Two men have been accused of compromising cloud environments hosted by Snowflake and believed to belong to multiple organizations, then stealing sensitive data and extorting at least $2.5 million from a minimum of three victims.
In a significant development on Sunday, the United States officially unsealed an indictment against Connor Riley Moucka, a Canadian resident, and John Erin Binns, an American currently residing in Turkey. The legal document, lodged in a Seattle federal court, outlines serious charges against the two suspects, including 20 counts of conspiracy, computer fraud and abuse, wire fraud, and aggravated identity theft.
According to prosecutors, Moucka and Binns orchestrated breaches into the online environments of at least 10 organizations, accessing an alarming “billions of sensitive customer records.” They allegedly demanded ransoms from the victims, threatening to reveal the details of their thefts unless paid, and they also sold the stolen data on underground marketplaces.
This illicitly obtained data encompassed a range of private information, including individuals’ call and text logs, detailed banking and other financial information, payroll records, Drug Enforcement Agency registration numbers, as well as driver’s license, passport information, and Social Security numbers.
While the court documents refrained from naming the compromised organizations, they do refer to “Victim 1” as a US-based software-as-a-service company known for providing cloud storage solutions to clients, suggesting a likely connection to Snowflake. The company had previously reported in June that an unauthorized individual had breached some of its customers’ accounts.
Earlier reports revealed that the data of at least 165 Snowflake customers had been compromised, including major corporations such as AT&T, Santander Bank, Ticketmaster, and Advance Auto Parts. The indictment further identifies five additional unnamed victims, with Victim 2 being a significant American telecommunications company, Victim 3 identified as a large US retailer, Victim 4 as a major US-based entertainment corporation, and Victim 5 as a healthcare giant with substantial operations in the United States. Victim 6 is described as “a major foreign company located in Europe with operations and personnel in the United States.”
Beginning in or around November 2023, it is alleged that Moucka, Binns, and their accomplices used stolen credentials to infiltrate the cloud computing instances belonging to their victims. They reportedly employed software they ominously dubbed “Rapeflake” to identify and exfiltrate valuable information stored within these instances, further extorting their victims by threatening to sell or leak the stolen data unless ransoms were paid. To date, at least three organizations have been confirmed as having paid these demands.
The criminals are said to have actively advertised the stolen files on underground platforms such as BreachForums, Exploit.in, and XSS.is, offering to sell the sensitive data for both fiat currency and cryptocurrency.
Moucka, who was allegedly known by online aliases including “judische,” “catist,” “waifu,” and “ellye18,” was arrested in Canada on October 30. Google’s threat hunters at Mandiant have been tracking the perpetrators responsible for targeting Snowflake customers under the codename UNC5537.
Larsen, a senior threat analyst at Mandiant, previously stated in an interview with The Register that the entity behind the Snowflake data breaches has emerged as one of the most consequential threat actors of 2024. “The operation, which has left organizations grappling with severe data loss and extortion attempts, underscores the alarming scale of damage an individual can inflict using readily available tools,” he remarked.
Additionally, there are indications that the group responsible for the Snowflake breaches may have connections to Scattered Spider, a notorious gang tracked by Google as UNC3944, which is believed to have orchestrated the digital heists at a Las Vegas casino in 2023.
Meanwhile, Binns, who is also allegedly tied to the 2021 breach involving T-Mobile US, is reportedly being held in a Turkish prison following his arrest earlier this year.
**Interview with Cybersecurity Expert Dr. Sarah Chen on the Recent Snowflake Cloud Breach Indictments**
**Interviewer:** Thank you for joining us today, Dr. Chen. The recent indictment of Connor Riley Moucka and John Erin Binns has sent shockwaves through the cybersecurity community. Can you break down the significance of these charges?
**Dr. Chen:** Absolutely. This case highlights the growing threat of cyber extortion and the vulnerabilities that exist even in established cloud environments. The scale of the operations—targeting multiple organizations and allegedly compromising billions of sensitive records—demonstrates that even major players can fall victim to sophisticated cybercriminals.
**Interviewer:** It’s concerning to hear that the stolen data included personal information like social security numbers and banking details. What does this mean for the affected individuals and companies?
**Dr. Chen:** The implications are severe. For individuals, there’s the risk of identity theft and financial fraud. For businesses, the potential loss of customer trust and the financial repercussions can be devastating. Companies may also face legal action if they are found to have inadequate security measures in place.
**Interviewer:** The indictment mentions the use of software called “Rapeflake.” Can you explain what this indicates about the perpetrators’ methods?
**Dr. Chen:** Naming the software in such a manner suggests a certain level of bravado and the intent to instill fear. It also indicates that they had developed tools specifically designed to exploit vulnerabilities in cloud environments. This underscores the need for organizations to continuously evaluate and strengthen their cybersecurity defenses against such tailored attacks.
**Interviewer:** The indictment refers to several unnamed victims, including large corporations. How important is transparency in these situations?
**Dr. Chen:** Transparency is crucial. When companies disclose breaches, it allows others to learn from those incidents and implement preventative measures. It also fosters a culture of accountability. However, organizations must balance this with the need to protect their reputation and sensitive data.
**Interviewer:** As a final thought, what can organizations do to protect themselves from such attacks?
**Dr. Chen:** Organizations need to prioritize cybersecurity by investing in robust security measures, conducting regular audits, and ensuring all employees are trained in best practices. Implementing multi-factor authentication and monitoring for unusual activities can provide an additional layer of protection. It’s about creating a culture of security awareness and vigilance.
**Interviewer:** Thank you, Dr. Chen. Your insights are invaluable as we navigate this evolving landscape of cyber threats.
**Dr. Chen:** Thank you for having me.