a prolific cybercriminal whose exploits were the subject of a recent story about the overlap between Western, English-speaking cybercriminals and extremist groups that harass and extort minors into harming themselves or others.
Today's story, which I've been sitting on for a while, is the result of many months of reporting. And far too many Signal messages exchanged with the accused, who agreed to be interviewed.
https://krebsonsecurity.com/2024/11/canadian-man-arrested-in-snowflake-data-extortions/
-
Here's a fascinating snippet from the story about John Erin Binns, aka IRDev, Moucka's alleged partner in a threat group Mandiant calls UNC5537.
"Sources familiar with the investigation told KrebsOnSecurity that Binns was so paranoid about possible surveillance on him by American and Turkish intelligence agencies that his erratic behavior and online communications actually brought about the very government snooping that he feared.
In several online chats in late 2023 on Discord, IRDev lamented being lured into a law enforcement sting operation after trying to buy a rocket launcher online. A person close to the investigation confirmed that at the beginning of 2023, IRDev began making earnest inquiries about how to purchase a Stinger, an American-made portable weapon that operates as an infrared surface-to-air missile.
Sources told KrebsOnSecurity Binns’ repeated efforts to purchase the projectile earned him multiple visits from the Turkish authorities, who were justifiably curious why he kept seeking to acquire such a powerful weapon."
-
Judische/Moucka allegedly outsourced the sale of stolen Snowflake databases to third parties, particularly one who goes by the handle Kiberphant0m on multiple cybercrime forums. Kiberphant0m has sold a number of telecom company databases in recent months, most recently one for Verizon push-to-talk customers that was reportedly stolen from a third party.
In response to today's news of Moucka's arrest, Kiberphant0m has released what he says is an "admin SQL dump + server logs + credentials" tied to the stolen Verizon data, which apparently includes credentials for admins of Motorola Solutions. The sales thread has several shout-outs to "FREEEWAIFU", one of Moucka's alleged handles.