Canadian authorities have arrested Alexander “Connor” Moucka, a 25-year-old man from Kitchener, Ontario, for allegedly stealing data from and extorting more than 160 companies. Moucka was apprehended on a provisional arrest warrant from the United States. At the end of 2023, hackers discovered that many large corporations had uploaded significant volumes of sensitive customer data to cloud accounts that were often protected with only a username and password, without multi-factor authentication.
The cybercriminals exploited these vulnerabilities and began accessing and pilfering data from these repositories. The hackers managed to steal personal information, including phone and text message records, affecting roughly 110 million people. It was reported that AT&T paid a hacker $370,000 to delete stolen phone records.
The victims included well-known companies such as Ticketmaster, LendingTree, Advance Auto Parts, and Neiman Marcus. Moucka, who allegedly used several hacker handles, is linked to this data extortion ring and has been connected to various cyber operations and extremist groups. In May 2024, it was revealed on a fraud-focused Telegram channel that Santander Bank was also a victim, one of the first breaches in the campaign to become publicly known.
Canadian hacker linked to data breaches
At a court hearing in Ontario, Moucka, calling in from a prison phone, indicated he was seeking legal aid to hire an attorney. He is currently named in multiple indictments issued by U.S. prosecutors, though the specific charges have not been disclosed as the cases remain under seal.
Sources close to the investigation have attributed the data breaches to a group named UNC5537, with members based in North America and elsewhere. UNC5537 has been implicated in numerous data thefts, including a major security breach that exposed personal information of 76.6 million customers. In a statement on Moucka’s arrest, Mandiant, a cybersecurity firm, described UNC5537, aka Alexander Moucka, as one of the most consequential threat actors of 2024.
The group systematically compromised over a hundred organizations, resulting in significant data loss and extortion attempts. The investigation has also revealed links to other telecommunications hacking incidents purportedly involving another cybercriminal, John Erin Binns. Binns and his associate, known as Judische, are suspected of hacking several telecom companies and intercepting communications in countries such as India.
Judische has apparently outsourced the sale of stolen data to another cybercriminal known as Kiberphant0m. As authorities close in on the involved parties, the broad implications of these data breaches continue to unfold, marking a significant episode in the ongoing struggle against cybercrime.