On Nov. 5, 2024, Bloomberg and 404 Media reported that Alexander “Connor” Moucka was detained Oct. 30, 2024, by Canadian authorities on a provisional arrest warrant by request of the U.S. Charges against Moucka have been released. He is alleged to be a threat actor who went by nicknames including @judische and ellyel8 and is suspected to have been behind the most prominent data breach event in 2024. The incident involved the compromise of login credentials for clients of Snowflake, a data warehousing and cloud infrastructure provider. The actor ellyel8 falls in the sphere of “Com,” or “TheCom,” which are terms used by threat actors themselves to describe online criminal communities that associate on cybercrime forums and messaging platforms including Telegram and Discord. The Com (believed to be the origins of well-known intrusion clusters such as Scattered Spider, Starfraud, 0ktapus, UNC3944, Scatter Swine and Muddled Libra), is associated with data breaches, ransomware, extortion, identity theft, cryptocurrency theft and at times real-world violence. Actors in these online communities use online platforms to coordinate attacks, sell stolen data, trade tools and techniques and engage in never-ending streams of misogynistic, racist and threatening banter. This post will examine ellyel8’s activity across these platforms, intrusions the actor claimed credit for and how enterprises can defend against Com-related tactics, techniques and procedures (TTPs).
The ellyel8 persona was registered on the Raid Forums cybercrime forum in June 2020. The actor initially offered leaked databases and credentials but was active on the forum for less than a month before being banned for allegedly scamming. The ellyel8 persona has been active on Telegram since December 2022 and demonstrated knowledge of actors and researchers engaged in Com investigations. The actor was a member of more than 25 Telegram channels and groups, authoring more than 1,400 posts from 2023 to 2024. The groups and channels are associated with adult content, leaked datasets, malware logs and subscriber identity module (SIM) card-swapping. On chat channels, ellyel8 made unverifiable claims of data breaches and intrusions and was often unable to provide proof to back up claims. This tendency, which is a common trait among underground threat actors, somewhat clouded the initial picture surrounding the Snowflake-related breaches. However, the actor appeared to be skilled in mounting attacks centered on the compromise of authentication credentials, allowing the actor entry into systems in search of high-value data stores for exfiltration. The actor has used many monikers, including zfa, catist, elly el8, elly-el8, waifu, noctulian, Laplanius$Support and lavrentiy_beria_1488. This list is not exhaustive.
The actor ellyel8 has been a key figure within Telegram channels and groups, including Star Sanctuary and Star Chat — also known as the Star Fraud Telegram group — which collectively is one of the biggest SIM-swapping communities operating on Telegram since August 2022. SIM swapping involves tricking telecommunications companies into transferring someone’s phone to a new SIM card or virtual SIM. Controlling a victim’s phone number gives attackers leverage, allowing them to receive multifactor authentication (MFA) codes and opening other avenues for account takeovers. This technique has often been used in thefts of cryptocurrency and enterprise intrusions. These Telegram groups are also associated with other types of underground activity, including caller services, checker services, other MFA bypass methods, phishing-as-a-service (PhaaS), access brokering, personal information lookup services, SMS spamming and violence. Two other suspected high-profile actors with the Star Sanctuary ecosystem, Noah Michael Urban (Sosa) and Tyler Buchanan (Tylerb), have been arrested.
Similar to other Com actors, ellyel8 frequently made racist and misogynistic comments and threatened information security professionals. Those comments, some made under other monikers linked to ellyel8 and zfa, have included calling for slitting the throat of a prominent information security company founder and for waterboarding a security researcher.
The most far-reaching data breach of 2024 was not a single breach but rather a string of breaches involving Snowflake. In May 2024, large organizations that used Snowflake began disclosing data breaches. However, Snowflake found no vulnerabilities in its systems. Incident response investigations conducted by Mandiant concluded the intrusions occurred following the theft of login credentials for the affected organizations’ Snowflake accounts by information-stealing malware, including Vidar, RisePro, Raccoon stealer, Lumma, RedLine and Meta (see blog post “RedLine and Meta: The Story of Two Disrupted Infostealers”). In some cases, those credential thefts occurred on work computers that had been used for gaming or software downloads, which often result in the inadvertent installation of malware. The credentials, some of which were collected by infostealers as far back as 2020, accessed accounts that did not have MFA enabled. Mandiant notified 165 organizations whose Snowflake accounts may have been unlawfully accessed. It is conceivable, however, considering Snowflake’s large customer base, that many more organizations may have been affected. Mandiant attributed the activity to the group UNC5537, which it determined was systematically compromising Snowflake customers, then mounting extortion attempts and selling the data on cybercrime forums. Mandiant attributed UNC5537 to individuals in North America who collaborated with another individual in Turkey whom this post will address later.
