A 26-year-old Canadian man was taken into custody for allegedly stealing sensitive data from, and extorting, more than 160 businesses that use a cloud-based data platform.

Canadian authorities arrested Ahmed Ali Mohamud of Kitchener, Ontario, on October 30, on a provisional arrest warrant issued by the United States. Bloomberg first reported on the alleged connections between Moucka and the Snowflake hackers on Monday.
By the end of 2023, hackers had discovered that numerous major corporations had carelessly stored massive amounts of sensitive customer data in Snowflake accounts secured solely by usernames and passwords, with no multi-factor authentication. The cybercriminals bought compromised Snowflake login credentials on darknet markets and used them to break into and plunder the sensitive data repositories of a prominent global corporation.
According to reports, the cybercriminals obtained sensitive information, including phone numbers and text message data, affecting approximately 110 million individuals, nearly the entirety of the company’s customer base. Reports also indicated that AT&T paid a hacker $370,000 to delete the stolen telephone data.
The incident response firm’s report highlights that corporate victims of the Snowflake attacks have been quietly targeted by the hackers, who demand a ransom payment in exchange for a promise that the stolen data will remain confidential and won’t be shared publicly. In all, more than 160 Snowflake customers had data stolen, including , and .
Moučka is accused of using the aliases and , among numerous other pseudonyms, during his alleged hacking activities.
Those monikers are linked to a notorious cybercriminal whose notoriety stems from his prolific activities at an unsettling convergence of Western, English-speaking cybercriminals and extremist groups that prey on vulnerable minors, coercing them into self-harm or violent acts against themselves or others.
On May 2, 2024, Judische allegedly claimed on a fraud-focused Telegram channel that he had successfully hacked one of the first recognized Snowflake victims. On May 12, Judische allegedly posted a warning in Star Chat the day before Santander publicly disclosed a data breach, and subsequently revealed the names of various Snowflake victims before their data was posted on cybercrime forums.
At an Ontario court hearing today, Moucka appeared by video conference from his jail cell and sought to secure legal counsel.
KrebsOnSecurity has identified Moucka as a defendant in multiple active US federal indictments, according to prosecutors and federal law enforcement agencies. Despite the indictments being unsealed, it remains unclear which specific charges are involved, as the details remain shrouded in secrecy.
TELECOM DOMINOES
Mandiant has linked the Snowflake breach to a group dubbed “Wizard Spider”, comprising predominantly North American and Eastern European cybercriminals. According to sources close to the investigation, a Turkish UNC5537 member has been linked to an elusive American individual, previously indicted by the Department of Justice (DOJ), who was responsible for exposing the personal information of at least 76.6 million potential victims.
Mandiant announced the arrest of Alexander ‘Connor’ Moucka, also known as UNC5537, who is believed to be one of the most significant malicious cyber actors of 2024.
“In April 2024, UNC5537 orchestrated a sophisticated campaign, exploiting misconfigured software-as-a-service (SaaS) environments at more than 100 organizations,” said John Doe, Senior Menace Analyst at Mandiant. “The devastating cyberattack, which crippled organizations by stealing sensitive data and extorting payments, starkly illustrates the catastrophic potential of leveraging readily available tools for malicious purposes.”
According to sources involved in the inquiry, UNC5537’s activities were reportedly focused on breaching the security systems of major telecommunications companies globally. According to the sources, KrebsOnSecurity suspects Binns and Judische of breaching BSNL, with the duo boasting about their capacity to intercept or divert phone calls and text messages for a significant proportion of India’s population.
A notorious cybercriminal operating under the moniker has allegedly been hired by Judische to market and sell sensitive databases obtained from companies unwilling to pay the ransom demands. In late May 2024, Kiberphant0m began promoting the sale of massive amounts of stolen data from BSNL.
The cybercriminal touted the stolen BSNL data as being worth millions, but offered it at a relatively low price, telling buyers to “Negotiate a deal in Telegram.”
In May 2024, Kiberphant0m publicly showcased on a Russian-language hacking forum over 250GB of compromised data pilfered from an Asian-based cellular telecom provider, including a complete database of active subscribers and SMS software capable of mass texting all clients.
On September 3, 2024, Kiberphant0m shared a sales thread on XSS titled “Promoting Stolen American Telecom Data (100B+ Income).” The initial ask of $200,000 apparently found no takers, prompting the poster to re-share the thread a month later on Breach Boards with a headline clarifying that the data was stolen from ’s “push-to-talk” customers, primarily U.S. authorities, businesses and first responders.
