Here’s what we know about the suspected Snowflake data extortionists

November 12, 2024 at 04:15PM

Two men, Connor Moucka and John Binns, have been indicted on charges of compromising multiple organizations' Snowflake cloud environments, stealing sensitive data, and extorting more than $2.5 million from at least three victims. They face 20 counts, including computer fraud and aggravated identity theft, arising from the data thefts and the ransom demands that followed them.

**Meeting Takeaways: Snowflake Data Breach and Indictment**

1. **Incident Overview:**
– Two individuals, Connor Riley Moucka, of Canada, and John Erin Binns, based in Turkey, allegedly compromised multiple Snowflake-hosted cloud environments.
– They are accused of stealing sensitive data and extorting at least $2.5 million from at least three victims.

2. **Legal Action:**
– A federal indictment unsealed by the U.S. government charges Moucka and Binns with 20 counts, including conspiracy, computer fraud, wire fraud, and aggravated identity theft.
– The indictment was filed in federal court in Seattle.

3. **Compromised Data:**
– The indictment alleges access to billions of sensitive customer records, including:
  – Call and text logs
  – Banking and financial details
  – Payroll records
  – Personal identification information (driver's licenses, passports, Social Security numbers)
– At least 165 Snowflake customers were reportedly affected; named victims include AT&T, Santander Bank, Ticketmaster, and Advance Auto Parts.

4. **Methodology:**
– The suspects allegedly authenticated to the victims' cloud environments with stolen account credentials; neither Snowflake nor Mandiant has attributed the intrusions to a vulnerability in the Snowflake platform itself.
– They ran a tool they called "Rapeflake" to locate and pull out valuable data, then extorted victims by threatening to leak or sell it.
– They advertised the stolen files on criminal forums such as BreachForums and XSS.is.

5. **Arrests and Ongoing Investigations:**
– Moucka was arrested on October 30 in Canada.
– Binns had already been arrested in Turkey and is also linked to other intrusions, including the 2021 breach of T-Mobile US.
– Google's Mandiant tracks the group behind this activity as UNC5537 and has described the consequences of its operations as significant.

6. **Implications:**
– The case shows how much damage criminals can do with commodity tooling and valid credentials alone: large-scale data theft and extortion across multiple industries, with no platform exploit required.
– Mandiant's public reporting on the campaign attributes the initial access to credentials harvested by infostealer malware and used against accounts that did not enforce MFA; requiring MFA or SSO on every human account and restricting network access to Snowflake instances are the controls that would have stopped it.
– Whether and when the suspects will be extradited to the U.S. remains uncertain; the investigation is ongoing.

7. **Next Steps:**
– Monitor developments in the extradition proceedings against Moucka and Binns.
– Follow Mandiant and law-enforcement updates on UNC5537, the broader implications of the campaign, and any links to other cybercriminal groups.
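
The "stolen credentials" step under Methodology is the part of this campaign that defenders can actually instrument. The following is an added example, not code from the article, from Mandiant, or from Snowflake: it runs a simple detection over constructed records shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view, flagging successful password-only logins from addresses a user has never reached the account from with SSO or MFA, and then surfacing any single address that authenticated as several users, the pattern of one host working through a batch of stolen credentials. The column names follow the real view; the user names, IP addresses, corporate ranges and sample rows are assumptions made for the example.

```python
"""Flag password-only Snowflake logins from unfamiliar sources.

Added example, not code from the article, Mandiant or Snowflake. The record
layout mirrors the columns of Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view;
the users, addresses, corporate ranges and sample rows are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Login:
    event_timestamp: str
    user_name: str
    client_ip: str
    first_authentication_factor: str          # "PASSWORD", "SAML2", "RSA_KEYPAIR", ...
    second_authentication_factor: str | None  # None when no MFA challenge was completed
    reported_client_type: str                 # "SNOWFLAKE_UI", "PYTHON_DRIVER", ...
    is_success: bool


@dataclass(frozen=True)
class Finding:
    event_timestamp: str
    user_name: str
    client_ip: str
    reported_client_type: str
    reasons: tuple[str, ...]


# Constructed sample (not real telemetry): routine activity on day one, then
# password-only driver logins from an address none of these users has used.
SAMPLE_LOGINS = [
    Login("2024-04-14T09:00:00Z", "alice",   "10.1.2.3",      "SAML2",    None,       "SNOWFLAKE_UI",  True),
    Login("2024-04-14T10:00:00Z", "bob",     "203.0.113.7",   "PASSWORD", "DUO_PUSH", "JDBC_DRIVER",   True),
    Login("2024-04-14T11:00:00Z", "svc_etl", "10.5.5.5",      "PASSWORD", None,       "PYTHON_DRIVER", True),
    Login("2024-04-15T03:12:00Z", "alice",   "198.51.100.23", "PASSWORD", None,       "PYTHON_DRIVER", True),
    Login("2024-04-15T03:14:00Z", "bob",     "198.51.100.23", "PASSWORD", None,       "PYTHON_DRIVER", False),
    Login("2024-04-15T03:15:00Z", "bob",     "198.51.100.23", "PASSWORD", None,       "PYTHON_DRIVER", True),
]

# Assumed corporate egress ranges (private and documentation address space).
CORPORATE_RANGES = (ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24"))


def is_corporate(ip: str, ranges=CORPORATE_RANGES) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def strongly_authenticated(login: Login) -> bool:
    """SSO or key-pair logins, or password logins that completed an MFA challenge."""
    return (login.first_authentication_factor != "PASSWORD"
            or login.second_authentication_factor is not None)


def trusted_sources(logins) -> dict[str, set[str]]:
    """Per user, the client IPs from which a strong login has succeeded."""
    seen: dict[str, set[str]] = defaultdict(set)
    for lg in logins:
        if lg.is_success and strongly_authenticated(lg):
            seen[lg.user_name].add(lg.client_ip)
    return seen


def find_single_factor_logins(logins, ranges=CORPORATE_RANGES) -> list[Finding]:
    """Successful password-only logins from addresses the user has no strong
    login history with and that sit outside the corporate ranges."""
    trusted = trusted_sources(logins)
    findings: list[Finding] = []
    for lg in logins:
        if not lg.is_success or strongly_authenticated(lg):
            continue  # failures and MFA/SSO logins are not the signal here
        if lg.client_ip in trusted.get(lg.user_name, set()):
            continue  # address already vouched for by a strong login
        if is_corporate(lg.client_ip, ranges):
            continue  # inside the allow-listed ranges, e.g. a service account on a known host
        reasons = ["password-only authentication",
                   "source IP never seen for this user with MFA/SSO",
                   "source IP outside corporate ranges"]
        if lg.reported_client_type != "SNOWFLAKE_UI":
            reasons.append(f"programmatic client {lg.reported_client_type}")
        findings.append(Finding(lg.event_timestamp, lg.user_name, lg.client_ip,
                                lg.reported_client_type, tuple(reasons)))
    return findings


def shared_source_ips(findings) -> dict[str, set[str]]:
    """Addresses that produced flagged logins for more than one user: one host
    working through a batch of stolen credentials."""
    by_ip: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_ip[f.client_ip].add(f.user_name)
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = find_single_factor_logins(SAMPLE_LOGINS)
    for f in hits:
        print(f"{f.event_timestamp} {f.user_name:8} {f.client_ip:15} {'; '.join(f.reasons)}")
    for ip, users in shared_source_ips(hits).items():
        print(f"{ip} authenticated as {len(users)} users: {', '.join(sorted(users))}")
```

In a real account the same logic maps onto a query against SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY: the allow-list check corresponds to a Snowflake network policy, and the password-only condition is exactly what enforcing MFA or SSO on every human account removes. Service accounts that legitimately use password or key-pair authentication should be pinned to known source ranges so that they pass the corporate-range check rather than being exempted from it.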