3rd Party Risk Management , Governance & Risk Management , Incident & Breach Response
US Prosecutors Charge Hackers in Snowflake Data Theft
DOJ Accuses Alleged Hackers of Stealing Terabytes of Data From Snowflake VictimsThe U.S. Department of Justice on Wednesday unsealed an indictment against alleged hackers Connor Moucka and John Binns, accusing them of stealing terabytes of data from cloud platform Snowflake in a major breach impacting over 165 organizations and involving roughly 50 billion call and text records.
See Also: Cyber Insurance Assessment Readiness Checklist
Moucka was arrested earlier this month in Canada after Binns was detained in Turkey over a 12-count indictment from 2022 that charged him with hacking telecom giant T-Mobile the year prior (see: Canadian Cops Bust Suspected Hacker Tied to Snowflake Hits). Google Cloud's Mandiant incident response team began assisting Snowflake in June with investigating a breach by the group UNC5537, otherwise known as Scattered Spider, which stole data from approximately 165 customers, with millions of individuals affected from accounts lacking multi-factor authentication.
The indictment charges Moucka and Binns with stealing "approximately 50 billion customer call and text records" and successfully extorting "at least 36 bitcoin" - worth approximately $2.5 million at the time of payment. The alleged hackers generated revenue by "posting offers to sell victims' stolen data on cybercriminal forums for millions of dollars," the indictment reads.
Federal prosecutors say Moucka and Binns committed computer fraud and aggravated identity theft from November 2023 through October 2024, obtaining stolen access credentials to cloud computing services and downloading terabytes of private data, including text history records, banking and other financial information, Social Security numbers and other personally identifiable information.
"The co-conspirators gained unlawful access to billions of sensitive customer records," the indictment reads. Publicly identified victims from the Snowflake hack include Santander Bank, automotive parts supplier Advance Auto Parts, Live Nation Entertainment's Ticketmaster, Neiman Marcus, the Los Angeles Unified School District and Bausch Health.
Reports indicated the attackers behind the Snowflake hack began shaking down victims in June, demanding ransom and threatening to post sensitive data online (see: Victims of Snowflake Data Breach Receive Ransom Demands). Mandiant reported at the time that it had identified up to 10 Snowflake customers targeted by ransom demands ranging from $300,000 to $5 million.
The hackers demanded payments in cryptocurrency and "conducted complex cryptocurrency transfers in order to hide the source and destination of their funds," the indictment adds. Moucka and Binns allegedly used virtual asset service providers located across the globe, including in the United States, to carry out their transactions.