exclusive

Man allegedly behind Ticketmaster hack arrested over software breaches that affected millions of Australians

Kristin Shorten
The Nightly
Possibly one of the world’s worst cybercriminals, who allegedly stole the data of millions of Australians, has been arrested in Canada and will face an extradition hearing today. Credit: Maksym - stock.adobe.com

Possibly one of the world’s worst cybercriminals, who allegedly stole the data of millions of Australians earlier this year, has been arrested in Canada and will face an extradition hearing in the early hours of Wednesday morning.

The Nightly understands cybersecurity researchers and international law enforcement, including the Australian Federal Police, have been working together for months to identify and hunt down the hacker who breached cloud data warehousing platform Snowflake in April.

Canada’s Department of Justice confirmed to Bloomberg that suspected cybercriminal Alexander “Connor” Moucka was taken into custody on a provisional arrest warrant last week.

Moucka – who used online aliases Judische, Waifu and ellyel8 – is believed to have been behind “the biggest data breach incident of 2024”.

“We can now confirm that, following a request by the United States, Alexander Moucka (a.k.a. Connor Moucka) was arrested on a provisional arrest warrant on Wednesday, October 30, 2024,” the DOJ said.

“He appeared in court later that afternoon and his case was adjourned to Tuesday, November 5, 2024.

“As extradition requests are considered confidential state-to-state communications, we cannot comment further on this case.”

The Nightly understands Mr Moucka, a 26-year-old software engineer living in Ontario, is due to face an extradition hearing in Ontario’s Superior Court of Justice at 10am local time on November 5, which is 2am on Wednesday in Sydney.

Mr Moucka is alleged to be behind a recent wave of high-profile data breaches impacting 165 Snowflake customers including Ticketmaster (Live Nation), AT&T and LendingTree.

ShinyHunters on Breach Forums claiming they are responsible for a Live Nation and Ticketmaster data breach stealing 560 million customers’ details. Credit: Supplied

Snowflake Inc. is an American cloud-based data storage company.

This hack was one of the biggest in history due to the scale of personal data stolen in the breaches.

The Ticketmaster breach alone, reported in early July 2024, affected more than 560 million customers.

The hacker/s allegedly attempted to extort the companies by threatening to sell their stolen data on criminal forums if they didn’t pay up.

Bloomberg has reported that a person claiming to be behind the attacks told the outlet, over Telegram earlier this year, that they were hoping to get $20 million for the full set of data they had stolen.

Austin Larsen, a senior threat analyst at the cybersecurity firm Mandiant, this week told Bloomberg that Mr Moucka “has proven to be one of the most consequential threat actors of 2024”.

Mandiant was the company that Snowflake brought in to investigate the incident.

Larsen said Moucka’s campaign against more than 100 organisations had left them “reeling from significant data loss and extortion attempts”.

He added that it “highlighted the alarming scale of harm a single individual can cause using off-the-shelf tools.”

Cyber Threat Intelligence Executive Editor Jeremy Kirk last night wrote on LinkedIn that Mr Moucka’s arrest was a “culmination of a global investigative effort by private companies including Mandiant (part of Google Cloud) and public sector organizations, including in Australia, which are bringing new momentum and capabilities to international cybercrime investigations”.

Journalist Joseph Cox reported that before his arrest, Mr Moucka told 404 Media about “his alleged origin story and entry into the hacking and crime ecosystem known as The Com”.

The Com reportedly includes groups engaging in cybercriminal activity including violence, extortion, kidnappings, shootings and robberies.

Cox also reported that in mid-October, Mr Moucka said he was “worried that they would be arrested soon”.

“I’ve destroyed a lot of evidence and well poisoned the stuff I can’t destroy so when/if it does happen it’s just conspiracy which I can bond out and beat,” Mr Moucka reportedly told the outlet.

Another hacker called John Binns, who was arrested in Turkey in May 2024, is believed to have collaborated with Mr Moucka, according to The Hacker News.
