News | International
17 Nov 2024 8:46
NZCity News

    Court filings reveal inner workings of alleged hackers accused of the ShinyHunters data breach

    Connor Moucka and John Binns have been arrested in connection with the Snowflake data breaches, which impacted customers of major companies.


    Court documents in the arrest of two men accused of being associated with an international hacking syndicate have revealed how they allegedly got access to "billions" of sensitive customer records.

    Canadian Connor Moucka, also known as Alexander Moucka, and Turkish citizen John Binns were arrested and charged with computer fraud, wire fraud and aggravated identity theft over the hack on cloud storage facility Snowflake.

    While the victims were not named in the indictment, Snowflake's customers included US telecommunications business AT&T, Neiman Marcus and Mitsubishi.

    The hack allegedly resulted in the theft of individuals' text history, banking, payroll records, driver's licence numbers, passport numbers and other personal information.

    US prosecutors said the charges related to a period between November 2023 and October 2024.

    "Moucka, Binns and their co-conspirators accessed and obtained data from at least 10 different organisations' Cloud Computing Instances using stolen access credentials," the indictment said.

    "The co-conspirators … used software they dubbed 'Rapeflake' to identify valuable information residing within the victims' Cloud Computing Instances, including organisation names, user roles and [IP] addresses, among other information."

    The indictment detailed how Mr Binns and Mr Moucka allegedly extorted victims by threatening to sell or distribute the data, and three victims paid the ransom.

    The scheme is believed to have netted $2.5 million USD, or $3,814,988 AUD.

    Accused hackers used many aliases

    Mr Moucka allegedly went by a number of different personas online, including judische, catist, waifu and ellyel8.

    Mr Binns allegedly went by irdev and j_irdev1337.

    The indictment alleges the men frequently changed accounts to protect their anonymity, and operated on off-shore servers that would not regularly log IP addresses.

    It is alleged they leased technological infrastructure using fraudulent information and payment methods for the conspiracy, including servers and IP addresses.

    US prosecutors said they would advertise stolen data on the dark web and demand payments in cryptocurrency so they could hide the source and destination of their money.

    The victims

    The individual victims of the data breaches were not named in the indictment, and were instead named as "Victim 1" to "Victim 6".

    While the affected parties remain anonymous, the impact of the Snowflake data breach continues to have worldwide ramifications - including in Australia.

    The Australian Cyber Security Centre issued advice about the breach, warning Snowflake customers to take steps to protect themselves.

    "Australian organisations who utilise Snowflake should reset credentials for active accounts, disable non-active accounts, enable Multi-Factor Authentication (MFA), and review user activity," they said.

    "The [cyber security centre] is monitoring the situation and is able to provide assistance and advice as required."

    In a statement, Snowflake said it was aware many of its customers had been compromised during the hack.

    "To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product," a spokesperson said.

    "Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted."

    Fall-out continues

    Ticketmaster and Live Nation customers have recently filed a class action lawsuit in California, regarding a hack on the business that happened during the same period outlined in the indictment.

    The plaintiff has alleged the businesses failed to adequately protect their private information.

    "Plaintiff's and class members' personal information — which they entrusted to defendant on the mutual understanding that defendant would protect it against unauthorised disclosure — was compromised in a data breach," the lawsuit alleged.

    Ticketmaster has previously assured customers their details were safe, but warned them to keep an eye out for identity theft.

    "We take data protection very seriously and have been working with the relevant authorities, including law enforcement, as well as credit card companies and banks," a spokesperson said.

    It is still unclear how the hack occurred, but Google analysts previously said it was likely due to a threat actor using credentials previously stolen via infostealer malware.


    ABC




    © 2024 ABC Australian Broadcasting Corporation. All rights reserved
