Surveillance photos of Connor Moucka included in an affidavit filed in court.Supplied
Connor Moucka, a Kitchener, Ont., resident accused of participating in a massive hacking scheme targeting customers of cloud storage provider Snowflake Inc. SNOW-N, allegedly posted online about obtaining firearms and conducting mass killings, according to court documents.
Mr. Moucka, who U.S. authorities are seeking to extradite, posed a danger to the public and himself and was a flight risk, having acquired a substantial sum of cryptocurrency, Canadian and U.S. law enforcement officials allege in an unsealed arrest warrant filed in a Kitchener court last month.
The 25-year-old allegedly used racial slurs online and wrote about killing Black people, for instance by “mass mailing” them sodium-nitrate pills; acquiring “guns to kill Canadians”; and wanting to commit “suicide by cop,” according to court documents.
On Jan. 11, a username allegedly belonging to Mr. Moucka mused on the online platform Discord that he would be “a good mass shooter,” the documents state. The user described a plan to buy a box van and mount an M134 machine gun inside it, controlling it with a remote control, “then just mow down a crowd.” He could remain hidden the whole time, he wrote.
The documents also contain evidence such as chat logs allegedly linking Mr. Moucka to a hacking scheme that began last spring and targeted customers of a U.S. cloud-based storage provider believed to be Snowflake.
The scheme involved using stolen login credentials to access private data – such as banking information, medical records, driver’s licence numbers, passport numbers and Social Security numbers – stored in the cloud and belonging to businesses and their users, then extorting those companies for ransoms by threatening to leak the stolen data online.
The U.S. indictment against Mr. Moucka and his alleged co-conspirator, Turkey resident John Erin Binns, doesn’t name Snowflake or the other victim companies, although the cloud storage provider is widely believed to be Snowflake because it has publicly acknowledged breaches affecting its customers.
Mr. Moucka and Mr. Binns are accused of having hacked into at least 10 companies’ protected computer networks, gaining access to billions of sensitive customer records, successfully extorting at least $2.5-million from at least three companies and posting offers to sell stolen data on cybercriminal forums.
In one attack, hackers obtained 50 billion phone-call and text-message records belonging to the customers of an unnamed U.S. telecom giant. The telecom paid the ransom but was extorted again several months later in October, according to court documents.
U.S. authorities say they are aware of more than 100 other companies that may have fallen victim to related breaches conducted by some of the same co-conspirators using similar methods.
Companies that have publicly announced breaches linked to Snowflake include U.S. telecom giant AT&T Inc., luxury retailer Neiman Marcus Group Ltd., Ticketmaster Entertainment, Santander Bank and more.
Attempts to reach Mr. Moucka for comment or identify a lawyer representing him were unsuccessful. Ontario court records list him as “unrepresented,” and the Department of Justice Canada previously told The Globe that Mr. Moucka was awaiting a decision from legal aid.
U.S. authorities were able to locate Mr. Moucka and connect him to criminal activity through his Apple iCloud account, they allege.
An arrest warrant for Mr. Moucka was issued in Seattle on Oct. 10 for conspiracy, computer fraud and abuse, extortion in relation to computer fraud, wire fraud and aggravated identity theft.
The unsealed Ontario court records identified Mr. Moucka’s Kitchener address. Images online show that it is a small red brick home with white siding on a tree-lined street in Kitchener’s Stanley Park neighbourhood.
On Oct. 21, shortly after 2:20 p.m., a plainclothes RCMP officer knocked on Mr. Moucka’s front door and rang the bell. The man who answered was dishevelled and identified himself as Alex. “You woke me up, sir,” Mr. Moucka said, according to an affidavit sworn by Constable Jaclyn Whittington of the RCMP.
Photographs taken that day by the RCMP’s surveillance team depict a young man with messy dark hair and a mustache and beard wearing a striped collared T-shirt standing in the doorway.
Several days later, on Oct. 29, the Ontario Superior Court issued a warrant for Mr. Moucka’s provisional arrest. He was taken into custody the following day and appeared in court later that afternoon, then again on Nov. 12.
The arrest warrant was initially sealed in order to prevent Mr. Moucka from becoming aware of the file’s contents, which authorities feared could cause him to flee or attempt to delete or destroy evidence.
“Based on lawfully obtained screenshots from Moucka’s iCloud account, Moucka controls a significant amount of cryptocurrency stored in wallets that have not yet been found by law enforcement. These proceeds could be used to facilitate his flight and would support him afterwards,” court documents state. One bank account or crypto wallet shows a balance of $3.496-million, according to U.S. law enforcement.
In February, Mr. Moucka wrote online that he was “pretty sure” he could obtain citizenship to the Czech Republic, authorities allege.
Law enforcement were also concerned that the danger that Mr. Moucka allegedly poses to the public, the police and himself would be elevated if he became aware of the contents of the court file. The documents were unsealed after his arrest.
Mr. Moucka, whose full name is Connor Riley Moucka, goes by several aliases, authorities allege, including “Alexander Antonin Moucka,” “judische,” “catist,” “waifu” and “ellye18.”
One of those aliases is connected to a criminal matter in Quebec. According to court documents obtained by The Globe, a 25-year-old Kitchener resident named Alexander Antonin Moucka was criminally charged in November, 2023, for allegedly harassing a woman “by means of telecommunication” and threatening to kill her or cause bodily harm to her. The alleged incidents occurred in Montreal between July 1 and Sept. 30 of that year.
The person controlling a Discord account linked to the hacks states that he has changed his birth name from Connor to Alex, that he lived in Wyoming when he was younger and that he was raised by his grandparents until he was 11 years old, then lived with them again for several years when he was 16, according to the court documents.
Mr. Moucka is scheduled to appear in court again on Nov. 29.