A Massachusetts man who previously pleaded guilty to a cyberattack on PowerSchool, exposing data on tens of millions of students and teachers, was sentenced to four years in prison Tuesday — half the amount federal prosecutors sought in sentencing recommendations submitted to the court.

Matthew Lane, 20, stole data from PowerSchool belonging to nearly 70 million students and teachers, extorted the California-based company for a ransom, which it paid, causing the education software vendor more than $14 million in financial losses, according to prosecutors.

U.S. District Judge Margaret Guzman sentenced Lane to four years in prison, followed by three years of supervised release. Lane was also ordered to pay almost $14.1 million in restitution and a $25,000 fine for crimes involving the attack on PowerSchool and an undisclosed U.S. telecommunications company.

Federal prosecutors were seeking a sentence of eight years for Lane, arguing that the crimes he pleaded guilty to follow a series of cybercriminal activity dating back to 2021. “The government has serious concerns that Lane poses an ongoing threat to the community and remains in denial about the scope of his criminal activity,” prosecutors said in a sentencing memo filed Oct. 7 in the U.S. District Court for the District of Massachusetts. 

Prosecutors cited multiple examples of other cybercriminals who committed and were convicted of less serious crimes. In those cases, the lighter sentences cybercriminals received did not sufficiently deter them from reengaging in cybercrime upon their release from jail. Lane’s attack on PowerSchool put 10 million teachers and 60 million children, some as young as five years old, at risk of identity theft for the remainder of their lives, prosecutors said. 

The PowerSchool attack, which Lane committed in September 2024 by using a PowerSchool contractor’s credentials to gain unauthorized access, is reportedly the single largest breach of American schoolchildren’s data on record. Lane threatened to release the data in December 2024 if PowerSchool didn’t pay a ransom valued at nearly $2.9 million at the time.

Multiple school district customers of PowerSchool received follow-on extortion demands linked to the stolen same data, the company said in May. The downstream extortion attempts underscore how cybercriminals, affiliated or not, will continue to exploit sensitive data for financial gain.

Lane forfeited almost $161,000 traced to his crimes, but about $3 million in illicit proceeds remains unaccounted for, according to court documents. “The money he returned is barely one percent of the financial loss he caused,” prosecutors said in the court filing.

Lane is required to surrender to the Federal Bureau of Prisons by Dec. 1.

The post PowerSchool hacker sentenced to 4 years in prison appeared first on CyberScoop.

Salesforce says the extortion attempts are related to past or unsubstantiated incidents, and not to fresh intrusions.

The post Hackers Extorting Salesforce After Stealing Data From Dozens of Customers appeared first on SecurityWeek.

The software giant’s investigation showed that vulnerabilities patched in July 2025 may be involved.

The post Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks appeared first on SecurityWeek.

Emails sent to Oracle customers by members of the Clop ransomware group assert that the cybercriminals are solely interested in a financial payout, framing the extortion as a business transaction rather than a politically motivated attack.  

The extortion emails were sent to executives of alleged victim organizations earlier this week, with attackers claiming they would provide victims copies of any three files or data rows upon request to verify their organization’s data was stolen. 

“But, don’t worry,” the attackers wrote in an extortion email, which CyberScoop obtained a copy of Thursday. “You can always save your data for payment. We do not seek political power or care about any business.”

Broken English and poor spelling appears throughout the email. The sender begins the message by introducing themselves as “CL0P team” and encourages the recipient to search for information about Clop on the internet if they haven’t heard of the highly prolific threat group.  

The extortion email is designed to achieve several goals: intimidate recipients, apply a deadline to create urgency, show proof of compromise and provide contact info to negotiate an extortion payment.  

“We always fulfil all promises and obligations,” the email said. “We are not interested in destroying your business. We want to take the money and you not hear from us again.”

Clop hasn’t made the claims public through its leak site. Researchers have yet to verify if a breach occurred or if the threat group is behind the attacks, yet the contact info in the emails has been previously used by the group.

Oracle on Thursday confirmed it’s aware some Oracle E-Business Suite customers have received extortion emails.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” Rob Duhart, chief security officer at Oracle Security, said in a blog post.

Oracle did not say which vulnerabilities are under active exploitation, nor did it confirm if its customers’ data was stolen. The July security update included 309 patches, including nine that addressed defects in Oracle E-Business Suite. 

