Court File No. [redacted]
SUPERIOR COURT OF JUSTICE (CENTRAL SOUTH REGION)

IN THE MATTER OF an application pursuant to section 13 of the Extradition Act for a warrant for the provisional arrest of CONNOR RILEY MOUCKA a.k.a. ALEXANDER ANTONIN MOUCKA a.k.a. JUDISCHE a.k.a. CATIST a.k.a. WAIFU a.k.a. ELLYEL8

AND IN THE MATTER OF an application for a sealing order prohibiting public access to this Application

BETWEEN:
THE ATTORNEY GENERAL OF CANADA (ON BEHALF OF THE UNITED STATES OF AMERICA)
Applicant
and
CONNOR RILEY MOUCKA a.k.a. ALEXANDER ANTONIN MOUCKA a.k.a. JUDISCHE a.k.a. CATIST a.k.a. WAIFU a.k.a. ELLYEL8
Person Sought for Extradition

AFFIDAVIT

I, Cst. [redacted] Whittington of the Royal Canadian Mounted Police, MAKE OATH AND SAY AS FOLLOWS:

1. I am currently employed with the National Cybercrime Investigative Team with the Royal Canadian Mounted Police (RCMP). I am assigned to assist with the request from the United States of America for the extradition of CONNOR RILEY MOUCKA a.k.a. ALEXANDER ANTONIN MOUCKA a.k.a. JUDISCHE a.k.a. CATIST a.k.a. WAIFU a.k.a. ELLYEL8 ("MOUCKA"). As such, I have knowledge of the matters deposed to in this affidavit. I believe the information contained in this affidavit to be true.

2. I affirm this affidavit in support of an application by the Attorney General of Canada for a warrant for the provisional arrest of MOUCKA, pursuant to section 13 of the Extradition Act (the "Act").

I. The Minister of Justice Canada has authorized the Attorney General of Canada to apply for a warrant of provisional arrest

3. Attached as Exhibit "A" is a copy of the Minister's authorization in this matter, dated October 25, 2024. It states that: "The United States of America has requested that Canada seek the provisional arrest of CONNOR RILEY MOUCKA a.k.a. ALEXANDER ANTONIN MOUCKA a.k.a. JUDISCHE a.k.a. CATIST a.k.a. WAIFU a.k.a. ELLYEL8. The Attorney General of Canada is authorized to apply for a provisional arrest warrant."
II. It is Necessary in the Public Interest to Arrest MOUCKA, including to prevent him from escaping or committing an offence

4. Attached as Exhibit "B" is a copy of the Request for Provisional Arrest to Canada, which includes the Statement of Facts and Urgency ("Request") in this matter, which I have read.

5. I believe it is necessary in the public interest to issue a warrant for the arrest of MOUCKA. My belief is based on the following information set out in the Request:

a) Seriousness of the allegations: MOUCKA is wanted for prosecution in the U.S. for alleged computer intrusion/ransom offences. MOUCKA and his co-conspirators, including John Erin Binns, hacked into at least 10 companies' protected computer networks, stole sensitive information, threatened to leak the stolen data unless the victims paid a ransom, and published, sold, or offered to sell this stolen data online.

b) To date, MOUCKA and his co-conspirators have gained unlawful access to billions of sensitive customer records, including non-content call and text history records, banking information, medical information, Social Security numbers, payroll records, and other personally identifiable information. The co-conspirators have successfully extorted at least $2.5 million from at least three victims and continue to attempt to extort victims. Finally, the co-conspirators have posted, and continue to post, offers to sell victims' stolen data on cybercriminal forums.

c) Risk of flight: MOUCKA poses a serious risk of flight. He has the means to flee. He has earned at least approximately $2.5 million in ransom payments for stolen data from Victim-1 customers already interviewed by the FBI. Based on lawfully obtained screenshots from MOUCKA's iCloud account, MOUCKA controls a significant amount of cryptocurrency stored in wallets that have not yet been found by law enforcement, including an unknown bank account or crypto wallet showing a balance of $3,496,076.97.
d) These funds could be used to facilitate his flight and would support him afterwards.

e) Evidence also indicates MOUCKA is aware of the gravity of this case and the exposure he will face upon extradition to the United States. He has repeatedly discussed his operational security measures and attempts to delete evidence in order to evade identification and apprehension. MOUCKA has repeatedly purchased new laptops and deleted and created new accounts over the course of his offences.

f) The investigation has also revealed that MOUCKA has considered obtaining foreign citizenship. For example, in February 2024, he sent a message stating, "I can get dual citizenship to Czech Republic pretty sure, I want an eu passport." The U.S. authorities have no information about whether he has actually sought to do so.

g) Additionally, media outlets have contacted U.S. authorities about this matter and one outlet indicated it intends to name MOUCKA in an article to be submitted for publication on October 25, 2024. U.S. authorities believe that this publication would increase the risk of flight and lead MOUCKA to destroy evidence and publish stolen information.

h) Risk of further criminality: Evidence gathered over the last several months also establishes that MOUCKA continues to be actively engaged in hacking activities. MOUCKA's campaign has involved the theft of terabytes of sensitive data from tens, if not hundreds, of victims. Additionally, MOUCKA has repeatedly extorted and re-extorted his victims, resulting in enormous and ongoing harm not only to the corporations impacted but also the millions of individuals whose data was stored by these corporations.

i) MOUCKA and his conspirators continue to sell, publish, and otherwise leak this data online, and every day that he is allowed to remain free, his harms will continue.
As recently as October 2024, MOUCKA attempted to re-extort at least one victim, repeatedly threatening to release more of this company's data even after the company paid a ransom. MOUCKA has also continued to publish private data stolen from victims online, and to aggressively market this data for sale. Stolen data was posted publicly at least as recently as on or about September 20, 2024.

j) Risk of danger to the public, to police, and to himself: MOUCKA poses an ongoing danger to the public, to police, and to himself. On January 10, 2024, MOUCKA, using his Nutz Discord Account, said "I think I'd make a really good serial killer" and repeatedly referenced committing mass killings and obtaining firearms.

k) MOUCKA also discussed committing suicide and suicide by cop on both January 11, 2024, and January 18, 2024; on the latter occasion, MOUCKA stated, "I think I want to do suicide by cop." In another message, MOUCKA stated, "I need guns to kill Canadians."

III. MOUCKA is in Canada

6. I believe that MOUCKA is in Canada and resides at [redacted], Kitchener, Ontario. My belief is based on the following:

a) The Request states that MOUCKA's address is [redacted], Kitchener, Ontario.

b) The Request states that MOUCKA's Apple account provides evidence of his identity, location and criminal activity. Specifically:

i. Apple records produced in response to legal process showed MOUCKA's account (i) was accessed from IP address 24.246.30.67 (the "Canadian IP Address") over 500 times between April 1, 2023, and August 20, 2024; (ii) had a residential address of [redacted], Kitchener, Ontario, N2A 1X4, a phone number (250) [redacted], and a machine ID of [redacted]; (iii) reflected numerous purchases using the Canadian IP Address between June 22 and July 8, 2024, including purchases of an iPhone 15 Pro, MacBook Air, and iPad, all of which were billed to "Alexander Moucka" and shipped to [redacted], Kitchener, Ontario, Canada (the "Target Location");
and (iv) reflected payments on the account by an "Alexander Moucka" using both PayPal and Mastercard, some of which used the Canadian IP Address;

ii. U.S. authorities reviewed information stored in the Apple account's iCloud storage. iCloud is a file hosting, storage, and sharing service provided by Apple. Numerous photos in the Apple account's iCloud provide direct and circumstantial evidence of MOUCKA's involvement in the criminal activity and his location. For example, the iCloud account contains multiple photos of MOUCKA's Canadian passport, including one with full name Connor Riley Moucka, passport number [redacted], date of birth 18 August 1989, in Kitchener, Canada;

iii. MOUCKA's Apple iCloud account contains (1) a screenshot and receipt for an iPad Pro that shipped to "Alexander Moucka" at [redacted], Kitchener, ON N2A 1X4; and (2) a Best Buy order receipt from July [illegible] for a [illegible] gaming headset, to be shipped to "Alexander Moucka" at [redacted], Kitchener, ON N2A 1X4.

c) The Request includes evidence that MOUCKA's Google account and Discord account have also been accessed at the same Canadian IP Address:

i. A WHOIS lookup showed that the Canadian IP Address is provisioned by TekSavvy Solutions Inc., a Canadian service provider, and geolocates to Waterloo, Ontario, Canada.

ii. Google account connormoucka[redacted]@gmail.com has also used the Canadian IP Address as recently as August 26, 2024.

iii. IP records from Discord showed that the user of the Nutz Discord Account logged into the account from the Canadian IP Address over 3,360 times between October 28, 2023, and April 4, 2024.

d) On October 21, 2024, officers of the RCMP attended [redacted], Kitchener, Ontario, to confirm that MOUCKA resides at that location. Shortly after 2:20pm, a plain clothes officer knocked on the front door and rang the bell. MOUCKA answered the door and identified himself as "Alex". At one point, MOUCKA said "You woke me up Sir".
The plain clothes officer observed that MOUCKA was disheveled and very obviously freshly awoken.

e) Attached as Exhibit "C" are photographs of MOUCKA taken by the surveillance team on October 21, 2024. I have compared these photographs to the photographs attached to the Request and confirm that it is one and the same person.

7. The Request describes the person sought with the following identifiers:
Name (include A/K/As): Connor Riley Moucka a.k.a. Alexander Antonin Moucka
Country(ies) of Citizenship: Canada
Date(s) of Birth: August 18, 1999
Place of Birth: Kitchener, Ontario, Canada
Race: White
Gender: Male
Hair Color: Brown
Eye Color: Brown

IV. A Warrant for MOUCKA's Arrest has been issued

8. Included at Exhibit B in the Request is a copy of the warrant for the arrest of MOUCKA issued by the United States District Court for the Western District of Washington on October 10, 2024.

V. Sealing Order

9. It is requested that this court file be sealed until MOUCKA is arrested, at which point the court file can be unsealed. The grounds for the sealing order are as follows: If MOUCKA were to become aware of his court file and its contents before his arrest, the risk of flight would increase, as would the risk that he might attempt to delete or destroy evidence in order to evade apprehension and identification. Furthermore, as stated above, MOUCKA poses a danger to the public, to police, and to himself, and those risks would be elevated if he were to become aware of this court file and its contents before police are able to execute his arrest.
SWORN REMOTELY pursuant to O.Reg 431/20 by Jaclyn Whittington, stated as being located in the City of Ottawa in the Province of Ontario, before me at the City of Vaughan, in the Province of Ontario, on October 28, 2024.

[signature] Jaclyn Whittington

Lynne Axmith (00207711), A Commissioner in and for the Province of Ontario, City of Toronto, for the Government of Canada, Department of Justice. Expires January 11, 2026.

This is Exhibit "A" referred to in the affidavit of Jaclyn Whittington sworn before me this 28th day of October, 2024.
Axmith, Lynne, A Commissioner for taking Affidavits

Form 2 - Section 12 - Authority to apply for a provisional arrest warrant

TO: The Attorney General of Canada

In the matter of an extradition request pursuant to the provisions of the Extradition Act, S.C. 1999, c. 18

SUPERIOR COURT OF JUSTICE

BETWEEN: THE ATTORNEY GENERAL OF CANADA (on behalf of the United States of America) -and- CONNOR RILEY MOUCKA AKA ALEXANDER ANTONIN MOUCKA; JUDISCHE; CATIST; WAIFU; AND ELLYEL8.

AUTHORIZATION TO APPLY (Section 12 Extradition Act)

The United States of America has requested that Canada seek the provisional arrest of Connor Riley Moucka AKA Alexander Antonin Moucka; judische; catist; waifu; and ellyel8.

The Attorney General of Canada is authorized to apply for a provisional arrest warrant.

DATED at Gatineau, Quebec, on the 25th day of October 2024.

[signature] Vicky [illegible], Counsel, International Assistance Group, for the Minister of Justice of Canada

This is Exhibit "B" referred to in the affidavit of Jaclyn Whittington sworn before me this 28th day of October, 2024.
[signature] A Commissioner for taking Affidavits

REQUEST FOR PROVISIONAL ARREST

RETURN COMPLETED FORM TO: Office of International Affairs, Criminal Division, U.S. Department of Justice. Phone: (202) 514-0000. Fax: (202) 514-0080.

STATE/DISTRICT REQUESTING PA: U.S.
Attorney's Office for the Western District of Washington; Computer Crime & Intellectual Property Section, Criminal Division

IDENTIFICATION OF FUGITIVE:
Name (include A/K/As): Connor Riley Moucka, aka Alexander Antonin Moucka
Country(ies) of Citizenship: Canada
Date(s) of Birth: August 18, 1999
Place of Birth: Kitchener, Ontario, Canada
Proof of Citizenship attached (if U.S. citizen): ___ (i.e., passport, naturalization or birth certificate)
Race: White
Gender: male _X_ female ___
Height: 183cm Weight: Unknown
Hair Color: Brown Eye Color: Brown
Scars/Other Characteristics: N/A
Photograph Attached: Yes Fingerprints Attached: No
Driver's License No: [redacted] State Issued: Ontario
Passport No: [redacted] Date & Place Issued: Jan. 16, 2017, Denver (Canadian passport)
Nat'l ID Card No: N/A Date & Place Issued: N/A
Specific Address/Exact Location in Canada: [redacted], Kitchener, Ontario N2A 1X4
If in custody in Canada, Charges & Anticipated Date of Release: N/A

Canadian law enforcement contact in Canada (NOT U.S. contact in Canada) with knowledge of facts, fugitive's location. Name & Title: Cpl. David Kennealy. Agency: Royal Canadian Mounted Police

Law enforcement contact in U.S. with knowledge of facts, fugitive's location. Name & Title: Special Agent Hannah Trepte. Agency: Federal Bureau of Investigation

CHARGES AND BASIS FOR REQUEST

U.S. Charging or Commitment Document (attach copy). Check One: _X_ Indictment ___ Superseding Indictment ___ Complaint ___ Judgment/conviction order ___ Other (DESCRIBE)
Number: [illegible] Date Filed: October 10, 2024
Name and Location of Court: U.S. District Court for the Western District of Washington; Seattle, Washington
Has the Charging Document been unsealed (or, been unsealed for the limited purpose of sharing with the U.S. State Department and a foreign government for purposes of extradition)? YES _X_ NO ___
Offenses for which extradition is requested are punishable by at least one year in prison: YES _X_ NO ___
Statute of Limitations (attach copy). Does statute of limitations preclude prosecution or incarceration? YES ___ NO _X_
Arrest Warrant (attach copy). Fugitive is wanted to (check one): _X_ Stand Trial ___ Be Sentenced ___ Serve a Sentence ___ Serve Remaining Sentence (indicate how much left to serve)
Number: CR24-180-1 LK Date Filed: October 10, 2024
Issued By: U.S. District Court for the Western District of Washington
Name and Location of Court: U.S. District Court for the Western District of Washington, Seattle, Washington

C. REQUESTING AUTHORITY, AUTHORIZATION, AND FINANCIAL COMMITMENTS

1. Requesting Authority Federal District: U.S. Attorney's Office for the Western District of Washington

2. Prosecutor Authorization. Provide the name of the prosecutor authorizing this PA request. Name: George Brown. Title: Trial Attorney, Computer Crime & Intellectual Property Section

BY SUBMITTING THIS FORM, THE PROSECUTOR COMMITS TO: (1) PREPARING A FORMAL EXTRADITION REQUEST WITHIN THE TIME SPECIFIED BY OIA UPON THE ARREST OF THE FUGITIVE IN CANADA; AND (2) ACCEPTING RESPONSIBILITY FOR EXTRADITION-RELATED COSTS.

Statement of Facts: Connor Riley Moucka

The information set forth in this request has been gathered by U.S. authorities from approximately April 2024 through the present and includes information from (a) U.S. and foreign victim companies, including information from interviews and victim computer systems; (b) U.S. and foreign service providers, including information lawfully obtained via search warrants, court orders, and other legal demands; and (c) open-source information and information provided by private sector incident response companies and other persons.

U.S. authorities are investigating MOUCKA, who also uses various online monikers, including but not limited to judische, catist, waifu, and ellyel8. MOUCKA also claimed to have changed his name to Alexander, but his "birth name" "is actually Connor." Discord is an online communications and messaging company.
MOUCKA and his co-conspirators, including John Erin Binns, hacked into at least 10 companies' protected computer networks, stole sensitive information, threatened to leak the stolen data unless the victims paid a ransom, and published, sold, or offered to sell this stolen data online.

Many of the victims in this investigation were storing data with a U.S. software-as-a-service company (Victim-1). Victim-1 provides cloud computing "instances" to its customers, which provide cloud data analysis capabilities. These cloud computing instances store data of Victim-1's customers, and Victim-1 generally collects some IP logging information on behalf of its customers. Victim-2 through Victim-5 are customers of Victim-1.

MOUCKA and his co-conspirators targeted companies with a common utility (dubbed "rapeflake" by the hackers and "Frostbite" by security researchers). This utility is a software tool that the co-conspirators used to perform reconnaissance on Victim-1 instances. Private sector security researchers have determined that "rapeflake" could be used to query information from databases.

To date, MOUCKA and his co-conspirators have gained unlawful access to billions of sensitive customer records, including non-content call and text history records, banking information, medical information, Social Security numbers, payroll records, and other personally identifiable information. The co-conspirators have successfully extorted at least $2.5 million from at least three victims and continue to attempt to extort victims. Finally, the co-conspirators have posted, and continue to post, offers to sell victims' stolen data on cybercriminal forums.

Infiltration and Stealing of Data from Victim Companies

Victim-1 customers targeted by MOUCKA and his co-conspirators have provided evidence of the following hacking and extortion activities.

Victim 2

Victim-2 is a major U.S. telecommunications company and wireless network operator. As discussed below, U.S.
authorities determined that MOUCKA and at least one co-conspirator, John Erin Binns, successfully hacked into Victim-2's computer systems and stole approximately 50 billion call and text records (but not the content of the calls or texts) belonging to Victim-2 and its customers, which MOUCKA and his co-conspirators monetized by extorting Victim-2.

On April 19, 2024, the FBI received information suggesting that a threat actor had obtained unauthorized access to Victim-2's computer networks. The FBI lawfully obtained screenshots of Telegram chat messages with a user serving as an intermediary, Individual-1, as well as another user labeled "Ir (irdev)," later discovered to be John Erin Binns. Binns confirmed to Individual-1 that he had call records with "14 billion entries" from Victim-2 and requested the phone number of an FBI agent who had previously investigated Binns for another breach into a different U.S. telecommunications provider, for which Binns was previously charged in the Western District of Washington.

The FBI approached Victim-2, which confirmed that it had been breached and that the sample data Individual-1 saw in the Telegram chats was real Victim-2 customer data. The FBI also lawfully obtained copies of Telegram communications between Individual-1 and the Telegram username @judische (labeled with the display name "catist") which contained a sample of Victim-2's data. Victim-2 confirmed the data is authentic. The Judische Telegram account was later determined to be MOUCKA, as described below.

Victim-2 used an outside incident response firm to conduct an investigation and determined that a machine-to-machine credential had been compromised and used to access Victim-2's cloud instance without authorization. Furthermore, the firm determined that particular IP addresses were used by the threat actors to access Victim-2's cloud instance and exfiltrate hundreds of gigabytes of Victim-2's information.
These included a specific IP address ("malicious IP address") from which the malicious actor connected to Victim-2's cloud instance on approximately April 14 and 15, 2024. Information from Victim-2 indicated that the malicious IP address was hosted by a U.K. provider. The U.S. authorities also sent legal process to the U.K. provider. As discussed below, Binns logged into one of his communications accounts from the malicious IP address around the same time that the data exfiltration occurred.

The FBI obtained logs of sessions, authentication, and jobs from Victim-1. Combined with logs from Victim-2 showing the amount of data exfiltrated from its cloud instance, these logs provided details about the intrusions that occurred between at least April 14 through at least April 28, 2024, during which time malicious IP addresses that were not part of Victim-2's normal activities conducted unauthorized activities on its system. Victim-2's logs further show that hundreds of gigabytes of data were exfiltrated.

Victim-1 also has access to its customers' logs. These logs provide IP addresses used by the threat actors. The FBI combined information from the logs of Victim-1 and Victim-2 to confirm that Victim-2's data was successfully exfiltrated on April 14, 2024, April 15, 2024, and April 24, 2024, and to confirm the IP addresses used in the intrusions.

The lawfully obtained Telegram chats between MOUCKA, Binns, and Individual-1 contain detailed, inculpatory information about the activity of MOUCKA and Binns and confirm that MOUCKA was actively inside of Victim-2's systems. For example, on April 23, 2024, a person using the @judische moniker, later determined to be MOUCKA as explained below, told Individual-1, "I can search yeah, or he [Binns] can.
He understands the structure of the data better than I do, I just provided access to him." The FBI determined that "he" referred to Binns because of the information above that Binns had already exfiltrated some Victim-2 information approximately a week before these messages. Binns also messaged Individual-1 on April 22, 2024, stating, "My partner is trying to get more data"—referring to MOUCKA.

MOUCKA, while using the @judische Telegram username, had the following conversation with Individual-1 on April 23, 2024:

MOUCKA: ...Did he tell you how many lines he has?
Individual-1: 14 billion or something like that
MOUCKA: this many for the current month 24356004473 / 34 Billion
Individual-1: Wait what? You have access to live data?
MOUCKA: yes
Individual-1: Or you can just see it
MOUCKA: live
Individual-1: And you can download it??
MOUCKA: Yes I can download or query
Individual-1: Whoa
MOUCKA: I can also delete and add

The same day, MOUCKA also talked about the data that "he has exfiltrated and indexed at 14B," suggesting Binns had already downloaded 14 billion records. The next day, MOUCKA discussed his ongoing exfiltration of approximately 4 billion records:

MOUCKA: "He [Binns] has 14B September and I'll have 35B October"
Individual-1: "ok well get what you can. it just adds more value"
MOUCKA: "okay good. I'll get as much as I can"
MOUCKA: "Can try to get 34B sept and 35B Oct"

On April 24, 2024, MOUCKA, Binns, and Individual-1 started a Telegram group chat to discuss selling Victim-2's information. As noted above, Victim-2 provided the U.S. authorities with information confirming a large amount of data was exfiltrated on April 14, April 15, and April 24. Victim-2 also communicated and negotiated with Individual-1 about a ransom demand in May 2024. It ultimately paid a ransom to have the stolen data deleted from the server on which the co-conspirators were storing it. Victim-2 confirmed that it has been re-extorted in the last few weeks.
Specifically, Individual-1 contacted them again, on behalf of "catist" (MOUCKA), and engaged in ransom negotiations.

Victim 3

Victim-3 is a major retailer located in the United States. On or about May 23, 2024, a well-known computer security and incident response company notified Victim-3 that it was a potential victim of a similar computer intrusion. On May 29, 2024, representatives from Victim-3 met with the FBI and confirmed that three categories of its information had been stolen from its cloud instance, including customer information for approximately 20 million customers, gift card information, and internal company business documents. Victim-3 also stated that it was actively negotiating through the same intermediary, Individual-1, that negotiated with Victim-2.

The FBI also reviewed logs provided by Victim-1, which indicated that Victim-3's instance was accessed without authorization from approximately April 14, 2024, through May 24, 2024, and that the rapeflake utility was deployed on Victim-3's computer systems. (As discussed below, MOUCKA claimed to have written the rapeflake utility.) Victim-3 hired an incident response company to investigate the breach and confirmed its instance had been compromised using stolen login credentials belonging to a former contractor located outside the United States. According to the incident response firm's investigation, this former contractor's credential was likely compromised via a credential stealer in approximately 2021 and available in cybercriminal marketplaces as early as May 2021. Stolen credentials are generally available for free and for purchase on the dark web.

U.S. authorities obtained and reviewed written records provided by Victim-3, including emails with Individual-1. On May 24, 2024, two members of Victim-3's information security team were contacted via LinkedIn by Individual-1, who used his true name.
Individual-1 offered to broker a deal with the hacker and provided a sample of the data. Individual-1 later requested a phone call with Victim-3 and spoke to Victim-3's counsel. On May 29, 2024, Individual-1 indicated that he thought they "c[ould] close around [$]275[,000]." Then, on or about May 30, 2024, Individual-1 emailed Victim-3 that the threat actor wanted $450,000. Individual-1 subsequently informed Victim-3 that another victim had paid a substantial sum. After several email exchanges and at least one telephone call with Individual-1, Victim-3 ceased communications.

In or about June 2024, a co-conspirator created a post on BreachForums and stated they were making the Victim-3 database available for download after Victim-3's refusal to pay a ransom. The FBI discovered this post, which included a link for download. The FBI accessed this link and downloaded approximately 10.6 GB of compressed materials. When unpacked, the data was approximately 86.1 GB and contained numerous files with filenames that matched queries run by the threat actors in Victim-1's logs for Victim-3's instance. The FBI downloaded the data from BreachForums and verified that it was consistent with the information from Victim-3's investigation. Specifically, the downloaded data included customer names, emails, billing addresses, personal identifying information, purchase information, and full gift card numbers with expiration dates. The FBI sent the first 30 lines of the tables of the downloaded data to Victim-3, which confirmed that it was a true and accurate representation of its data, with minor modifications (the timestamps were off in some instances and there were some duplicated rows).

As part of ongoing extortion efforts involving Victim-3 data, a co-conspirator posted on BreachForums another sample of Victim-3's data for sale in or about July 2024. The post demanded a ransom payment, which Victim-3 never paid.

Victim 4

Victim-4 is a major U.S. entertainment and marketing company.
The FBI obtained logs about Victim-4's cloud computing instance from Victim-1. According to those logs, the threat actor breached Victim-4's cloud instance from at least on or about April 14, 2024, through at least May 18, 2024. Victim-4 informed the FBI that the types of data stolen included names, contact information, partial payment card numbers, and in some instances driver's license numbers and/or passport numbers. Additionally, Victim-4 confirmed that only one account on its Victim-1 cloud computing instance had been breached.

On or about May 17, 2024, Victim-4 learned about a potential breach, which it later confirmed. On May 29, 2024, the FBI interviewed Victim-4 and discovered it was investigating a breach of its Victim-1 cloud computing instance in which threat actors may have stolen information related to its customers' contact information and payment card information. Victim-4 reviewed logs from its cloud instance and learned the actors accessed their instance without authorization.

In or about May 2024, a co-conspirator posted on the cybercriminal forum Exploit.in a sale of Victim-4's data that purportedly included millions of users and payment card details. The post included sample data without any names but with sale order IDs, account numbers, account created data, and partial addresses.
The FBI subsequently visited this post in or around June 2024 and September 2024. The FBI learned that the information offered for sale was not the same as the data stolen from Victim-4, but Victim-4 stated that it appeared to have some overlap with what was stolen from their Victim-1 instance, suggesting that the threat actors were potentially mixing data.

During this same time period, Individual-1 contacted Victim-4 several times offering to act as an intermediary between Victim-4 and the threat actors and/or advising about MOUCKA's use of the data. For example, on June 20, 2024, Individual-1 reached out to two different people associated with Victim-4 via email. In one communication, Individual-1 stated, "[t]he hacker has recently leaked 1 million [illegible] records and is threatening to leak more. They have also dropped their price point to about 100k USD. At that price, I imagine they will sell at least 3-4x." In or about July 2024, Individual-1 indicated that he had been "extremely successful in the past in getting his demands down to a more reasonable amount." Individual-1 attached a BreachForums post, which included an extortion attempt.

As part of continued extortion attempts, a co-conspirator made a subsequent post on a cybercriminal forum in an attempt to extort Victim-4. In early October 2024, MOUCKA posted a poll on Telegram using another account believed to be controlled by him with display name "scarlet the meow cat" and username @nyakira. In the poll he asked people to vote on whether he should leak more of Victim-4's data; the post was lawfully reviewed by U.S. authorities. Victim-4 never paid a ransom.

Victim 5

Victim-5 is a large foreign corporation headquartered in Europe. On or about May 9, 2024, the FBI notified Victim-5 about a potential breach of its computer systems. In the Telegram chats provided to the FBI by Individual-1, "ellyel8", who was later identified as MOUCKA as shown below, discussed having ongoing access to Victim-5 as of April 25, 2024. MOUCKA stated:

Individual-1: wait. you have access to [Victim-5]??
MOUCKA: Yes [Victim-5] lol
Individual-1: that might be too big for now. we might want to start smaller

Individual-1 and MOUCKA also discussed the nature of the data MOUCKA had access to, and MOUCKA stated that he focused on "HR" data first. MOUCKA later stated, "yeah for [Victim-5] let me figure out the best way to query that many mssql without the data masks but without altering the schema to remove the mask bc they might notice."

The FBI provided Victim-5 with a screenshot of sample HR data from the Telegram chats and initial indicators of compromise. Victim-5 conducted an internal investigation and subsequently validated the data from the screenshot, confirmed that its Victim-1 instance had been breached, verified that the initial breach occurred on or about April 17, 2024, and indicated that the breach continued through at least May 10, 2024. According to Victim-5's internal investigation and a review of their logs, this breach was the result of compromised credentials of two employees. The stolen data included names, addresses, company identification numbers, and payroll accounts for employees across multiple countries, including in the United States.

Victim-5 subsequently informed the FBI that three types of data had been exfiltrated. First, Victim-5's employee data, including those of employees based in the United States, had been stolen, which included employees' names, social security numbers, and addresses, as well as company payroll records.

Victim-5 provided the extortion emails that it received to the FBI. These included an email from the same intermediary, Individual-1. On May 13, 2024, Individual-1 notified Victim-5 that the "threat actor" was "actively downloading" Victim-5's data, and provided some sample data and a link to another account with additional data.
Victim-5 downloaded sample data from Individual-1 and verified that it contained Victim-5's data.

The FBI also compared IP records from Victim-5's logs with the login records for a Discord account controlled by Binns (the Irdev Discord Account). The FBI's comparison showed that common IP addresses were used to log into both Victim-5's network and Binns's Irdev Discord Account, within short timeframes and via one of the same providers, as follows:

IP Address | Irdev Discord (UTC) | Victim-5 (UTC) | ISP
194.230.148.136 | [timestamp illegible in scan] | [timestamp illegible in scan] | Sunrise (Switzerland)
194.230.144.136 | [timestamp illegible in scan] | [timestamp illegible in scan] | Sunrise (Switzerland)

Additional Victims

Based on widespread reporting, as well as published analyses by security research firms, U.S. authorities are aware of over 100 other companies that may have been victim to similar computer intrusions conducted by some of the same co-conspirators and using a similar methodology. The FBI has communicated with several U.S. and foreign companies who believe they were victims of similar computer intrusions by the same actors and confirmed at least 10 companies' cloud instances that were accessed without authorization. Victims generally are Victim-1 customers, many of whom were targeted using "rapeflake." Many victims received samples of their stolen data and were extorted in similar ways.

Three Key Discord Accounts Are Controlled by MOUCKA and Linked to the Intrusions

U.S. authorities reviewed IP logs from the intrusions into victim companies and identified malicious IP addresses at specific times. U.S. authorities then obtained court orders requiring electronic communication service providers to identify accounts that had been accessed by the malicious IP addresses at specific dates and timestamps.
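The IP-and-timestamp overlap analysis described above, as an added example that is not part of the affidavit: two constructed login logs are indexed by IP address and compared within a configurable window, mirroring the short-timeframe matching the affidavit relies on. All account labels, IP addresses and timestamps in the sample are assumed, constructed values, not records from the case.

```python
# Added example (not from the affidavit): correlating two login logs by shared IP
# and time proximity, as in the overlap analysis described above. Every record,
# label and IP below is constructed (RFC 5737 ranges), not a value from the case.
from datetime import datetime, timedelta
from typing import NamedTuple

class Login(NamedTuple):
    source: str   # which log the record came from
    ip: str
    ts: datetime  # assumed already normalised to UTC

def parse_logins(lines):
    """Parse constructed 'source|ip|YYYY-MM-DD HH:MM:SS' lines into Login records."""
    recs = []
    for line in lines:
        source, ip, ts = (f.strip() for f in line.split("|"))
        recs.append(Login(source, ip, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")))
    return recs

def ip_overlaps(log_a, log_b, window_minutes):
    """(a, b, delta) triples where a and b share an IP and |ts_a - ts_b| <= window."""
    window = timedelta(minutes=window_minutes)
    by_ip = {}
    for rec in log_b:  # index one log by IP once, then probe it with the other
        by_ip.setdefault(rec.ip, []).append(rec)
    hits = []
    for rec in log_a:
        for other in by_ip.get(rec.ip, []):
            delta = abs(rec.ts - other.ts)
            if delta <= window:
                hits.append((rec, other, delta))
    return sorted(hits, key=lambda h: (h[0].ts, h[1].ts))

def matched_occasions(hits):
    """Distinct log_b timestamps with at least one nearby same-IP login from log_a."""
    return sorted({b.ts.strftime("%Y-%m-%d %H:%M:%S") for _, b, _ in hits})

# Overlap on a VPN or carrier-grade NAT egress IP is weak evidence on its own; the
# affidavit pairs it with cookie linkage and message content for that reason.
ACCOUNT_LOG = parse_logins([
    "account-A|203.0.113.7|2023-12-31 15:37:00",
    "account-A|203.0.113.7|2023-12-31 15:44:00",
    "account-A|203.0.113.7|2023-12-31 15:46:00",
    "account-A|198.51.100.9|2024-01-03 09:00:00",  # never within window of log B
])
FILEHOST_LOG = parse_logins([
    "filehost-B|203.0.113.7|2023-12-31 15:41:04",
    "filehost-B|203.0.113.7|2023-12-31 15:50:07",
    "filehost-B|198.51.100.9|2024-01-03 21:30:00",  # same IP as above, hours apart
])
```

Calling `ip_overlaps(ACCOUNT_LOG, FILEHOST_LOG, 5)` returns four matches on the two file-host logins; widening the window to 10 minutes adds a fifth, while a 3-minute window keeps only one, which shows how sensitive the count is to the threshold chosen.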
Discord identified accounts accessed from the malicious IP addresses during the same time periods of the intrusions, and the government then obtained search warrants on various accounts, as U.S. authorities learned that the threat actor would delete and create numerous accounts. U.S. authorities determined that three identified accounts were controlled by MOUCKA and provided key evidence of his identity: (i) User ID 547214862313435626, with unique username azurape (the Azurape Discord Account); (ii) User ID 1166162525477679110, with prior unique username a2zzrrrzzeezzrzrremute (the Nutz Discord Account); and (iii) User ID 750491727025930364, with unique username wetworkmakeitain (the Wetwork Discord Account).

Most importantly, the Azurape Discord Account directly links MOUCKA to the @judische Telegram account that used the rapeflake tool to steal information from companies, as discussed above. For example, approximately 10 days after a security firm published a report about this hacking campaign, the Azurape Discord Account claimed ownership of the @judische Telegram account and subsequently sent a link to another Discord user to a public report from a computer security company about the Victim-1 hack, stating "you can extrapolate to whom this articles about [sic]." In addition to this May 2024 example, Azurape identified @judische as his Telegram moniker in February 2024 and April 2024 to other users in Discord chat messages.
Around late May 2024, the Azurape Discord Account stated that "all i can do is hack" and that "i had [a co-conspirator] post [Victim-4] sample sales threat and they instantly started to negotiate." Shortly thereafter, in mid-June 2024, MOUCKA used the Azurape Discord Account to ask a third party for "help decrypting [Victim-4] credit cards" in exchange for "2m." About two days later, the Azurape Discord Account said, "hopefully they do not find the code for rapeflake" because "its clear i wrote it."

Between December 2023 and February 2024, the Azurape Discord Account repeatedly communicated with Binns's Irdev Discord Account. In the Azurape Discord Account, MOUCKA's second online girlfriend called him "Connor" several times. He also pointed to his Telegram username, which cannot be easily changed, at least as early as February 2024:

[Screenshot of Discord chat messages; illegible in the scan.]

The Wetwork Discord Account links the Azurape and Nutz Discord Accounts. Specifically, the Wetwork Discord Account's user identifies the Azurape Discord Account as his main account. In response to a court order, Discord researched the Azurape Discord Account and the Wetwork Discord Account and linked them by cookie information, meaning that the same user account on the same computer accessed both accounts. The Wetwork Discord Account and the Nutz Discord Account also have significant IP overlap, including at least eight instances where both accounts were logged into from the same IP address within 10 minutes of each other. Moreover, non-content header information from Discord showed that the Wetwork Discord Account had communicated with the Irdev Discord Account, controlled by Binns, in the months preceding the computer intrusions under investigation.
Discord records also showed numerous connections between the Nutz Discord Account and the Azurape Discord Account, suggesting these accounts were under common control by MOUCKA, including:

(i) a common IP address was used to access both the Nutz Discord Account and the Azurape Discord Account on April 19, 2024, during the timeframe of the intrusion to Victim-2;
(ii) the Nutz Discord Account sent over 183 messages to, or that included, the Azurape Discord Account in early January 2024;
(iii) common IP addresses were used in November 2023 to access the Nutz Discord Account and a file-hosting account that was later used to host Victim-2's stolen data (in or around April 2024); and
(iv) Mullvad, a privacy-oriented virtual private network (VPN) provider that does not collect or maintain personal identifying information about its users and could be used to hide the identity and location of the person accessing this account, was used to access the Azurape Discord Account, the Nutz Discord Account, and other accounts of interest in the investigation, including the file-hosting account.

The Azurape Discord Account also claimed to control the moniker "ellyel8," which is a moniker that has been linked to @judische by the Telegram chats:

[Screenshot of Discord messages from the Azurape account dated 6/19/2024, largely illegible in the scan; the legible portion reads "tell the FBI agents that [redacted] my discord account and [redacted] my telegram account".]

The redaction in the above screenshot also shows that Azurape requested help decrypting credit cards obtained from Victim-4, whose name is redacted.

The FBI conducted analysis of IP address information obtained through legal process concerning the Azurape, Wetwork, and Nutz Discord Accounts. While many accounts used Mullvad VPN, the FBI identified various IP address overlaps connecting these accounts to other indicators associated with the computer intrusions.
For example, the stolen Victim-2 data was uploaded to a file-sharing service with an account registered using the email address ibizacarbombings[at]protonmail.com. The FBI analyzed IP logs from the ibizacarbombings[at]protonmail.com file-sharing account (the Ibiza File-Sharing Account) and the Nutz Discord Account and discovered that both were accessed from the same IP address within four minutes or less on two occasions, months before the intrusions occurred:

Account | IP Address | Date | Time
Nutz Discord Account | 198.44.140.172 | 12/31/2023 | 15:32:00
Nutz Discord Account | 198.44.140.172 | 12/31/2023 | 15:37:00
Ibiza File-Sharing Account | 198.44.140.172 | 12/31/2023 | 15:41:04
Nutz Discord Account | 198.44.140.172 | 12/31/2023 | 15:44:00
Nutz Discord Account | 198.44.140.172 | 12/31/2023 | 15:46:00
Ibiza File-Sharing Account | 198.44.140.172 | 12/31/2023 | 15:50:07
Nutz Discord Account | 198.44.140.172 | 12/31/2023 | 16:02:00

According to information obtained from Discord, in June 2024, MOUCKA, using the Azurape Discord Account, sent a message to another user with his monero address, apparently because the recipient had "leftover" monero. (Monero is an anonymity-enhanced cryptocurrency.) The monero address MOUCKA supplied is directly traceable to the ransom payment made by Victim-2; specifically, at least some of the bitcoin ransom paid by Victim-2 was converted into monero and sent to the same address MOUCKA provided in the Discord chat.

Linking the Intrusions to MOUCKA and Binns

U.S. authorities obtained screenshots of Telegram chat messages among three key individuals: (1) @judische, who labeled this account with other display names, including "ellyel8" and "catist," who has been identified as MOUCKA; (2) "Irdev," identified as co-conspirator John Erin Binns, a dual U.S.
and Turkish citizen residing in Turkey; and (3) Individual-1, who has negotiated with victim companies.

The Telegram chats obtained lawfully by the FBI include information that was not known to the public and was likely only known by those involved in the intrusions. For example, Binns and MOUCKA, using Telegram username @judische, labeled here with moniker "ellyel8," discussed breaching Victim-2's systems and obtaining tens of billions of customer records in chats dated April 24, 2024, before any public announcement of the intrusion into Victim-2.

[Screenshot of a Telegram chat dated 24 Apr 2024, partially legible in the scan, in which ellyel8 writes of having "potentially found another 25B for October 2022," being "20% done on the 25B," and "the 14B I keep exfiltrating," and asks whether "the current buyer" can "afford to keep buying these"; the remainder is illegible.]

Additionally, MOUCKA and Binns posted screenshots and samples of data belonging to Victim-2 and Victim-5 in the Telegram chats on April 29, 2024. Both Victim-2 and Victim-5 confirmed the samples were actual data stolen from their respective systems. MOUCKA discussed having breached other victims' computer systems, which the FBI subsequently confirmed had been breached; victims had not yet disclosed their breaches at the time of the Telegram messages.

MOUCKA's Apple Account Provides Evidence of His Identity, Location, and Criminal Activity

U.S.
authorities discovered an Apple account with email address nanddddwowdffgeaa[at]icloud.com, which Apple identified in response to a court order based on shared login IP addresses with MOUCKA's Nutz Discord Account. Apple produced records in response to legal process showing that the account (i) was accessed from IP address 24.246.30.67 (the Canadian IP Address) over 500 times between April 1, 2023, and August 20, 2024; (ii) had a residential address in Kitchener, Ontario, N2A 1X4, a phone number (280 2845735), and a machine ID of 2101216876af0172203830fecef532851517eo6; (iii) reflected numerous purchases using the Canadian IP Address between June 22 and July 8, 2024, including purchases of an iPhone 15 Pro, MacBook Air, and iPad Pro 1, all of which were billed to "Alexander Moucka" and shipped to [redacted] in Kitchener, Ontario, Canada ("Target Location"); and (iv) reflected payments on the account by an "Alexander Moucka" using both PayPal and Mastercard, some of which used the Canadian IP Address.

While the first name on the account details is "Dai" and the last name is "Dd," Apple provided iTunes Music Store information that indicates "Alexander Moucka" made iTunes purchases using his Apple account in October 2023 from the Canadian IP Address, and stated his address was the Target Location. According to the information from Apple, the Apple ID nnnnddédwwwalfgsa[at]icloud.com was created on February 25, 2020.

Additionally, U.S. authorities reviewed information stored in the Apple account's iCloud storage. iCloud is a file hosting, storage, and sharing service provided by Apple. Numerous photos in the Apple account's iCloud provide direct and circumstantial evidence of MOUCKA's involvement in the criminal activity and his location. For example, the iCloud account contains multiple photos of MOUCKA's Canadian passport, including this one with full name Connor Riley Moucka, passport num
