For much of this summer, a mysterious group of hackers carried out a landmark spree of major data breaches, all targeting customers of the cloud data storage company Snowflake. Now one alleged hacker—whom experts believe to be the ringleader of that group—has been arrested in Canada, and he may be on his way to a US court.

On Monday, Bloomberg and 404 Media reported that a Canadian man named Alexander Moucka, who also goes by the name Connor Moucka, was detained at the end of October on a provisional arrest warrant. Moucka then appeared in a court hearing today, November 5, as part of extradition proceedings, 404 Media first reported.

Under the hacker handles Waifu and Judische, Moucka is believed to be a notorious figure in the cybercriminal underground, says Allison Nixon, a security researcher and the chief research officer at security firm Unit 221B, who has long tracked his online activity. She alludes to Moucka’s alleged hacking activity going back years prior to the Snowflake breaches. “I was waiting for this one,” says Nixon. “Waifu was the leader of a group who was responsible for many major intrusions over the last half decade.”

Suspicious activity linked to Snowflake customer accounts was first spotted in April, according to a June report by Google-owned security company Mandiant, which was employed by Snowflake to jointly investigate the hacking. The first unknown victim’s Snowflake systems had been accessed using login details that were previously taken by infostealer malware, the report says. Over the next couple of chaotic months more than 165 Snowflake customers, according to Mandiant’s report, potentially had data they stored in Snowflake’s systems exposed or stolen. Hundreds of millions of records from AT&T, Santander, Ticketmaster owner Live Nation Entertainment, and more were accessed in the hacking spree.

Mandiant’s report in June said that the majority of the compromised Snowflake accounts did not have multifactor authentication turned on, and credentials gathered from infostealer logs—some dating back to 2020—were used to access them. Since the breaches, Snowflake has updated its systems to require multifactor authentication to be turned on by default.

A spokesperson for Snowflake tells WIRED it has no comment on the arrest. Ian McLeod, a spokesperson for Canada’s Department of Justice, says Moucka was arrested following a request by the United States. “As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case,” McLeod says.

Services MarketplaceListings, Bookings & Reviews

Entertainment blogs & Forums

Balancing love hormones. Direct hire fdh.