The vendor, at the time, said three of the Oracle E-Business Suite vulnerabilities, all of which it designated as medium-severity, can be remotely exploited without authentication. Three additional Oracle E-Business Suite vulnerabilities addressed in July were designated high severity. 

The company has not responded to multiple requests for comment. 

The emails were sent from hundreds of compromised third-party accounts beginning on or before Monday, researchers said.

“The compromised accounts belong to various, unrelated organizations,” Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop. “This is a common tactic where threat actors acquire credentials for legitimate accounts, often from infostealer malware logs sold on underground forums, to add a layer of legitimacy to their campaigns and help bypass spam filters.”

In the email obtained by CyberScoop, the sender claims to have carefully examined the data they allegedly stole, warning “that estimated financial losses, harm to reputation and regulatory fines are likely to materially exceed the amount claimed.” 

This tactic has appeared in previous extortion attacks wherein hackers mention accompanying effects of a compromise, such as legal penalties, as a reason to pay the ransom.

The extortion email ends with a threatening call to action, claiming the clock is ticking and data will be published in a few days. 

“Please convey this information to your executive and managers as soon as possible,” the attackers said in the email. “We advice not reach point of no return.”

The full text of the email is below:

Dearest executive,

We are CL0P team. If you haven’t heard about us, you can google about us on internet.

We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems.

But, don’t worry. You can always save your data for payment. We do not seek political power or care about any business.

So, your only option to protect your business reputation is to discuss conditions and pay claimed sum. In case you refuse, you will lose all abovementioned data: some of it will be sold to the black actors, the rest will be published on our blog and shared on torrent trackers.

We always fulfil all promises and obligations.

We have carefully examined the data we got. And, regrettably for your company, this analysis shows that estimated financial losses, harm to reputation , and regulatory fines are likely to materially exceed the amount claimed.

Lower you see our contact email addresses:

[REDACTED]

[REDACTED]

As evidence, we can show any 3 files you ask or data row.

We are also ready to continue discussing the next steps after you confirm that you are a legitimate representative of the company.

We are not interested in destroying your business. We want to take the money and you not hear from us again.

Time is ticking on clock and in few days if no payment we publish and close chat.

Please convey this information to your executive and managers as soon as possible.

After a successful transaction and receipt of payment we promise

1) technical advice

2) We will never publish you data

3) Everything we download will be delete w/proof

4) Nothing will ever disclose

Decide soon and recall that no response result in blog posting. Name is first and soon data after. We advice not reach point of no return.

KR CL0P

Update: 10/02/25, 5:30 p.m: This story has been updated with information about Oracle’s alert.

The post Here is the email Clop attackers sent to Oracle customers appeared first on CyberScoop.

Attackers appearing to be aligned with the Clop ransomware group have sent emails to Oracle customers seeking extortion payments, claiming they stole data from the tech giant’s E-Business Suite, according to researchers who spoke with CyberScoop. 

Researchers haven’t confirmed the veracity of Clop’s claimed data theft, but multiple investigations into Oracle environments belonging to organizations that received the emails are underway.

“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts,” Mandiant Consulting CTO Charles Carmakal told CyberScoop. “The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site,” he added.

Clop hasn’t made the claims public through its leak sites.

Oracle on Thursday confirmed it’s aware some Oracle E-Business Suite customers have received extortion emails.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” Rob Duhart, chief security officer at Oracle Security, said in a blog post.

Oracle did not say which vulnerabilities are under active exploitation, nor did it confirm if its customers’ data was stolen. The July security update included 309 patches, including nine that addressed defects in Oracle E-Business Suite. 

The vendor, at the time, said three of the Oracle E-Business Suite vulnerabilities, all of which it designated as medium-severity, can be remotely exploited without authentication. Three additional Oracle E-Business Suite vulnerabilities addressed in July were designated high severity. 

The company has not responded to multiple requests for comment. 

The extortion activity involves targeted emails sent to company executives from hundreds of compromised third-party accounts beginning on or before Sept. 29, according to Genevieve Stark, head of cybercrime and information operations intelligence analysis at Google Threat Intelligence Group.

“It is not yet clear whether the threat actor’s claims are credible, and if so, how they obtained access,” Stark told CyberScoop.

While the tactics and contact email addresses align with Clop, researchers have yet to verify if the financially-motivated group is behind the attacks.

Clop is a highly prolific and notorious ransomware group that has successfully intruded multiple technology vendors’ systems, allowing it to steal data on many downstream customers. 

