Canadian authorities late last month arrested a man suspected of hacking and extorting dozens of companies whose data was compromised in a breach of the cloud storage systems of data warehousing firm Snowflake.

According to reports, a 26-year-old Canadian native named Alexander “Connor” Moucka, a resident of Kitchener, Ontario, was arrested at the request of U.S. investigators on charges stemming from a series of cyberattacks that followed the Snowflake breach earlier this year.

Bloomberg first broke the news, reporting that Moucka – who used the online monikers “Waifu” and “Judische” – was taken into custody on a provisional warrant from the United States. The charges against Moucka were undisclosed and he was expected to be brought into court this week.

Snowflake first disclosed the data breach in May and it began to snowball, engulfing as many as 160 companies that used the vendor’s cloud storage systems. According to cybersecurity vendor Brian Krebs, at the end of last year, bad actors learned that major companies had storage large amounts of sensitive customer data in Snowflake systems that were highly vulnerable to compromised. They were protected by usernames and passwords, but no multi-factor authentication.

“After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories used by some of the world’s largest corporations,” Krebs wrote.

Major Corporations Victimized

The ripples from the Snowflake breach rippled through major corporations like AT&T, Niemen Marcus, Progressive, Advance Auto Parts, Pure Storage, Santander Bank, State Farm, and Ticketmaster.

Researchers with Google’s Mandiant cybersecurity unit and security firm CrowdStrike in June attributed the attacks to the UNC5537 threat group, which they said didn’t breach Snowflake but used credentials that had previously been stolen – some as far back as 2020 – to get into the Snowflake accounts of companies that didn’t have MFA activated.

Snowflake didn’t require organizations to use MFA. The hackers stole data and began extorting the victim companies.

In some cases, the hackers threatened to sell the data on the dark web if they weren’t paid a ransom, with AT&T reportedly paying the bad actors $370,000 to delete the stolen data. AT&T announced that essentially all 110 million customers from 2022 had their phone metadata stolen from Snowflake.

Suspect on the Radar

Krebs noted a column that he wrote in September in which the hacker handles that Moucka allegedly used were part of a larger trend of the overlap of cybercriminals and what he said call “harm communities,” extremist groups that target minors and try to get them to harm themselves or others.

In that column, Krebs wrote that a bad actor called Judische in May boasted a couple of times on a Telegram channel Star Chat of hacking Santander, days before the bank itself disclosed that hack. Judische later bragged about attacks on other companies before their data was put up for sale.

Krebs determined that Judische was the same person using the moniker Waifu and who was known for SIM-swap scams, in which a threat actor trick a mobile carrier into transferring the phone number to a new SIM card. Calls and messages meant for the victim instead are sent to the bad actor’s device.

In the column, Krebs said Judische was a 26-year-old software engineer in Ontario, Canada. In addition, Krebs and 404 Media linked Judische to a hacker called John Binns, a 21-year-old American who was arrested in Turkey in May.