Canada arrests suspected hacker over breach of 160+ Snowflake users’ data
Canadian authorities have arrested a person suspected to be behind a large-scale hacking campaign that targeted Snowflake Inc. users.
TechCrunch reported today that Alexander Moucka was apprehended last Wednesday. He appeared in court shortly thereafter and his case was subsequently adjourned to today.
The arrest followed a request from U.S. authorities. According to cybersecurity journalist Brian Krebs, Moucka is named in several sealed indictments filed by U.S. prosecutors and federal law enforcement agencies. A spokesperson for the Canadian Department of Justice told The Verge that “as extradition requests are considered confidential state-to-state communications, we cannot comment further on this case.”
The hacking campaign at the center of the case came to light earlier this year. Researchers from Mandiant, Google LLC’s cybersecurity services unit, found a dataset that had been stolen from an unnamed organization’s Snowflake environment. This organization subsequently hired Mandiant to investigate further, which led to the discovery that more than 160 other Snowflake customers were breached as well.
“Alexander ‘Connor’ Moucka has proven to be one of the most consequential threat actors of 2024,” Austin Larsen, a senior threat analyst at Mandiant who helped investigate the hacking campaign, told TechCrunch. “This arrest serves as a deterrent to cybercriminals and reinforces that their actions have serious consequences.”
The data breaches weren’t the result of a security flaw in Snowflake’s platform. Rather, the cybercriminals used login credentials stolen in earlier cyberattacks to sign into organizations’ Snowflake accounts. According to Mandiant, the breaches occurred because the affected customers failed to refresh their login credentials and enable multifactor authentication.
The 160-plus organizations impacted by the hacking campaign included multiple large enterprises. In May, reports emerged that the cybercriminals had accessed data belonging to about 560 million Ticketmaster Corp. customers. Two months later, AT&T Inc. disclosed that the hacking campaign compromised six months’ worth of text and call logs stored in its systems.
A person who has claimed responsibility for the AT&T breach was arrested in Turkey earlier this year. According to Wired, the individual was apprehended after the U.S. indicted him over a separate cyberattack that targeted T-Mobile US Inc. in 2021.
In response to the hacking campaign against its customers, Snowflake recently upgraded its platform with a set of new cybersecurity features. The company added a setting that allows administrators to turn on multifactor authentication by default. Additionally, the update introduced a dashboard that can highlight when a Snowflake account has access to more data than strictly necessary.