On May 2, 2024, the actor ellyel8 — using the @judische Telegram username — made the first Snowflake victim-related comment, claiming to have hacked Santander bank. Three weeks later, new threat actor personas appeared on cybercrime forums attempting to sell stolen data from large companies. On May 23, 2024, the actor whitewarlock posted an offer on the Exploit underground forum to sell a dataset allegedly exfiltrated from Santander. The actor claimed the compromised data impacted subsidiaries in Chile, Spain and Uruguay and sought 30 bitcoins (about US $2 million) for the information. A week later, the actor lowered the price to US $1 million.
On May 27, 2024, a new member of the Exploit cybercrime forum, the actor SpidermanData, offered to sell a dataset allegedly with 560 million user records purportedly exfiltrated from Live Nation Entertainment Inc. and the Ticketmaster Entertainment LLC subsidiary. The actor claimed the leaked data included email addresses, full names, partial payment card data, residential addresses, phone numbers and ticket order information for customers. The total volume of exfiltrated data allegedly was 1.3 TB. The actor sought US $500,000 for the dataset and claimed to be ready to conduct a transaction via an escrow provider.
[Image: Spidermandata - An advertisement on the Exploit cybercrime forum on May 27, 2024, for data stolen from Ticketmaster and Live Nation.]
Another moniker, Sp1d3r, was registered on the BreachForums cybercrime forum, which also offered to sell information from intrusions linked to ellyel8. Additionally, the actor ShinyHunters posted an advertisement for the Ticketmaster data.
[Image: Shinyhuntersadvert - An advertisement on BreachForums on May 28, 2024, for data stolen from Ticketmaster and Live Nation.]
On June 5, 2024, sp1d3r offered to sell a 3 TB dataset, which allegedly included personal data for 380 million customers, data from 44 million loyalty cards, sales history and employee personal data exfiltrated from the North Carolina, U.S.-based automotive aftermarket retailer Advance Auto Parts Inc. The actor sought US $1.5 million for the dataset and claimed to be ready to conduct a transaction via the forum’s escrow service. A sample was provided as proof of the claim.
As all of this stolen data appeared on cybercrime forums, in the background were ongoing extortion attempts aimed at coaxing victims into paying ransoms for data to be deleted. These negotiations did not appear to be occurring directly between ellyel8 and those affected but instead in part via a cyber threat intelligence researcher going by the moniker Reddington. Reddington offered a negotiation service, acting as a go-between for attackers and victims. This arrangement surfaced publicly in a 404 Media story Sept. 20, 2024.
In some cases, it appears that intrusion victims were successfully extorted. On July 12, 2024, the Texas, U.S.-based telecommunications company AT&T Inc. disclosed a data leak of phone and text records of "nearly all" of its customers. In a press statement and in a Form 8-K filing with U.S. authorities, AT&T revealed the “customer data was illegally downloaded from [a] third-party cloud platform” between April 14, 2024, and April 25, 2024. Not long before AT&T’s given time span for the breach, ellyel8 — posting under yet another alias, Gelöschtes Konto — claimed April 3, 2024, to have compromised AT&T (see image below).
[Image: Ihackedatt]
Wired reported July 14, 2024, that based on blockchain data and comments from the actor Reddington, a bitcoin ransom of about US $370,000 was paid to have the data deleted.
The actor ellyel8 is believed to have conducted most of the Snowflake-related intrusions alone save for one partner: the actor John Erin Binns aka IRDEV, IntelSecrets, V0rtex, SubVirt. Binns, a U.S. citizen, was arrested in May 2024 in Turkey. Binns was indicted in the U.S. in March 2022 for allegedly breaching the systems of T-Mobile in 2021, exposing data on 48 million subscribers and then trying to sell it on. The indictment, which is under seal, surfaced in the media, and a related court document not under seal was published. The U.S. continues to seek Binns’ extradition.
