The U.S. government has accused Connor Moucka and John Binns of being the hackers who broke into the systems of AT&T, stealing around 50 billion customer call and text records.
In July, AT&T said hackers stole the phone records of “nearly all” of its cellular and landline customers, as well as calls and text message records — such as who contacted whom by phone or text — but not the content of the messages. At the time, AT&T said it would notify around 110 million AT&T customers of the breach, and that the records were stolen from its systems hosted on Snowflake, a provider of cloud services for data analysis.
Until the Department of Justice’s indictment against the two hackers, which was filed on Sunday, the total number of stolen AT&T customer records was unknown.
The document does not mention AT&T. Instead, it mentions “Victim-2,” describing it as “a major telecommunications company located in the United States,” which was breached around April 14. When AT&T previously confirmed it was breached, it said the company learned of the hack on April 19. This means that both the description of what kind of company Victim-2 is, and the dates of its breach, align with what AT&T had publicly disclosed, making it almost certain that Victim-2 is indeed AT&T.
AT&T and the DOJ did not initially respond to requests for comment.
Do you have more information about the AT&T breach? Or other Snowflake-related breaches? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
Overall, according to the indictment, Moucka and Binns accessed “billions of sensitive customer records” and extorted at least 36 bitcoin (around $2.5 million when the victims paid) from at least three victims over a span of almost a year, from around November 2023 until October 10 of this year.
Prosecutors say Moucka, who lived in Canada, is also known online as “judische,” “catist,” “waif,” and “cllyels,” and Binns, who lived in Turkey, was known as “irdev” and “j_irdev1337.” Moucka was arrested in Canada last week. Binns was previously arrested in Turkey, according to 404 Media.
In August, Binns took credit for the AT&T breach with The Wall Street Journal. Moucka, through his moniker “Judische,” told 404 Media that he thought he’d be arrested soon.
AT&T is just one of several victims that had sensitive data stolen from their Snowflake instances. Over recent months, hackers also broke into Santander Bank, Ticketmaster, and around 165 other corporate customers. All of these companies use Snowflake.
Prosecutors alleged that by breaking into the victim companies’ Snowflake instances, the hackers stole troves of sensitive personal and corporate data, including social security numbers, driver’s license numbers, passport numbers, and banking information, which makes these Snowflake-related breaches some of the worst cyberattacks of the year. In some cases, the hackers also asked victims for a ransom by threatening them with leaking the stolen information, threats that they followed up on at times.
Wired previously reported that AT&T paid a hacker $370,000 in an attempt to get them to delete the stolen records. Prosecutors said in the indictment that Victim-2 paid a ransom to the hackers.