Hacker Behind Snowflake Data Breaches Continues Activity, Extorts Millions

23 September 2024 | Zaker Adham

Summary

The hacker responsible for the massive data breaches of Snowflake customers, extorting up to $2.7 million, is still actively targeting businesses, according to cybersecurity experts.

SCOTTSDALE, Ariz. – The individual behind the high-profile cyberattacks on Snowflake customers earlier this year remains active, with recent evidence showing ongoing efforts to break into software-as-a-service (SaaS) providers. Austin Larsen, a senior threat analyst at Mandiant, presented the findings at SentinelOne's LABScon security conference on Friday.

The hacker, who uses the aliases "Judische" and "Waifu," has continued to target a range of SaaS companies and other organizations, according to Larsen. While Larsen declined to identify the hacker by name, cybersecurity journalist Brian Krebs recently linked "Judische" to a 26-year-old software engineer living in Ontario, Canada. Mandiant says it has "moderate confidence" that this attribution is accurate.

The hacker played a central role in the compromise of up to 165 Snowflake customers in April. The intrusions did not rely on a flaw in Snowflake's platform; the attackers simply logged in with valid customer credentials that had been harvested by infostealer malware. Far fewer companies were actually extorted, only "dozens," according to Larsen, but major names including AT&T, Ticketmaster, and Santander have been confirmed as victims.

Larsen presented private communications obtained by Mandiant that provided insights into how "Judische" and their associates planned and coordinated these cyberattacks. These conversations included specific details, such as IP addresses for dumping stolen data.

The hacker and their group have managed to extort as much as $2.7 million from victims. However, in a conversation with journalist Joseph Cox from 404 Media, "Judische" claimed the amount was closer to $2 million.

Notably, "Judische" collaborated with hacker John Binns on the separate breach of AT&T, which the carrier confirmed involved the records of nearly all its customers over a six-month period in 2022. Binns, who was also behind a major 2021 T-Mobile data breach, was arrested in Turkey following the AT&T incident and remains in custody.

Larsen’s research also uncovered that Binns used the stolen AT&T data to track individuals assigned to investigate him, along with rivals and other high-profile figures. Both "Judische" and Binns are connected to the online cybercriminal ecosystem known as "The Com," a community known for its involvement in extortion, kidnappings, and other illicit activities.

The FBI and the Royal Canadian Mounted Police declined to comment on this ongoing investigation as of Friday.