Alleged Snowflake hacker detained in Canada at DOJ's request
The hacker suspected of launching a series of major breaches involving data stored on Snowflake accounts was arrested in Canada last week after a request was issued by U.S. officials.
Canada’s Justice Department confirmed to Recorded Future News that Alexander Moucka, who also goes by the name Connor, was detained on a provisional arrest warrant on October 30.
The arrest of Moucka was first reported by Bloomberg and 404Media on Monday evening.
“He appeared in court later that afternoon and his case was adjourned to Tuesday November 5, 2024,” Canada’s Justice Department said.
“As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case.”
Canada’s Justice Department declined to answer other questions about what charges Moucka is facing, whether he will also face charges in Canada, whether any devices were seized during his arrest and whether he was arrested alongside anyone else.
The officials directed Recorded Future News to the Ontario Superior Court, which did not respond to requests for comment. The U.S. Justice Department and FBI declined to comment about Moucka.
At least two sources told Bloomberg that the charges against Moucka are related to a string of about 165 data breaches earlier this year — when hackers stole login information to employee accounts on Snowflake. Those affected include AT&T, Ticketmaster, Advance Auto Parts, one of the largest school districts in the U.S., Neiman Marcus, Santander, LendingTree and more.
The breaches caused alarm globally due to the sizable amount of information stolen. The AT&T hacker stole logs of the calls and texts of more than 100 million customers. The Ticketmaster breach involved about 560 million users.
Shortly after the Bloomberg story was released, 404Media said it had allegedly been speaking to Moucka but had not gotten a response from him over the last week. Moucka reportedly told the outlet that he expected to be arrested and had been destroying evidence in advance of his detainment.
In May, Snowflake hired Mandiant to investigate the incident and confirmed that there was no issue with their platform’s security. The hackers, according to Mandiant, stole still-valid credentials dating back to 2020 and were able to access company accounts through those login details.
Mandiant said at the time that the hackers behind the campaign are “based in North America, and collaborates with an additional member in Turkey.”
At least one of the alleged Turkey-based hackers, John Erin Binns, was detained by Turkish authorities in May after being indicted for his role in a previous hack of telecom T-Mobile.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.