
Court filings reveal the inner workings of the alleged hackers accused of the ShinyHunters data breach

Court documents from the arrest of two men accused of being associated with an international hacking syndicate have revealed how they had access to “billions” of sensitive customer records.

Canadian Connor Moucka, also known as Alexander Moucka, and Turkish national John Binns were arrested and charged with computer fraud, wire fraud and aggravated identity theft over the Snowflake cloud storage hack.

Although the victims were not named in the indictment, Snowflake’s clients included the American telecommunications company AT&T, as well as Neiman Marcus and Mitsubishi.

A screenshot of ShinyHunters dark web profile.

A screenshot of ShinyHunters promoting a one-off sale of alleged Ticketmaster data on the dark web.

The hack allegedly resulted in the theft of victims’ text message histories, bank details, payroll records, driver’s license numbers, passports and other personal information.

US prosecutors said the charges covered a period between November 2023 and October 2024.

“Moucka, Binns and their co-conspirators accessed and obtained data from at least 10 different organizations’ cloud computing instances using stolen access credentials,” the indictment states.

“The co-conspirators … used software they called ‘Rapeflake’ to identify valuable information found on victims’ cloud computing instances, including organization names, user roles and (IP) addresses, among other information.”

The indictment detailed how Mr. Binns and Mr. Moucka allegedly extorted victims by threatening to sell or share the data, and three victims paid the ransom.

The scheme is believed to have netted $2.5 million or $3,814,988.

The accused hackers used many aliases

Mr. Moucka allegedly went by a number of different names online, including judische, catist, waifu and ellyel8.

Mr. Binns allegedly went by irdev and j_irdev1337.

The indictment alleges that the men frequently changed accounts to protect their anonymity and operated on offshore servers that did not regularly log IP addresses.


They allegedly leased technology infrastructure using fraudulent information and payment methods for the conspiracy, including servers and IP addresses.

US prosecutors said they would advertise the stolen data on the dark web and demand payments in cryptocurrencies so they could hide the source and destination of their money.

Victims

The individual victims of the data breach were not named in the indictment, instead referred to as “Victim 1” through “Victim 6.”

While the affected parties remain anonymous, the impact of the Snowflake data breach continues to have worldwide ramifications, including in Australia.

The Australian Cyber Security Center issued an advisory about the breach, warning Snowflake customers to take steps to protect themselves.

“Australian organizations using Snowflake should reset credentials for active accounts, disable inactive accounts, enable Multi-Factor Authentication (MFA) and review user activity,” they said.

“(The Cyber Security Center) is monitoring the situation and is able to provide assistance and advice as needed.”

In a statement, Snowflake said it was aware that many of its customers were compromised during the hack.

“To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity in the Snowflake product,” a spokesperson said.

“During our ongoing investigation, we promptly notified the limited number of customers we believe may have been affected.”

The fallout continues

Customers of Ticketmaster and Live Nation recently filed a class-action lawsuit in California over a hack of the business that took place during the same period mentioned in the indictment.

The plaintiff alleged that the businesses did not adequately protect their private information.

“Plaintiff and class members’ personal information — which they entrusted to defendant based on the mutual understanding that defendant would protect it from unauthorized disclosure — was compromised in a data breach,” the suit alleged.

Ticketmaster previously assured customers that their data was safe, but warned them to beware of identity theft.

“We take data protection very seriously and have worked with the relevant authorities, including law enforcement, as well as credit card companies and banks,” a spokesman said.

It’s still unclear how the hack happened, but Google analysts previously said it was likely due to a threat actor using credentials previously stolen via infostealer malware.