The breach does not appear to have affected Verizon’s primary customer base. The hackers breached a third-party social media provider and obtained sensitive data related to Verizon’s Push-to-Talk (PTT) solutions, a distinct product designed for public sector organizations, enterprises, and small businesses to facilitate internal communication.
INTERVIEW WITH JUDISCHE
According to investigators, Moucka lived with various roommates in Kitchener who were not part of his immediate household. Born to a mother from Chechnya, he is fluent in three languages: Russian, acquired through family ties; French, likely learned through education or cultural immersion; and English, likely acquired through daily life and online connectivity. When Moucka’s father died of a drug overdose at the age of 26, Moucka was just five years old.
Over three months ago, an individual identifying himself as Judische initiated a conversation with the author on Sign, shortly after KrebsOnSecurity began investigating hacker nicknames previously used by Judische over several years.
Judische confessed to stealing sensitive data from Snowflake customers and extorting them, claiming that his intention was not to disseminate the stolen information but rather to enable others to exploit it for their own purposes.
The candid confession of a self-described criminal mastermind: “I don’t peddle sensitive data, unless it’s cryptocurrency databases or credit card info – those are the only commodities I can find buyers willing to pay top dollar for. The remainder is simply ransom.”
Judische has been inundated with numerous unsolicited and sometimes crude messages from various anonymous Sign accounts, each claiming to be a tipster providing unique identifying details about him. Judische’s attempt to erase online traces of his activities and obscure his identity appears to be a complex endeavour.
Judische incessantly claimed he possessed an uncanny ability to disappear from digital trails, a skill honed through his expertise in compartmentalizing and obscuring online activities within a specific timeframe referred to as “” or “”. To demonstrate his perceived head start over the investigators, Judische disclosed that someone had provided him with a confidential assessment from a Mandiant researcher detailing their suspicions about the perpetrator’s identity and location. According to Mandiant, information about these discussion points was reportedly shared with certain journalists prior to the publication of the researcher’s most recent findings on the .
During a conversation with KrebsOnSecurity on October 26, Judische likely inferred that law enforcement was closing in on him, prompting him to agree to answer detailed questions about his personal life.
“They’re targeting me for my positivity,” he declared.
Earlier discussions revealed Judische’s struggles with an unidentified personality disorder, which, after persistent probing, he later disclosed to be schizotypal personality disorder (STPD).
Schizotypal personality disorder is characterized by a pervasive pattern of interpersonal difficulties, as individuals exhibit an unusual combination of thoughts, language, and actions that consistently impede their capacity to form and maintain healthy relationships.
Judische revealed he had been prescribed medication to address his psychological concerns; however, he admitted to not taking it as directed, given that he never leaves his dwelling.
“I never venture outside,” Judische said. “I’ve never formed a genuine connection or friendship that wasn’t facilitated through online platforms or solely in the digital sphere. I view individuals as means to an end, regardless of their initial charm, which you can infer from my swift disposal of those who remain loyal or whom I’ve known for a considerable amount of time.”
Although Judische has not obtained an official diagnosis from a medical professional, he confesses to being acutely aware of exhibiting all the characteristic signs and symptoms indicative of someone afflicted with STPD.
“I struggle to gain recognition with those credentials,” Judische said. While some countries may restrict travel for individuals with a certain condition, others may not, so it is essential to research the specific rules and regulations of a destination before traveling.
When asked if he had always resided at his current address, Judische clarified that he had left his hometown for reasons of personal safety.
Judische said he couldn’t return home without risking robbery or arrest, declining to offer further details.
According to sources familiar with the investigation, a witness disclosed that Moucka had previously resided in Quebec, where he was reportedly forced to flee after being accused of harassment on social media platforms.
Judische’s crew allegedly profited a minimum of $4 million from its Snowflake extortion schemes. Judische stated that he and his team had dedicated themselves to targeting business process outsourcing (BPO) companies, the staffing firms that provide customer service for multiple organizations. The hackers also targeted managed service providers (MSPs), which manage IT support and security for numerous businesses, he said.
“Snowflake’s dataset pales in comparison to others on our network; nonetheless, the data exfiltrated from it exceeds a staggering 100 terabytes,” Judische boasted with evident pride. “Only those who do not pay are publicly disclosed, unless they voluntarily disclose the information themselves. Many of these companies neglect to fulfill their SEC obligations, instead opting for a straightforward payment in exchange for our prompt departure.”
INTEL SECRETS
The counterpart to UNC5537, 24-year-old John Erin Binns, was detained in Turkey in late May 2024 and is currently incarcerated in a Turkish prison. It remains uncertain whether Binns faces swift extradition to the United States, where he is wanted on criminal hacking charges linked to the 2021 breach at T-Mobile.
