
Canadian authorities arrest alleged Snowflake hacker

Alexander Moucka was arrested last week and is expected to appear in court Tuesday for allegedly breaching dozens of Snowflake customers.

Canadian authorities arrested the alleged threat actor behind a series of Snowflake-related breaches that led to data theft and extortion for high-profile victim organizations earlier this year.

The Canadian Department of Justice (DOJ) confirmed authorities arrested Alexander Moucka on Oct. 30. Moucka is accused of breaching Snowflake customers including AT&T, Ticketmaster and Santander Bank.

"Following a request by the United States, Alexander Moucka (a.k.a. Connor Moucka) was arrested on a provisional arrest warrant on Wednesday October 30, 2024. He appeared in court later that afternoon and his case was adjourned to Tuesday November 5, 2024," the DOJ said in a statement provided to TechTarget Editorial. "As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case."

While Snowflake confirmed its own network was not breached, the threat actor used compromised credentials to access customers' instances of the cloud storage and analytics giant. An investigation revealed the affected customers did not have MFA enabled on their Snowflake accounts, despite an industry-wide push to adopt the control.
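The failure mode described above, single-factor logins with stolen credentials against accounts that never enforced MFA, is something a Snowflake administrator can both look for and close off. The following is an added example written for this article, not code from Snowflake or from any party named here. It assumes the reader has the ACCOUNTADMIN role, that the `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` view exposes the `FIRST_AUTHENTICATION_FACTOR` and `SECOND_AUTHENTICATION_FACTOR` columns, and that the account supports authentication policies with `MFA_ENROLLMENT = REQUIRED`; the policy name `require_mfa` is a constructed placeholder.

```sql
-- 1. Detection: successful logins over the last 90 days that used a
--    password with no second factor. Each row is a user who could be
--    taken over with nothing more than a stolen credential.
--    (View and column names are assumed from ACCOUNT_USAGE; verify
--    against your own account before relying on this query.)
SELECT
    user_name,
    COUNT(*)                AS password_only_logins,
    COUNT(DISTINCT client_ip) AS distinct_source_ips,
    MIN(event_timestamp)    AS first_seen,
    MAX(event_timestamp)    AS last_seen
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= DATEADD(day, -90, CURRENT_TIMESTAMP())
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY password_only_logins DESC;

-- 2. Mitigation: require every human user to enroll in MFA.
--    `require_mfa` is a placeholder name chosen for this example.
CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
    MFA_ENROLLMENT = REQUIRED
    COMMENT = 'Enforce MFA enrollment for all users (example policy)';

-- Attach the policy at account level so it applies by default.
ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Run the detection query first and review the list: service accounts that authenticate with key pairs rather than passwords will not appear, which is expected, while any interactive user who does appear is the population the policy in step 2 is meant to protect. Applying the policy before remediating those users' exposed passwords only stops future single-factor logins; credentials already known to be in infostealer dumps still need to be rotated.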

Mandiant attributed the breaches, which affected more than 100 Snowflake customers, to a threat actor it tracks as UNC5537. In a statement to TechTarget Editorial, Austin Larsen, Mandiant senior threat analyst at Google Cloud, said the threat actor was a significant player in the threat landscape.

"UNC5537 aka Alexander 'Connor' Moucka has proven to be one of the most consequential threat actors of 2024. In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations," Larsen said. "The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools. This arrest serves as a deterrent to cybercriminals and reinforces that their actions have serious consequences."

A Mandiant spokesperson sent the following statement to TechTarget Editorial:

"Mandiant continues to respond to a high proportion of intrusions where the initial access was obtained using stolen credentials, which can be obtained via multiple methods, most commonly the use of phishing emails, infostealer malware, or purchasing them from actors who used these methods. This category of malware has been used by many financially motivated intrusion operators beyond just UNC5537, with prolific examples including UNC3944 and UNC3661. The frequent use of infostealers by actors engaging in extortion operations coupled with the continued interest in infostealers across underground communities underscores that they pose a significant ongoing threat to organizations globally."

Bloomberg first reported on the law enforcement action on Monday, stating that Moucka was arrested for allegedly using stolen logins to breach Snowflake database customers. 404 Media also reported on the arrest Monday. The media outlet had been in direct contact with a hacker who goes by the nickname "Judische," who had taken credit for the Snowflake-related data breaches. However, 404 Media reported that Judische believed they would soon be arrested and had not responded to message requests since Oct. 27.

Moucka's arrest marks the latest example of law enforcement actions against cyber threat actors that have led to arrests. Last month, the third phase of the international law enforcement operation known as Operation Cronos resulted in the arrest of four suspected LockBit ransomware gang members.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