By early September 2024, ellyel8 appeared to be under increasing pressure, indicating a belief that arrest may be imminent and had a plan to cease criminal activity. The actor claimed to have an inventory of stolen data that encompassed undisclosed managed service providers (MSPs) and telecommunications companies. The actor deactivated some related Telegram accounts in an apparent effort to be less visible.
The Snowflake intrusions highlighted how the pervasiveness of infostealer malware can lead to significant supply chain breaches. Numerous marketplaces and other sources such as Telegram allow attackers to easily purchase login credentials for specific companies and services that have been collected by infostealers. The distribution of infostealers is constant and relentless, as malware distributors disguise infostealers as benign files, software and games. The lack of MFA on the Snowflake accounts allowed these attackers to immediately capitalize on those credentials, successfully extorting some organizations.
These attacks were not sophisticated, but rather represented a highly opportunistic use of cybercrime-as-a-service data available in underground markets and weak identity and access management (IAM) controls. It proved to have a devastating effect on dozens upon dozens of organizations and ultimately, on individuals whose sensitive information was exposed. While awareness of the need to employ MFA on accounts that have access to highly sensitive data is wide, organizations should audit their IAM systems to ensure the security controls are commensurate with the threat environment. These threat actors run highly targeted phishing campaigns often in combination with social engineering to gain access credentials, reset MFA tokens and ultimately gain footholds into organizations to steal valuable data. At the end of this post are recommendations for strengthening defenses against phishing, social engineering and account takeover attempts.
The arrest of this particular actor adds to several others made so far in 2024 in the sphere of Com. However, these dispersed groups of threat actors are very large, collectively comprising as many as 1,000 individuals. Law enforcement investigations continue, but are intensive, long-running and difficult. More broadly, Com-related activity continues at a steady pace. In one example, Intel 471 has monitored a campaign since August 2024 run by a likely Com intrusion cluster that targets reseller stores of large U.S. telecommunications providers. The campaign is primarily aimed at harvesting employees' login credentials and MFA codes, which enables attackers to gain unauthorized access to the victim’s professional resources, which could be used for SIM swapping and looking up personal information. From Aug. 13, 2024, to Oct. 9, 2024, we identified 41 new phishing sites potentially linked to the intrusion cluster.
These sites were sometimes only live for short periods that ranged from 30 minutes to 1 1/2 hours. These short time periods capitalize on the window of opportunity before a site is flagged by anti-phishing blacklists as well as thwart security researcher analysis. When a phishing site goes live, actors quickly call retail employees using Google Voice accounts and try to get them to visit and enter credentials. If entered, the credentials are sent to a group chat via a Telegram bot. While one engages the victim on the call, another quickly inputs the stolen credentials and MFA codes into the actual service website. Despite possessing substantial resources to target company employees, the group's attacks often fail due to victims recognizing irregularities. This may indicate increased awareness among employees in the telecommunications sector regarding phishing attacks. Nevertheless, the group persists, which suggests it still perceives benefits in targeting company employees.
This report uses the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework. The actor’s ellyel8’s TTPs include:
Intel 471’s HUNTER471 platform has a collection of detection packages that have been specifically put together to help organizations detect in their security information and event management (SIEM) platforms or other logging systems as well as prevent infostealers such as the ones used related to the Snowflake incident. Register for the Community Edition of HUNTER471 to get access to free threat hunt packages and visibility into other ones that could help your organization. The image below contains a small sampling of the infostealer threat hunting packages in HUNTER471.
[Image: Snowflakethreathunt]
Phishing is one of the most common attack vectors Com-related cybercriminals use. Common mitigation strategies organizations can implement according to the MITRE Detection, Denial and Disruption Framework Empowering Network Defense (D3FEND) knowledge graph of cybersecurity measures include:
Harden
Detect
Prevent
In August 2025, two anonymous researchers released 9 GB of data from a workstation of a likely advanced persistent threat (APT) group. Here’s an analysis of the data by Intel 471’s Cyber Geopolitical Risk team.
Initial access brokers (IABs) sell access to compromised organizations on underground forums. Here's an analysis looking at whether these offers can be correlated to ransomware attacks.
In this Studio 471, Jacob Larsen discusses the effects of doxing, how sites like Doxbin take advantage of legal loopholes and how to defend against being doxed.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.