Alleged Canadian hacker unmasked after threatening cybersecurity researcher

CTV News

a day ago

When an alleged hacker known as 'Waifu' violently threatened her online, cybersecurity researcher Allison Nixon set out to unmask them.
Now Connor Riley Moucka, a 25 year old from Kitchener, Ont., is being held in Canada as he awaits extradition to the U.S. to face multiple criminal charges. U.S. authorities accuse Moucka and his accomplices of hacking into at least 10 organizations and stealing troves of sensitive records like payroll and banking information. By holding stolen data for ransom, they allegedly extorted US$2.5 million in Bitcoin from three of their victims.
'I was not working on him until he started posting threats about me,' Nixon told CTVNews.ca from New York City.
Nixon is the chief research officer and co-owner of Unit 221B, a U.S. cybersecurity firm named after Sherlock Holmes' apartment. Like the fictional detective, Nixon and her colleagues investigate cybercrimes and expose culprits.
'I've seen cybercriminals cause their own downfall,' Nixon, a dual Canadian-U.S. citizen, said. 'But this is probably the most ridiculous instance of it.'
'He couldn't stop threatening people'
In 2024, hiding behind pseudonyms like 'Waifu,' Moucka purportedly used Telegram group chats to boast of his alleged crimes and threaten Nixon and her company. Nixon believes Moucka was trying to get her attention to find out what Unit221B knew about him – which she admits wasn't much at the time. Those threats, however, quickly made him a target for Unit221B and would be a crucial misstep in his undoing.
'He was drawing attention to himself and causing more people to work on his case and causing his case to become the higher priority,' Nixon said. 'He couldn't stop threatening people that weren't initially working on his case.'
Nixon adds that threatening investigators 'is a really great way to get prioritized.'
Working with Unit221B colleagues and partners like Mandiant, a cybersecurity company and subsidiary for Google, it took several months of labour-intensive digital sleuthing to reveal Moucka's identity, which was passed on to law enforcement.
Nixon would not disclose exactly how Moucka was identified.
'I know that these threat actors try to learn intel collection methods so that they can try to protect their anonymity, so they can continue doing crimes,' she said. 'So I don't want to publicly discuss the details, because I want to continue using the same techniques again against these guys.'
'One of the biggest cybersecurity breaches'
Moucka was arrested at his grandfather's house in Kitchener in October 2024 following a request from U.S. authorities. In March, he agreed to be extradited to the U.S., where he faces 20 federal charges, including several counts of conspiracy, computer fraud, wire fraud, extortion and aggravated identity theft.
According to a U.S. indictment, Moucka and accomplices accessed personal records belonging to millions of people, including financial information, passport details and social security numbers.
The indictment alleged their goal was 'to enrich themselves by: (a) accessing computers without authorization; (b) stealing sensitive personal identifying, financial, and other valuable information from those computers; (c) threatening to leak the stolen data unless the victims paid ransoms; and (d) offering to sell the stolen data online to other criminals.'
While specific companies are not mentioned in court documents, the details largely match the massive 'Snowflake' hack from 2024, which targeted users of a cloud-based storage platform. Companies that used Snowflake and were affected by the breach include AT&T, Live Nation, Ticketmaster, Advance Auto Parts and Pure Storage, many of which had Canadian customers.
'It is certainly one of the biggest cybersecurity breaches that we've had in history,' David Jao, a mathematics professor and member of the University of Waterloo's Cybersecurity and Privacy Institute, told CTV News Kitchener last November. 'The case is not over, there are still other criminals that are out there that have not been caught yet.'
Court documents also link Moucka to the case against Cameron John Wagenius, a U.S. Army soldier accused of selling hacked AT&T data, including call records allegedly belonging to Donald Trump and Kamala Harris. Wagenius reportedly plead guilty earlier this year.
Nixon says Moucka knew he would eventually be arrested, so he prepared what she refers to as 'insurance policies.'
'He gave packages of money and files to various contacts of his,' she said. 'One of these involved a package of sensitive call details belonging to the former vice-president, Kamala Harris, and the current president, Donald Trump, and multiple members of the Trump family.'
'Money-making schemes and violence'
Moucka, Wagenius and other alleged accomplices are reportedly members of 'The Com' hacking community, which is predominantly comprised of young men from English-speaking countries like the U.K., the U.S. and Canada. According to cyberthreat intelligence firm Intel471, individuals and groups within 'The Com' have engaged 'in cybercriminal activities such as subscriber identity module (SIM) swapping, cryptocurrency theft, commissioning real-life violence, swatting and corporate intrusions.'
Nixon says 'The Com' shares many traits with 'pre-internet teenage street gangs.'
'Teenagers with nothing better to do, rough home life, they meet each other, they congregate, they form a critical mass and they perpetrate money-making schemes and violence, and they're a negative impact on their local communities, right?' she said. ''The Com' is the same phenomenon, but playing out on the internet.'
As he awaits extradition, Moucka was reportedly being held at the Maplehurst Correctional Centre in Milton, Ont. According to Canada's Department of Justice, 'the matter has now proceeded to the Ministerial phase of the process.'
The case is expected to be heard at a federal court in Seattle.
Moucka's lawyer did not respond to a request for comment. The charges against Moucka have not been proven in court.
'All this terrible stuff that I'm telling you about, I actually really enjoy investigating it,' Nixon said. 'It's like a puzzle every single time – and I love puzzles.'
With files from Reuters and CTV News Kitchener's Krista Simpson