Kitchener, Ont., man arrested in massive Snowflake hacking scheme faces possible extradition to U.S.

A data breach affecting Snowflake, a U.S.-based cloud storage provider, was reported to authorities several months ago. A Kitchener, Ont., man and a man residing in Turkey have been arrested in the case. (Kacper Pempel/Reuters - image credit)
A data breach affecting Snowflake, a U.S.-based cloud storage provider, was reported to authorities several months ago. A Kitchener, Ont., man and a man residing in Turkey have been arrested in the case. (Kacper Pempel/Reuters - image credit)

A Kitchener, Ont., man accused of taking part in a massive hacking scheme affecting cloud storage provider Snowflake has been arrested and may be extradited to the United States.

Connor Moucka, 25, was arrested on Oct. 30 at his Stanley Park area home on a provisional warrant following a request by U.S. authorities.

Moucka — alleged to be the person also known as Alexander Moucka, judische, catist, ellyel8 and waifu in the criminal investigation — is accused of being a co-conspirator along with John Binns, a resident of Turkey also known as irdev and j_irdev1337.

Indictment documents also obtained by CBC suggest others beyond Moucka and Binns may have been involved in the scheme to "hack into at least 10 victim organizations' protected computer networks."

Snowflake, which reported the data breach to U.S. authorities several months ago, is an American-based data storage company, with customers including telecommunications giant AT&T, Live Nation's Ticketmaster and Santander Bank.

According to an unsealed arrest warrant obtained by CBC from the Superior Court of Justice in Kitchener, the United States District Court for the Western District of Washington issued the warrant for Moucka's arrest on Oct. 29.

He's accused of conspiracy, computer fraud and abuse, extortion in relation to computer fraud, wire fraud and aggravated identity theft. No charges have been laid. His case was remanded to Friday for an update on his legal aid status.

Accused waiting for legal aid, Ottawa official says

The indictment documents allege Moucka and Binns "profited from these schemes through several means, including by successfully extorting at least 36 bitcoin (worth approximately $2.5 million at the time of payment) from at least three victims."

The warrant also says Moucka's arrest was necessary in the public interest.

"On Nov. 12, Mr. Moucka indicated that he is still waiting for a decision from legal aid," Ian McLeod, senior adviser of media relations with the Department of Justice Canada, said in an emailed statement to CBC.

"As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case."

The U.S. Department of Justice declined to comment. CBC reached out to the jail where Moucka is currently being held but was denied communication. He is not yet represented by a lawyer.

On May 30, Snowflake posted a notice to its website acknowledging it was aware of a possible compromise of the company's online data.

Cybersecurity organizations Crowdstrike and Mandiant Consulting, which is part of Google Cloud, were hired to investigate.

"We learned that a number of organizations had their data stored in Snowflake tenants which an adversary was accessing and then mass downloading from Snowflake environments and then using that stolen data to reach out to organizations and then extort them," Charles Carmakal, Mandiant's chief technology officer, said in an interview with CBC.

According to Carmakal, the company began investigating on April 14 and tracked roughly 165 potentially exposed organizations operating with Snowflake's services.

WATCH | Some tips on how to determine if you've been hacked and ways to protect yourself:

Carmakal said the apparent perpetrator, or UNC5537 as he was referred to throughout the investigation, didn't compromise Snowflake but gained personal information to infiltrate the company.

"The threat actor had leveraged stolen credentials for customer tenants and then used that to log in as if they were an employee or contractor of the company that had a Snowflake account."

In June, Mandiant publicly released a report of its findings.

"The initial compromise of infostealer malware occurred on contractor systems that were also used for personal activities, including gaming and downloads of pirated software," reads the report.

A timeline posted to cybersecurity company Mandiant's website following their investigation into the Snowflake data breach.
A timeline posted to cybersecurity company Mandiant's website following their investigation into the Snowflake data breach.

A timeline posted to cybersecurity company Mandiant's website following its investigation into the Snowflake data breach. (Mandiant's Google Cloud blog post)

Carmakal said that since the pandemic, more people have been working from home and using personal computers to access work environments.

"We've started really blending work and personal use on systems, and that's enabled threat actors to essentially get access to corporate resources by way of less protected infrastructure," he said.

A spokesperson for Snowflake, the company, declined CBC's request for comment.

Identifying the suspect from Canada

Though not initially involved in the Snowflake investigation, Allison Nixon, chief researcher with Unit 221B, said threats against researchers within her organization is what piqued the security company's interest.

U.S.-based Unit 221B specializes in cybersecurity consulting, threat intelligence and identifying cyber criminals.

"What's really funny is we weren't going to work on Snowflake at all. We had never talked to Snowflake, but for some reason, [username] Waifu convinced himself [we were]," Nixon explained.

After being targeted by online threats, the security company dug deeper until they found a critical mistake made within the operations security by the person who posted them.

LISTEN | Kitchener man arrested in international hacking scheme affecting millions of people:

"We found the OPSEC [operations security] slip-up that he made and we're like half the reason that he got doxxed. The other half are some unnamed partners."

Though Nixon wasn't able to share the exact mistake, she said the user behind the account  later posted misinformation to various platforms in an attempt to offset the fact the user's identity was revealed.

When it became public knowledge that Moucka had been arrested, Nixon said, the company was thrilled, adding: "It was a huge win."