The financially motivated threat group specializes in exploiting vulnerabilities in file-transfer services to conduct large-scale attacks. Clop achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The extortion emails originate from hundreds of compromised third-party accounts at various legitimate websites, and not from one specific vendor, said Austin Larsen, principal analyst at GTIG. “The claim within those emails is that they have stolen data from the Oracle E-Business Suite of the targeted organizations,” he added. 

The emails observed by researchers don’t contain a specific demand, but pressure victims to contact the threat group to start negotiations.  

“The primary indicators of this new campaign are the extortion emails themselves and the use of email addresses associated with the Clop data leak site,” Stark said. “At this time, we do not have evidence of a successful data breach or a specific malware family associated with this particular campaign.”

Investigators are working through the night to confirm if and how attackers gained access to Oracle’s E-Business Suite and the extent to which Oracle customers may be impacted.

Update: 10/02/25, 5:30 p.m.: This story has been updated with information about Oracle’s security alert.

The post Oracle customers being bombarded with emails claiming widespread data theft appeared first on CyberScoop.

Authorities arrested 260 cybercrime suspects during a two-week operation spanning 14 African countries, Interpol announced Friday. The globally coordinated summertime crackdown dubbed “Operation Contender 3.0” targeted criminal networks that facilitated romance scams and sextortion, officials said. 

Interpol said total losses attributed to the scam syndicates amounted to about $2.8 million, involving almost 1,500 victims. Authorities seized USB drives, SIM cards, forged documents and dismantled 81 cybercrime infrastructure networks across the continent.

“Cybercrime units across Africa are reporting a sharp rise in digital-enabled crimes such as sextortion and romance scams,” Cyril Gout, acting executive director of police services at Interpol, said in a statement. “The growth of online platforms has opened new opportunities for criminal networks to exploit victims, causing both financial loss and psychological harm.”

Authorities in Ghana arrested 68 people, seized 835 devices and identified 108 victims who lost a combined $450,000, $70,000 of which was recovered. The suspects allegedly used fake profiles, forged identities and stolen images to deceive victims using multiple schemes, including fake courier and customs shipment fees, and sextortion for blackmail.

Police in Senegal arrested 22 suspects who allegedly defrauded 120 victims on social media and dating platforms of about $34,000 combined. 

In Cote d’Ivoire, police arrested 24 suspects and identified 809 victims who were allegedly manipulated to share intimate images before they were blackmailed. Angola authorities arrested eight people for allegedly scamming 28 domestic and international victims via social media. 

Group-IB and Trend Micro assisted in the investigation, and other countries participating in the effort included Benin, Burkina Faso, Gambia, Guinea, Kenya, Nigeria, Rwanda, South Africa, Uganda and Zambia.

“By working closely with our member countries and private sector partners, we remain committed to disrupting and dismantling the groups that prey on vulnerable individuals online,” Gout said.

Operation Contender 3.0 occurred, in part, during a much larger Interpol cybercrime crackdown in Africa that resulted in the arrest of 1,209 alleged cybercriminals. Authorities said financial losses attributed to cybercrime rings disrupted during Operation Serengeti 2.0 neared $485 million from almost 88,000 victims.

The post Interpol operation disrupts romance scam and sextortion networks in Africa appeared first on CyberScoop.

A teenage boy suspected of participating in cyberattacks on multiple Las Vegas casinos in late 2023 was arrested last week. The Las Vegas Metropolitan Police Department said the minor turned himself in Wednesday at the Clark County Juvenile Detention Center, where he was booked on multiple charges. 

The suspect, who is unnamed because he’s a minor, is charged with extortion, conspiracy to commit extortion, unlawful acts regarding computers and three counts of obtaining and using personally identifiable information to harm or impersonate another person.

Authorities did not describe the teenager’s alleged involvement in the cyberattacks, but they specifically linked the boy to the high-profile casino attacks attributed to Scattered Spider, which included devastating attacks on MGM Resorts International and Caesars Entertainment between August and October 2023.

The attacks brought multiple casino properties owned by MGM Resorts International to a standstill, resulting in $100 million in lost revenue and $10 million in one-time expenses related to response and recovery, the company said in a regulatory filing. Caesars reportedly paid a $15 million extortion demand at the time, which it alluded to in a regulatory filing. 

