Hacker Suspected of Involvement in the Snowflake-Related Cyberattacks Arrested in Canada

• A hacker known online as Judische and Waifu was arrested by authorities in Canada on suspicion of involvement in the Snowflake breach.
• The individual is believed to have connections to the cybercrime ecosystem The Com, as well as another hacker arrested in Turkiye.
• The U.S. authorities requested a provisional arrest warrant, but the charges against the individual are yet to be revealed.

Canadian authorities have arrested Alexander "Connor" Moucka, known online as Judische and Waifu, in connection with a series of cyberattacks linked to the breach of cloud data warehousing platform Snowflake. 

Moucka was apprehended on October 30, 2024, under a provisional arrest warrant requested by U.S. authorities, according to Bloomberg. The charges against the individual remain unspecified.

Further reports from Krebs On Security identified Judische as having connections to The Com, a cybercrime ecosystem notorious for engaging in both physical and digital attacks to seize accounts and finances from adversaries. 

Additionally, Judische is believed to have collaborated with John Binns, another hacker arrested in Turkiye earlier this year.

The breach, initially disclosed by Snowflake in June 2024, affected a limited number of its customers and was attributed to the UNC5537 threat actor, a financially motivated threat group. 

This group, based in North America and collaborating with a member in Turkey, targeted approximately 165 organizations, including major companies like Advance Auto Parts, AT&T, LendingTree subsidiary QuoteWizard, Neiman Marcus, Santander Bank, Ticketmaster, Ticketek, and Pure Storage. 

In July, AT&T said that information available to the company revealed that at least one person involved in this data theft had been apprehended without revealing other details on the matter. 

A member of the infamous ShinyHunters hacking group revealed how they reportedly stole customer data from Snowflake accounts via a breached EPAM employee account, and now it seems Sp1d3r and ShinyHunters have created an alliance.

Investigations revealed that the infostealer malware initially compromised contractor systems used for downloading games and pirated software. The threat actors employed a technique leveraging stolen customer credentials from previous stealer malware infections to gain initial access. Notably, some incidents involved ransomware attempts.

Incident response firm Mandiant revealed in their investigation that the hackers leveraged leaked credentials collected by several info-stealer malware variants that belonged to Snowflake customer accounts not using multi-factor authentication (MFA).