A Canadian man who allegedly stole the personal information of millions of Australian Ticketek and Ticketmaster customers is facing decades in jail if found guilty of the litany of charges against him.
The Nightly can reveal that an indictment, filed in the United States District Court on October 10 but only unsealed this week, shows that Connor Riley Moucka is facing 20 charges in relation to this year’s Snowflake cyber-attacks.
Snowflake is software that allows organisations to upload and store data within online storage environments.
US prosecutors allege that Moucka and another man, John Erin Binns, hacked into the computer networks of at least 10 of the world’s largest corporations in this year’s most far-reaching data breach.
This hack was one of the biggest in history due to the scale of personal data stolen in the breaches.
The pair’s crimes — conspiracy, computer fraud and abuse, extortion, wire fraud and aggravated identity theft — are alleged to have been committed between November 2023 and last month.
The indictment, filed in the District Court at Washington, alleges that Moucka and Binns “devised and executed international computer hacking and wire fraud schemes” to hack into the victim organisations’ protected computer networks, steal sensitive information, threaten to leak the stolen data unless the victims paid ransoms, and offer to sell online, and sell, the stolen data.
“Through this scheme, the co-conspirators gained unlawful access to billions of sensitive customer records, including individuals’ non-content call and text history records, banking and other financial information, payroll records, Drug Enforcement Agency registration numbers, driver’s licence numbers, passport numbers, Social Security numbers, and other personally identifiable information,” it says.
“Moucka, Binns and their co-conspirators profited from these schemes through several means, including by successfully extorting at least 36 bitcoin (worth approximately US$2.5 million at the time of payment) from at least three victims, and by posting offers to sell victims’ stolen data on cybercriminal forums for millions of dollars.”
Over a number of months, Snowflake customers — including AT&T, Santander bank, Live Nation Entertainment, TEG Pty Ltd, Lending Tree, Advance Auto Parts and Neiman Marcus — had their data exposed or stolen in the cyber-attacks.
Live Nation owns Ticketmaster and TEG owns Ticketek.
The indictment does not name the 10 victims but “Victim-1” — described as a US-based software-as-a-service provider that lets customers upload and store data in online storage environments — is understood to be Snowflake Inc.
Another victim, believed to be AT&T Inc, is described in the court documents as a large US-based telecommunications company, from which Moucka and Binns allegedly accessed “approximately 50 billion customer call and text records, including dialled numbers, for commercial advantage.”
The indictment also lists a major retailer, an entertainment company and a health-care provider among the victims.
Court documents say the co-conspirators, including Moucka and Binns, used software they dubbed “Rapeflake” to identify valuable information residing within the victims’ Cloud Computing Instances.
After stealing the data, Binns and Moucka allegedly tried to extort the companies they had breached.
“The co-conspirators, including Moucka and Binns, through intermediaries, extorted victims by threatening to sell or otherwise distribute their stolen data unless the victims paid ransoms, which at least three victims paid.
“In at least one instance, the co-conspirators attempted to re-extort one of these victims with threats of further disclosure of the victim’s stolen data.”
The indictment says Moucka and Binns used a range of communication methods “in furtherance of their crimes” and changed these accounts frequently “to protect their anonymity”.
The alleged offenders used communication platforms that cater specifically to cybercriminals, including a number of online cybercrime forums, as well as Telegram channels dedicated to online frauds and other cybercrimes.
Moucka — who used online aliases including Judische and Waifu — then bragged online about successfully extorting the companies.
A months-long international investigation involving cybersecurity researchers and international law enforcement, including the Australian Federal Police, identified Moucka and traced him to Kitchener, Ontario, where he was arrested on October 30.
Last week the 25-year-old software engineer faced an extradition hearing in Ontario’s Superior Court of Justice, appearing remotely via an audio link from prison.
Moucka told the court he did not yet have a lawyer and would have to apply for legal aid.
Binns, who also used various online aliases, was recently arrested in Turkey and is also awaiting a potential extradition to the US.