The U.S. government has charged Connor Moucka and John Binns as the individuals responsible for the cyber intrusion into AT&T’s systems, which resulted in the theft of approximately 50 billion records related to customer calls and text messages.
In July, AT&T reported that hackers had compromised the phone records of “nearly all” its cellular and landline customers, including details of calls and text messages—specifically, the identities of the parties involved—though the actual content of the messages remained secure. At that time, AT&T indicated it would inform around 110 million customers about the breach, which involved records taken from its systems hosted on Snowflake, a cloud service provider specializing in data analysis.
Prior to the indictment issued by the Department of Justice against the two alleged hackers on Sunday, the total number of compromised AT&T customer records had not been disclosed.
The indictment does not explicitly name AT&T; instead, it refers to “Victim-2,” characterizing it as “a major telecommunications company located in the United States,” which experienced a breach around April 14. AT&T had previously acknowledged the breach, stating it became aware of the incident on April 19. This alignment in the description of Victim-2 and the timeline of the breach strongly suggests that Victim-2 is indeed AT&T. AT&T has not provided a response to requests for comment, and DOJ spokesperson Emily Langlie also declined to offer any remarks.
According to the indictment, Moucka and Binns allegedly accessed billions of sensitive customer records and successfully extorted at least three victims, obtaining a total of 36 bitcoin (approximately $2.5 million at the time of payment) over nearly a year, from November 2023 to October 10 of this year. Prosecutors have identified Moucka, a resident of Canada, by several online aliases including “judische,” “catist,” “waif,” and “cllyels.” Binns, who resided in Turkey, was known as “irdev” and “j_irdev1337.” Moucka was apprehended in Canada last week, while Binns had previously been arrested in Turkey, as reported by 404 Media.
In August, Binns claimed responsibility for the AT&T breach in an interview with The Wall Street Journal. Moucka, using the alias “Judische,” expressed to 404 Media his belief that his arrest was imminent.
AT&T is among several victims whose sensitive data was compromised from their Snowflake instances. In recent months, hackers have also infiltrated Santander Bank, Ticketmaster, and approximately 165 other corporate clients, all of whom utilize Snowflake services.
Prosecutors contend that by breaching the victim companies’ Snowflake instances, the hackers acquired vast amounts of sensitive personal and corporate information, including Social Security numbers, driver’s license numbers, passport numbers, and banking details, categorizing these breaches as some of the most severe cyberattacks of the year. In certain instances, the hackers demanded ransom from victims, threatening to leak the stolen data, a threat they occasionally acted upon.
Wired previously reported that AT&T paid a hacker $370,000 in an effort to have the stolen records deleted. The indictment also states that Victim-2 made a ransom payment to the hackers.