
Court files reveal inner workings of hackers accused in ShinyHunters data breach

Court documents surrounding the arrest of two men accused of links to an international hacking syndicate have revealed how they allegedly accessed “billions” of sensitive customer records.

Canadian Connor Moucka, also known as Alexander Moucka, and Turkish citizen John Binns were arrested and charged with computer fraud, wire fraud and aggravated identity theft for the attack on the cloud storage facility Snowflake.

Although the names of the victims are not mentioned in the indictment, Snowflake’s customers included US telecommunications company AT&T, Neiman Marcus and Mitsubishi.

Screenshot of ShinyHunters profile on the dark web.

Screenshot from ShinyHunters promoting the alleged one-off sale of Ticketmaster data on the dark web.

The attack allegedly resulted in the theft of individuals’ text message histories, banking information, payroll records, driver’s license numbers, passport numbers and other personal information.

US prosecutors said the charges relate to the period between November 2023 and October 2024.

“Moucka, Binns and their collaborators used stolen access credentials to access the Cloud Computing Instances of at least 10 different organizations and obtain data,” the indictment said.

“The collaborators used software they called ‘Rapeflake’ to identify valuable information located on victims’ Cloud Computing Instances, including organization names, user roles, and (IP) addresses, among other information.”

The indictment details how Mr. Binns and Mr. Moucka allegedly blackmailed the victims by threatening to sell or distribute the data, and that three victims allegedly paid the ransom.

The scheme is believed to have generated net proceeds of US$2.5 million (AU$3,814,988).

Accused hackers used many aliases

Mr Moucka allegedly used a number of different personas online, including judische, catist, waifu and ellyel8.

Mr Binns allegedly used irdev and j_irdev1337.

The indictment alleges that the accused frequently changed accounts to maintain their anonymity and worked from offshore servers that do not routinely log their IP addresses.

It is alleged that, in furtherance of the conspiracy, they rented technical infrastructure, including servers and IP addresses, using false identities and fraudulent payment methods.

They would advertise the stolen data on the dark web and demand payments in cryptocurrency so they could hide the source and destination of their money, US prosecutors said.

Victims

The data breach victims are not named in the indictment, instead being referred to as “Victim 1” through “Victim 6.”

While affected parties remain anonymous, the impact of the Snowflake data breach continues to have consequences worldwide, including in Australia.

The Australian Cyber Security Centre issued advice regarding the breach, warning Snowflake customers to take steps to protect themselves.

“Australian organizations using Snowflake should reset credentials for active accounts, deactivate inactive accounts, enable Multi-Factor Authentication (MFA) and review user activity,” they said.

“(The cybersecurity center) is monitoring the situation and can provide assistance and advice when necessary.”
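The four steps in that advice map directly onto queries against Snowflake’s own account-usage views. The block below is an added illustration, not code from the ACSC, Snowflake or the article; it assumes a role with access to the SNOWFLAKE.ACCOUNT_USAGE schema and uses the column names documented for the LOGIN_HISTORY and USERS views (check them against current Snowflake documentation before relying on the results).

```sql
-- Added example (not from the ACSC or Snowflake). Assumes access to the
-- SNOWFLAKE.ACCOUNT_USAGE views; these lag live activity by up to a few
-- hours, so treat the output as a historical review, not a live alert.

-- 1. Review user activity: successful logins in the last 30 days that used a
--    password with no second factor. Password-only access from an unfamiliar
--    client IP is the pattern stolen infostealer credentials produce.
SELECT user_name,
       client_ip,
       reported_client_type,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen,
       COUNT(*)             AS logins
FROM   snowflake.account_usage.login_history
WHERE  is_success = 'YES'
AND    event_timestamp > DATEADD(day, -30, CURRENT_TIMESTAMP())
AND    first_authentication_factor = 'PASSWORD'
AND    second_authentication_factor IS NULL
GROUP  BY user_name, client_ip, reported_client_type
ORDER  BY last_seen DESC;

-- 2. Enable MFA: active users that authenticate with a password but have no
--    MFA enrolled. Each row is an account to enrol (or move to key-pair auth).
SELECT name, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
AND    disabled::BOOLEAN = FALSE
AND    has_password = TRUE
AND    has_mfa = FALSE
ORDER  BY last_success_login DESC NULLS LAST;

-- 3. Deactivate inactive accounts: no successful login in the last 90 days.
SELECT name, last_success_login
FROM   snowflake.account_usage.users
WHERE  deleted_on IS NULL
AND    disabled::BOOLEAN = FALSE
AND    (last_success_login IS NULL
        OR last_success_login < DATEADD(day, -90, CURRENT_TIMESTAMP()));

-- 4. Act on the lists above, one account at a time ("example_user" is a
--    placeholder): reset the password of a still-needed account so the
--    stolen secret stops working, and disable accounts nobody uses.
ALTER USER example_user RESET PASSWORD;
ALTER USER example_user SET DISABLED = TRUE;
```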

Snowflake said in a statement that it was aware that many of its customers were compromised during the hack.

“To date, we do not believe this activity was caused by any vulnerability, misconfiguration, or malicious activity in the Snowflake product,” a spokesperson said.

“Throughout our ongoing investigation, we immediately notified a limited number of customers we believe may have been impacted.”

The fallout continues

Customers of Ticketmaster and Live Nation recently filed a class-action lawsuit in California over a hack that occurred at the business around the same time period outlined in the indictment.

The plaintiff claimed that the businesses failed to adequately protect his private information.

“Plaintiff’s and class members’ personal information, which they entrusted to the defendant with the mutual understanding that the defendant would protect it from unauthorized disclosure, was compromised by a data breach,” the lawsuit alleged.

Ticketmaster has previously reassured customers that their information is safe, but warned them to be wary of identity theft.

“We take data protection very seriously and work with relevant authorities, including credit card companies and banks, as well as law enforcement,” a spokesperson said.

It’s not yet clear exactly how the attack occurred, but Google analysts have previously said it was likely carried out by a threat actor using customer credentials that had earlier been stolen by information-stealing malware.