Canadian law enforcement authorities have arrested an individual who is suspected to have conducted a series of hacks stemming from the breach of cloud data warehousing platform Snowflake earlier this year.
The individual in question, Alexander “Connor” Moucka (aka Judische and Waifu), was apprehended on October 30, 2024, on the basis of a provisional arrest warrant, following a request by the U.S.
The development was first reported by Bloomberg and corroborated by 404 Media. The exact nature of the charges against Moucka is currently not known.
In June 2024, Snowflake disclosed that a “limited number” of its customers were targeted as part of a targeted campaign. Google-owned Mandiant attributed it to a financially motivated threat group called UNC5537.
“UNC5537 comprises members based in North America, and collaborates with an additional member in Turkey,” the company assessed with moderate confidence at the time, adding approximately 165 organizations were impacted.
Some of the targeted companies included major corporations such as Advance Auto Parts, AT&T, LendingTree, Neiman Marcus, Santander, and Ticketmaster (Live Nation).
In some of the incidents, the threat actor(s) attempted to extort the companies by threatening to sell the stolen data on criminal forums if they didn’t pay up. AT&T reportedly paid the hackers $370,000 to delete the stolen data, according to WIRED.
The attacks worked by leveraging stolen customer credentials obtained via prior stealer malware infections to obtain initial access. The investigation also found that the initial compromise of infostealer malware occurred on contractor systems that were used for downloading games and pirated software.
Reports published by Krebs On Security and 404 Media in September 2024 revealed that Judische is likely based in Canada and has connections to a broader cybercrime ecosystem called the Com, which is known to engage in physical and digital attacks, sometimes resorting to violence, to gain access to accounts and steal funds from rivals.
Judische is also believed to have collaborated with another hacker called John Binns, who was arrested in Turkey in May 2024.
(This is a developing story. Please check back for more updates.)