The minor suspected of participating in these attacks surrendered himself to authorities one day after two teenagers — Thalha Jubair, 19, of London, and Owen Flowers, 18, of Walsall, England — were arrested in the United Kingdom for their alleged involvement in many attacks attributed to Scattered Spider. 

Scattered Spider, an unbound cybercrime collective composed of young, native English-speaking people, is responsible for at least 120 cyberattacks since 2022, according to officials. Threat researchers pin many high-profile cyberattacks to the cunning threat group, including a more recent spree of attacks on Marks & Spender in the United Kingdom, United Natural Foods, WestJet and Hawaiian Airlines. 

The nebulous offshoot of The Com is notorious for using social engineering and phishing to break into critical infrastructure and business networks. Researchers said multiple people are typically involved in these attacks, providing specific technical, social engineering and extortion skills to accomplish their objectives.

The Justice Department last week said Scattered Spider was responsible for extortion attacks on 47 U.S.-based organizations from May 2022 to September 2025, adding that victims of those attacks paid at least $115 million in ransom payments.

Cybercrime experts are unsure about the identity of the teenager arrested in Las Vegas or the specific crimes he allegedly committed. “I wasn’t previously aware of a local [resident] that assisted with that hack,” Allison Nixon, chief research officer at Unit 221B, told CyberScoop.

“It is within the typical [modus operandi] of that group to recruit local people that can provide physical assistance for a hack,” she added. 

Zach Edwards, senior threat analyst at Silent Push, said it’s possible the minor “felt that they were in significant risk of being outed by someone else who was arrested, and maybe just wanted to preempt the arrest so it would be easier on their family and maybe lead to leniency in the eyes of the court.”

Officials said Las Vegas detectives working with the FBI’s Las Vegas Cyber Task Force identified the teenage boy as a suspect during their investigation into the casino attacks. Local police have not shared additional information about the case, and the FBI declined to provide further comment.

Las Vegas police said the Clark County District Attorney’s Office is seeking to transfer the juvenile to the criminal division to try him as an adult for his alleged crimes.

The post Las Vegas police arrest minor accused of high-profile 2023 casino attacks appeared first on CyberScoop.

The FBI released a trove of research on The Com last week, warning that the sprawling cybercriminal network of minors and young adults is growing rapidly and splintering into three primary subsets described by officials as Hacker Com, In Real Life Com and Extortion Com.

The warnings lay out how The Com’s thousands of members, typically between 11 and 25 years old, pose a rising threat, especially to youth online, the FBI said. Criminal acts committed by these multiple, interconnected networks include swatting, extortion and sextortion of minors, production and distribution of child sexual abuse material, violent crime and various other cybercrimes, the bureau said.

“The motivations behind the criminal activity vary, but often fall within one of the following: financial gain, retaliation, ideology, sexual gratification and notoriety,” the FBI said in a public service announcement.

Crimes attributed to members of The Com have grown increasingly complex, with perpetrators going to great lengths to mask identities, hide financial transactions and launder money. The Com generally targets young and impressionable people for recruitment on gaming sites and social media platforms to indoctrinate them into their ideology, officials said.

Various subsections of this group have been linked to high-profile crimes over the past few years. In April, two men accused of leading a Com offshoot known as “764” were charged with operating an international child exploitation enterprise. Scattered Spider, another offshoot, tends to focus on cybercrime like ransomware and data extortion. 

Allison Nixon, chief research officer at Unit 221B, commended the level of detail the FBI shared across the series of PSAs, noting that the agency left nothing of importance out of its warnings. Nixon has studied domestic and English-speaking cybercrime and tracked its rise for more than a decade.

“The assessments in this PSA are consistent with what we have seen. There has been a population explosion in The Com and it is good to see law enforcement respond to this — not just with a PSA but with real crackdowns,” she said.

“Hopefully this PSA helps the public understand that many cybercrime arrests nowadays implicate gang violence and sexual crime against children, by children.”

Hacker Com

Hacker Com members are involved in a vast array of cybercrime activities, including distributed denial-of-service attacks, personally identifiable information theft, the sale of government email accounts, ransomware attacks, phishing, malware development and deployment, cryptocurrency theft, intrusions and SIM swapping, according to the FBI.

Scattered Spider, which is responsible for attacks on more than 100 businesses since 2022, is included in this subset.

This subset of The Com uses remote access trojans, phishing kits, voice over internet protocol providers, voice modulators, virtual private networks, cryptocurrency cash-out services, live-streaming services and encrypted email domains, officials said.