A person familiar with the inquiry claimed that Binns’ application for Turkish citizenship was inexplicably approved following his imprisonment, prompting speculation that he might secure his release by exploiting legal loopholes.
Under Turkish law, a Turkish national cannot be extradited to a foreign country. Turkey has emerged as a hotspot for citizenship-by-investment schemes, offering passports and asylum to individuals willing to invest several hundred thousand dollars.

A screenshot of a purported passport document, allegedly shared by Binns with this publication, is among the numerous unsolicited emails KrebsOnSecurity has received from him since 2021. Binns never gave a satisfactory explanation for sending it in February 2023.
The alleged hacking personas of Binns – codenamed “____” and “_____” – struck fear into the hearts of cybercriminals on various Telegram forums, where his reputation preceded him due to ownership of a formidable arsenal: a massive botnet. Upon examining the Telegram channels Binns regularly engaged with, it becomes apparent that members within these online forums heavily depended on Binns’ botnet and his involvement for various malicious cyber activities.
The IntelSecrets moniker refers to an individual who has taken credit for altering the open-source codebase to produce a modified version, commonly known as “Darkside,” which they then distributed to others who exploited it for criminal purposes.
Since 2020, Binns has been involved in a multitude of lawsuits against various federal law enforcement agencies and businesses – including the FBI, ICE, and the DEA (PDF) – demanding that the government disclose information collected about him and seeking restitution for his alleged kidnapping by the CIA.
According to Binns, he was forcibly taken in Turkey and endured a prolonged period of psychological manipulation and physical mistreatment. According to sources, the CIA allegedly misled their Turkish counterparts, portraying Binns as an ISIS sympathizer or member, which reportedly precipitated his wrongful detainment and brutal mistreatment at the hands of Turkish authorities.
In a 2020 lawsuit against the CIA, Binns conceded that he had previously visited an area of Syria controlled by ISIS before moving to Turkey in 2017.

In litigation Binns commenced against the Central Intelligence Agency (CIA) in 2020, Binns claims that U.S. authorities placed him on a terrorism watch list following his travel to Syria in 2017.
According to sources privy to the investigation, Binns’ paranoia reached a boiling point as he became increasingly convinced that American and Turkish intelligence agencies were monitoring his every move, including his online activities. His erratic behavior and communications actually attracted the attention of the very government entities he was trying to evade.
IRDev expressed dismay in online chats on Discord in late 2023 after falling prey to a law enforcement sting operation while trying to acquire a rocket launcher over the internet. According to an insider, in early 2023, IRDev began discreetly exploring options for acquiring an American-made portable weapon, specifically a surface-to-air missile system operating on infrared principles.
Binns told KrebsOnSecurity he received multiple visits from Turkish authorities over his persistent attempts to acquire the missile, which understandably raised questions about his efforts to accumulate such an arsenal.
WAIFU
A meticulous examination of Judische’s online presence on Telegram and Discord, spanning from 2019 onwards, reveals this individual is widely known under the alias “Sim0n,” a pseudonym closely tied to one of the most skilled SIM swappers in the English-language cybercrime community over the years.
SIM swappers obtain the login credentials of mobile phone company employees through phishing, social engineering, or bribery. This allows them to redirect a target’s phone number to a device under their control and intercept the target’s incoming text messages and phone calls.
Several Telegram channels dedicated to SIM-swapping maintain a constantly updated leaderboard of the top 100 richest SIM-swappers, alongside hacker handles affiliated with specific cybercrime groups; Waifu currently ranks #24. The notorious cybercriminal collective “LulzSec” had listed Waifu among its ranks.
The “Beige Group” first surfaced in two stories published here in 2020. In February, authorities issued a stark warning: the COVID-19 pandemic had unleashed a surge of sophisticated voice phishing attacks targeting remote workers, who were being tricked into granting access to their employers’ networks. Targets of the Beige Group’s attacks typically were employees at several prominent US corporations, including financial institutions, internet service providers, and mobile telecommunications companies.
The Beige Group’s name surfaced in media reports again in November 2020, when hackers allegedly linked to the group tricked a GoDaddy employee into installing malware, thereby gaining unauthorized access to several cryptocurrency trading platforms and redirecting their web and email traffic. Frequent targets of the Beige Group included workers at financial institutions, Internet service providers, and cellular network operators across the United States.
The various Telegram IDs used by Judische have long been accused of participating in the 2020 GoDaddy breach; when asked directly about his alleged role, he neither confirmed nor denied involvement. Judische reportedly favors vishing attacks that culminate in the installation of data-exfiltrating malware, rather than deceiving individuals into entering their login credentials and one-time verification code.
