Mandiant referred to the hacker behind the Snowflake customer hacks as UNC5537, and the company’s threat intelligence analyst, Austin Larsen, describes him in a statement to WIRED as “one of the most consequential threat actors of 2024.”
“The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm a single individual can cause using off-the-shelf tools,” Larsen adds.
While the hacker behind the Waifu and Judische handles has been linked to a Canadian identity for several months, they are believed to not be the only person linked to the Snowflake incidents. As WIRED reported in July, American hacker John Binns was allegedly involved in the Snowflake-related AT&T breach, which saw the company pay out more than $300,000 to have millions of stolen customer records deleted. (Binns was previously arrested in Turkey after the US indicted him for a 2021 breach of T-Mobile). Unit 221B’s Nixon says she’s aware of other members of the cybercriminal gang who remain at large.
According to Nixon, Waifu, now alleged to be Moucka, emerged from a cybercriminal community known as “the Com,” an underground network of young hackers and trolls active on platforms like Telegram and Discord and responsible for hacking and other digital crimes including ransomware, SIM swapping, cryptocurrency theft, sextortion, and harassment. The ransomware group known as Scattered Spider, which is responsible for highly disruptive extortion attacks against victims including MGM Entertainment and Caesars Entertainment, is among several criminal subgroups linked to the Com. “These are people who treat criminal statutes like a checklist,” says Nixon.
“I know that he’s been in the Com for a very long time, closer to a decade. He clearly spent his former teenage years being part of this culture,” Nixon says of Moucka, whom she says is now in his 20s. “When people grow up in the Com, this is how they turn out.”
As Nixon tracked Waifu and his associates over the past year, she says that he at one point made an operational security or “opsec” slipup that may have led law enforcement to his identity—though she declined to say what that mistake was or exactly when it occurred. Waifu subsequently tried to cover up this accidental reveal with false leads and misinformation posted to Telegram, what he described as “well poison.” But Nixon says law enforcement has nonetheless been aware of Moucka’s identity since at least early July. “If you make an opsec mistake, it’s done. You can’t bury it under a lot of bullshit you post later,” says Nixon. “All it’s accomplished is to show that he knew that what he was doing was wrong.”
While Moucka’s arrest is far from the end of the Com, Nixon says she sees it as a potentially important move in responding to the chaos that the larger criminal network has inflicted. Waifu, she says, was an example of a larger principle she’s observed in the cybercriminal world, that a small minority of criminals are often responsible for the majority of harms.
“This particular case is significant because they’ve picked up one of that tiny minority that causes disproportionate harm,” she says. “That’s why this is a good start. We need to arrest more of these disproportionately harmful actors.”
Updated 3:55 pm EST, November 5, 2024: Added a statement from Mandiant.