“Open-source information indicates Hacker Com groups are responsible for high-profile attacks and intrusions and have affiliations with ransomware organizations,” the FBI said in a PSA dedicated solely to Hacker Com.

The group also has been observed using the same attack methods against each other. The FBI warning details how internal conflicts are common among members of The Com. Personal disputes or rivalries — often over cryptocurrency — frequently lead Hacker Com members to attack and steal from one another, the FBI said.

In Real Life (IRL) Com

Some Com subgroups have gone beyond digital means, offering swat-for-hire services and targeting members for swatting and doxxing, kidnapping and physical extortion, which the FBI refers to as “IRL Com.” 

“The intensification of these online conflicts has resulted in the emergence of a new layer of The Com known as In Real Life (IRL) Com, which includes subgroups that aim to facilitate real world acts of violence, oftentimes resulting from online conflicts,” the FBI said.

Acts of physical violence have intensified and expanded to other layers of The Com, as multiple subgroups adopt similar methods of retaliation, the FBI said in a PSA dedicated solely to IRL Com. Some subgroups advertise contracts on messaging apps or other social media networks to commit violence or swatting for payment. 

“IRL Com groups also see swatting as a way of gaining credibility among members; the more attention a swatting incident gets, the more attention the member receives from the group,” the FBI said. “Leaders from IRL Com groups may use swatting to ensure members of the group remain obedient. When members of the IRL Com group disobey orders or refuse to comply with demands, the member or the member’s family may become the target of swatting.”

Extortion Com

The FBI also released a PSA about a subgroup it calls “Extortion Com,” which “systematically targets underage females” and vulnerable populations, including children and those who struggle with mental health issues.

“Victims are typically between the ages of 10 and 17 years old, but the FBI has seen some victims as young as 9 years old,” the FBI said in its PSA. “Threat actors often groom their victims by first establishing a trusting or romantic relationship before eventually manipulating and coercing them into engaging in escalating harmful behavior designed to shame and isolate them.”

Officials said these acts are driven by a range of personal motives, including the pursuit of social status, sexual gratification or a sense of belonging. 

The FBI warns that members of this subgroup manipulate or coerce their victims to produce pornographic material or other videos depicting animal cruelty and self-harm, oftentimes further threatening to share the material with victims’ families, friends or other public communities on the internet.

Two alleged leaders of the child sextortion group 764 were arrested and charged for directing and distributing CSAM in April. The two men, Leonidas Varagiannis and Prasan Nepal, are accused of exploiting at least eight minor victims, some as young as 13 years old, and face charges that carry a maximum penalty of life in prison.

Officials advised people to look for warning signs that a victim may be targeted by The Com and shared resources for help, including the National Center for Missing and Exploited Children’s CyberTipline and Take It Down service. Victims are encouraged to retain all information about an incident and immediately report to the FBI’s Internet Crime Complaint Center and an FBI Field Office.

The post FBI alerts tie together threats of cybercrime, physical violence from The Com appeared first on CyberScoop.

An Armenian national is in federal custody and faces charges stemming from their alleged involvement in a spree of attacks in 2019 and 2020 involving Ryuk ransomware, the Justice Department said Wednesday.

Karen Serobovich Vardanyan, 33, was extradited from Ukraine to the United States on June 18 and pleaded not guilty to the charges in his first appearance in federal court June 20. Vardanyan is awaiting a seven-day jury trial scheduled to begin Aug. 26.

Prosecutors charged Vardanyan with conspiracy, fraud in connection with computers and extortion in connection with computers. He faces a maximum of five years in federal prison and a fine of $250,000 for each charge.

Vardanyan and his co-conspirators — a pair of 53-year-old Ukrainian nationals, Oleg Nikolayevich Lyulyava and Andrii Leonydovich Prykhodchenko, and 45-year-old Armenian national Levon Georgiyovych Avetisyan — are accused of illegally accessing computer networks to deploy Ryuk ransomware on hundreds of compromised servers and workstations between March 2019 and September 2020.

Avetisyan is awaiting a U.S. extradition request in France, while Lyulyava and Prykhodchenko remain at large. 

Ryuk ransomware was prevalent in 2019 and 2020, infecting thousands of victims globally across the private sector, state and local municipalities, local school districts and critical infrastructure, according to authorities. This includes a wave of attacks on U.S. hospitals and a technology company based in Oregon, where federal prosecutors are trying their case against Vardanyan. 