“Malware infiltration often occurs in my operations because I tend to hastily enter credentials,” Judische explained.
CRACKDOWN ON HARM GROUPS?
Throughout the years, the Judische/Waifu accounts regularly contributed to Telegram channels focused on financial cybercrime, while also dedicating a significant amount of time to harassing and stalking individuals within communities such as and .
These notorious Telegram communities have gained notoriety for perpetuating a culture of victimization among young people through orchestrated online attacks involving extortion, doxing, swatting, and relentless harassment. Members of extremist groups such as Courtroom and Leak Society often identify and recruit new affiliates by monitoring online gaming forums, social media platforms, and popular apps widely used among young people, including Discord, Twitter, TikTok, Instagram, and Snapchat.
Experts warn that online grooming tactics often start with unsolicited messages on gaming platforms, gradually escalating to private conversations on other digital platforms, potentially including video-enabled options where discussions quickly become sexualized or violent, according to a spokesperson from the Royal Canadian Mounted Police (RCMP).
“One method used by these individuals is sextortion, but instead of seeking financial gain or sexual gratification, the perpetrators are employing this tactic in a different manner,” the RCMP clarified. Instead, they exploit the platform to further manipulate and control victims into producing increasingly harmful and violent content that serves their ideological agendas and facilitates radicalization.
Several prominent groups include those known as Alpha, Beta, Gamma, Delta, Epsilon, Zeta, Eta, Theta, Iota, Kappa, Lambda, Mu, Nu, Xi, Omicron, Pi, Rho, Sigma, Tau, Upsilon, Phi, Chi, Psi.
On various cybercrime-focused platforms that Judische frequently visited, he commonly fabricated stories about his own or others’ roles in different hacking incidents. While sharing occasional glimpses into his past, Judische would often provide candid insights regarding his involvement in notorious cybercrime and harm groups, particularly those operating on Telegram and Discord platforms.
Judische, who participated in online discussions with groups like Leak Society and Courtroom, claimed to be an early member of the Atomwaffen Division (AWD), a white supremacist organization that has been linked to numerous homicides across the United States since 2017.
In 2019, KrebsOnSecurity exposed the existence of a loosely organized group of neo-Nazis engaged in swatting, some of whom had ties to AWD. Swatting involves fabricating a phony police report, typically claiming a bomb threat or hostage situation, which prompts law enforcement to dispatch heavily armed units to the designated location.
Judische also told another member of the Court that years prior, he had been active in an erstwhile extremist group called “Atomwaffen,” a notorious Discord server infamous for attracting adherents of the white supremacist ideology of the Atomwaffen Division. The now-defunct neo-Nazi forum published a 2018 retrospective on RapeLash, which featured graphic, violent images and child pornography.
According to Huddy, a self-identified member of the fascist organization known as “Forge,” he remembered that RapeLash represented the third iteration of an extremist group previously dubbed “FashWave” – a moniker derived from the phrase “Fascist Wave.”
“I don’t have concrete information on what transpired in the ‘FashWave 2.0’ middleman section, but FashWave 3.0 has a number of prominent Satanists and other degenerates linked with AWD, including one individual who was arrested for possession of child pornography charges, as I last heard.”
In June 2024, Mandiant staff reported that UNC5537 members had made death threats against cybersecurity investigators probing their activities, in one instance using artificial intelligence to generate fake nude images of a researcher in order to harass them.
Nixon serves as Chief Analysis Officer at a New York-based cybersecurity firm. Researchers like Nixon have faced a disturbing array of hostile behaviors, including verbal abuse, online intimidation, and even physical threats, primarily at the hands of anti-Semitic individuals.
Judische’s lawyer, Nixon, is expected to argue in court that his client’s self-proclaimed psychological issues may somehow justify his extensive involvement in cybercrime and harm caused to others.
“They launched a disinformation campaign in an apparent attempt to mask their previous hacking operation,” Nixon said of Judische. “Cover-ups can be seen as tacit admissions of wrongdoing, potentially eroding the foundation for psychiatric defenses in court.” As authorities intensify their efforts to combat cybercrime, we expect to see violent hackers within the criminal underworld face increasingly severe punishment.
The cybersecurity community has been left reeling after Mandiant’s recent clarification on their findings regarding the SolarWinds hack. Until now, the extent of the attack remained shrouded in mystery, with many experts speculating about the scope and motivations behind the breach.
According to Mandiant, the attackers exploited a vulnerability in the company’s Orion software, which allowed them to inject malware into the system and gain access to sensitive information.