Here's what we know about the suspected Snowflake data extortionists

A Canadian and an American living in Turkey 'walk into' cloud storage environments…

Two men allegedly compromised what's believed to be multiple organizations' Snowflake-hosted cloud environments, stole sensitive data within, and extorted at least $2.5 million from at least three victims.

On Sunday, the United States unsealed an indictment against Connor Riley Moucka, who lives in Canada, and John Erin Binns, an American who lives in Turkey. The rap sheet [PDF], filed in a Seattle federal court, charges the two suspects with 20 counts of conspiracy, computer fraud and abuse, wire fraud, and aggravated identity theft. 

Moucka and Binns, according to prosecutors, broke into at least 10 organizations' online environments, accessed "billions of sensitive customer records," demanded the victims pay ransoms to keep a lid on the thefts, and also sold stolen data.

This info included people's call and text logs, banking and other financial details, payroll records, Drug Enforcement Agency registration numbers, driver's license and passport info, and Social Security numbers. 

And while the court documents don't name the compromised organizations, they do describe "Victim 1" as a US-based software-as-a-service company that provides cloud storage environments to customers — and this sounds a lot like Snowflake, which, in June, said a crook broke into some of its customers' accounts. 

A Snowflake spokesperson declined to comment on the indictment.

Earlier reports indicated at least 165 Snowflake customers had been compromised, including AT&T, Santander Bank, Ticketmaster, and Advance Auto Parts.

The indictment lists five other unnamed victims. Victim 2 is a major American telecommunications company, Victim 3 is a large US retailer, Victim 4 is a major US-based entertainment company, and Victim 5 is a healthcare giant with "significant operations in the United States." Victim 6 is "a major foreign company located in Europe with operations and personnel located in the United States."

Beginning no later than or around November 2023, Moucka, Binns, and others used stolen credentials to access victims' cloud computing instances, the court documents allege. 

They then allegedly used software they had named "Rapeflake" to identify and steal valuable information stored within these instances, and extorted victims by threatening to sell or leak their stolen data unless the victims paid ransom. At least three victims did pay, we're told. 

The criminals also advertised the purloined files on BreachForums, Exploit.in, and XSS.is, among other underground marketplaces, and offered to sell the data for fiat currency and cryptocurrency, according to prosecutors. 

Moucka, who the Feds claim went by the handles "judische," "catist," "waifu," and "ellye18," was arrested in Canada on October 30.

Google's threat hunters at Mandiant have been tracking whoever has been raiding Snowflake customers as UNC5537.

Mandiant senior threat analyst Austin Larsen told The Register earlier that whichever miscreant was behind the Snowflake thefts "has proven to be one of the most consequential threat actors of 2024."

"The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools," he added.

The crew behind the Snowflake intrusions may have ties to Scattered Spider, which Google tracks as UNC3944 — the notorious gang believed to be behind the 2023 Las Vegas casino digital heists.

Meanwhile Binns, who is also allegedly behind the 2021 breach of T-Mobile US, was reportedly arrested in Turkey earlier this year and is being held in a Turkish prison.

There's no word on whether or when the duo will be extradited to the US and how much jail time they face related to the alleged crimes if convicted. ®
