Canadian law enforcement has apprehended Alexander “Connor” Moucka, aka “Judische” and “Waifu,” who is suspected of conducting a series of hacks tied to a high-profile breach of the data management platform Snowflake earlier this year. The arrest took place on October 30, 2024, under a provisional warrant issued at the request of US authorities. The charges against Moucka have yet to be disclosed.
In June, Snowflake acknowledged that a “limited number” of its clients were impacted by a targeted hacking campaign. Google-owned cybersecurity firm Mandiant later linked the breach to a financially motivated threat group it dubbed UNC5537.
According to Mandiant’s report, UNC5537 is composed of members operating in North America and collaborates with an additional operative in Turkey. The group is believed to have affected approximately 165 organizations worldwide, leveraging stolen customer credentials, often obtained through prior stealer malware infections, to access Snowflake accounts and sensitive client data.
Victims include well-known corporations such as Advance Auto Parts, AT&T, LendingTree, Neiman Marcus, Santander, and Ticketmaster’s parent company, Live Nation. In certain cases, the hackers allegedly attempted to extort the targeted companies, threatening to sell the stolen data on criminal forums if ransom demands were not met. Notably, AT&T reportedly paid $370,000 to the attackers to ensure the deletion of the compromised data.
Initial access to Snowflake customer instances was often achieved through the native web-based UI (Snowflake UI, also known as SnowSight) and/or the command-line interface (CLI) tool (SnowSQL) operating on Windows Server 2022. Mandiant identified additional access using a malicious utility named “rapeflake,” which they track as FROSTBITE.
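As an added illustration (not from the article or from Mandiant's report), the following Snowflake SQL shows how a defender can hunt for the access pattern described above: successful logins that used a password as the only authentication factor, arriving through the web UI or SnowSQL. It reads the standard SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view; the 30-day window is an assumption.

```sql
-- Added example: hunt for single-factor (password-only) logins through the
-- Snowflake web UI or SnowSQL, the two access paths named in the article.
-- Uses the built-in SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (data arrives
-- with up to ~2h latency and is retained for 365 days).
-- The 30-day lookback is an assumption; adjust to your retention needs.
WITH single_factor AS (
    SELECT
        event_timestamp,
        user_name,
        client_ip,
        reported_client_type,
        reported_client_version
    FROM snowflake.account_usage.login_history
    WHERE is_success = 'YES'
      AND event_timestamp >= DATEADD('day', -30, CURRENT_TIMESTAMP())
      AND first_authentication_factor = 'PASSWORD'
      AND second_authentication_factor IS NULL          -- no MFA on this login
      AND reported_client_type IN ('SNOWFLAKE_UI', 'SNOWSQL')
)
SELECT
    user_name,
    reported_client_type,
    COUNT(*)                      AS login_count,
    COUNT(DISTINCT client_ip)     AS distinct_ips,
    MIN(event_timestamp)          AS first_seen,
    MAX(event_timestamp)          AS last_seen,
    ARRAY_AGG(DISTINCT client_ip) AS source_ips
FROM single_factor
GROUP BY user_name, reported_client_type
-- Accounts that authenticate with a password alone from several addresses
-- are the first to review for stolen credentials and to enrol in MFA.
ORDER BY distinct_ips DESC, login_count DESC;
```

Run it with a role that has been granted the ACCOUNT_USAGE share (ACCOUNTADMIN by default); a result set that is not empty is a list of accounts still exposed to the credential-stuffing path the campaign used, whether or not they have been abused yet.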
More information on the charges and potential extradition of Moucka is expected to emerge as the investigation proceeds.