Strategy behind Snowflake hackers revealed in court document

Recently, the alleged Snowflake hackers Connor Moucka of Canada and John Bins from Turkey were arrested. Now this has led to an actual indictment from the U.S. Justice Department. The indictment reveals more details about the modus operandi of the hack.

Both suspects are still in custody in Canada and Turkey. In the recently released U.S. indictment, they are accused of conducting an international hacking and extortion operation against more than 10 companies and organizations.

The stolen data included logs of phone calls and text messages, bank records and other financial information, paychecks and other data, Drug Enforcement Agency registration numbers, driver’s licenses and passport information.

The U.S. prosecutor therefore holds both defendants responsible for computer, transaction, and extensive identity fraud.

Although the indictment does not name the victims, they appear to align with known victims of the hack, all of whom are Snowflake customers. Examples include Ticketmaster, AT&T and the bank Santander.

Modus operandi clearer

The indictment also details how both individuals proceeded in hacking and extortion activities. Under a series of pseudonyms, both suspects sought access to the affected companies’ Snowflake cloud instances between November 2023 and October 2024 using previously stolen login credentials.

They then used so-called “Rapeflake” software to identify and steal interesting, sensitive data on these instances. They then approached the victims to extort them. At least three companies reportedly actually paid, and the hackers allegedly raised about $2.5 million in the process.

Both suspects also advertised the stolen data on hacker forums such as BreachForums, Exploit.in and XSS.is, where it was offered for sale for monetary amounts or cryptocurrency.

According to Google security experts, the hackers are this year’s most dangerous. Moucka and Bins are also said to have connections to the notorious ransomware gang Scattered Spider. Among other things, this gang is said to be responsible for the infamous hacks on major casinos in Las Vegas last year. In addition, John Bins is said to have been involved in a hacking attack on T-Mobile USA in 2021.

Lawsuit against Ticketmaster

The major hack is still having repercussions. In October this year, aggrieved customers took Ticketmaster and parent company LiveNation to court in California in a class action lawsuit. They accused both companies of not taking proper care of personal data security, pointing to the hack.

Possibly 560 million Ticketmaster customers worldwide fell victim to the theft of their personal data as a result of the hacking attack.