Victims of Ryuk ransomware attacks include Hollywood Presbyterian Medical Center, Universal Health Services, Electronic Warfare Associates, a North Carolina water utility and multiple U.S. newspapers.

Ryuk ransomware operators extorted victim companies by demanding ransom payments in Bitcoin in exchange for decryption keys. Justice Department officials said Vardanyan and his co-conspirators received about 1,160 bitcoins — valued at more than $15 million at the time — in ransom payments from victim companies.

The post Ryuk ransomware operator extradited to US, faces five years in federal prison appeared first on CyberScoop.

A 21-year-old former Army soldier pleaded guilty Tuesday to charges stemming from a series of attacks and extortion attempts last year on telecommunications companies, including AT&T. 

Cameron John Wagenius, who identified himself as “kiberphant0m” and “cyb3rph4nt0m” on online criminal forums, conducted extensive malicious activity for years, including while he was on active duty, the Justice Department said. 

Wagenius pleaded guilty to conspiring to commit wire fraud, extortion in relation to computer fraud and aggravated identity theft. He faces a maximum of 27 years in prison for the charges and is scheduled for sentencing on Oct. 6. Wagenius previously pleaded guilty to two counts of unlawful transfer of confidential phone records information in connection with this conspiracy, the Justice Department said.

“This is one of the most significant wins in the fight against cybercrime,” Allison Nixon, chief research officer at Unit 221B, told CyberScoop. “The cybersecurity workers helping the victims through a storm, federal law enforcement with the fastest federal arrest I have ever witnessed, and the prosecutors now destroying them in court — all brought their A game and they deserve to celebrate tonight.”

Details prosecutors shared about Wagenius as part of their ongoing investigation underscore the bold actions cybercriminals take to extort multiple victims at scale and evade capture. Prior to his arrest in December, Wagenius attempted to sell stolen information to a foreign intelligence service as part of a broader attempt to defect to Russia or another country that he believed would allow him to avoid arrest.

Officials said Wagenius and co-conspirators attempted to defraud at least 10 victim organizations by obtaining login credentials for the organizations’ networks. In November, Wagenius made multiple attempts to extort $500,000 from a major telecommunications company while threatening to leak call records of high-ranking public officials, according to court documents filed in February.

“[Wagenius’] greatest significance is in how absolutely destroyed he’s getting,” Nixon said, adding that he was part of a gang that made threats against Nixon and Unit221B, which specializes in breaking the anonymity of English-speaking cybercriminals.

“He was in the Army, living on base in Texas, when he leaked the hacked call records of President Trump and his family in a failed bid to extort AT&T,” Nixon said. “He pled guilty without even a plea bargain, and the government might still file additional charges. Amazing.”

Authorities did not name Wagenius’ alleged victims in court filings. AT&T in July confirmed cybercriminals accessed the company’s Snowflake environment in April and stole six months of phone and text records of “nearly all” of its customers. 

Wagenius’ alleged co-conspirators, Connor Moucka and John Binns, were indicted in November for allegedly extorting more than 10 organizations after breaking into cloud platforms used by AT&T and other major companies. Moucka, a Canadian citizen, consented to extradition to the United States in March to face 20 federal charges stemming from his alleged involvement in a series of attacks targeting as many as 165 Snowflake customers, one of the most widespread and damaging attack sprees on record.

Some of the records allegedly in Wagenius’ possession were stolen in the attack spree on Snowflake customer databases, according to cybercrime researchers. Federal law enforcement also found evidence on seized Wagenius’ devices indicating he had access to thousands of stolen identification documents and large amounts of cryptocurrency.

Justice Department officials said Wagnius and his co-conspirators attempted to extort at least $1 million from victim data owners. “They successfully sold at least some of this stolen data and also used stolen data to perpetuate other frauds, including SIM-swapping,” officials said in a news release.

“Cybercriminals are shockingly slow to update their threat model, and still operate on the assumption that they won’t be jailed and will get a job in the industry afterwards,” Nixon said. “As multi-decade sentences pile up, reality will set in: Brazen cybercriminals are much more likely to die in prison than they used to, and anonymity isn’t real.”

The post Former Army soldier pleads guilty to widespread attack spree linked to AT&T, Snowflake and others appeared first on CyberScoop.