When the accused Kitchener-based hacker known online as “Waifu” threatened a woman on the messaging app Telegram, it was the beginning of his downfall.
“Waifu” had been bragging about his criminal exploits in open groups on Telegram. But when he threatened Allison Nixon, the chief research officer at the U.S. cybersecurity firm Unit221B, his days were numbered.
Nixon is the co-owner of the U.S.-based cybersecurity firm named after the home address of the fictional detective Sherlock Holmes, and when she saw the violent threats against her, Nixon tasked one of her researchers to uncover his real identity.
After the hacker made a critical mistake in what cybersecurity types call “operational security,” a member of Nixon’s team was able to follow the digital bread crumbs on the internet, the dark web and messaging apps to reveal “Waifu’s” real identity.
She did not want to talk about how Unit221B did that, saying hackers learn from the mistakes of other cybercriminals, making it more difficult to catch them in the future.
It was not easy and took several months, she said. “Waifu” is associated with a subculture of cybercriminals that includes thousands of creative hackers deploying sophisticated ways to steal data and extort money from their victims, she said.
But Unit221B and Mandiant, the cybersecurity company owned by Google, found out who he was and passed the information to law enforcement.
“We put some time into that this year, and we are basically half of the reason he got identified,” said Nixon during a telephone interview. “We have had that name for months; we have been waiting for the arrest.”
A Washington court issued an arrest warrant for Connor Riley Moucka, 25, for conspiracy, computer fraud and abuse, extortion in relation to computer fraud and aggravated identity theft.
Moucka, 25, was arrested in a Stanley Park house in suburban Kitchener on Oct. 30. He is scheduled to appear in a Kitchener court on Friday, Nov. 29. American law enforcement wants him extradited to stand trial in Washington.
Moucka is alleged to be the mastermind behind the Snowflake hack — one of the biggest data breaches in history.
Nixon first became aware of “Waifu” in 2019 when the New York Police Department called her for information. The hacker identified as a member of “The Com,” a criminal subculture online she had been tracking for years.
“‘The Com,’ which is short for ‘The Community,’ includes a geographically diverse group of individuals, primarily young actors operating mostly from Canada, the U.S. and the U.K., that engage or were coerced to engage in cybercriminal activities such as subscriber identity module (SIM) swapping, cryptocurrency theft, commissioning real-life violence, swatting and corporate intrusions,” says Intel471, an American provider of cyberthreat intelligence.
Nixon said other members of “The Com” in Ontario remain active, including one from this area who uses the alias “Multiple.”
“There is also a shift happening in law enforcement, they are taking ‘The Com’ seriously at this point as a major, criminal threat because the stuff coming out of this criminal community ranges from financial fraud and high-dollar theft and ransomware to violence and extortion,” said Nixon in a telephone interview.
During the April-July period of 2024, the American cloud service provider Snowflake was hacked. The hacker accessed the accounts and data of many companies using Snowflake, including AT&T, Ticketmaster, Advance Auto Parts, Santander, LendingTree and Neiman Marcus, among many others.
About 165 customers of Snowflake were hacked. The hacker stole the call logs and texts of 100 million customers at AT&T, and the account information for 560 million users of Ticketmaster. The hacker used stolen log-in information to access the accounts.
In the more than 10 years Nixon has spent identifying cybercriminals, the man known as “Waifu” stands out for the jaw-dropping stupidity that brought the police to the quiet residential street in Kitchener where he lived in his grandfather’s house.
He made one error in what Nixon calls “operational security” and the game was up — Unit221B figured out who he was.
In response, “Waifu” started writing Telegram posts full of false and misleading information under different names. But he was also bragging about his crimes, and then he started attacking Nixon.
“All this accomplished was to draw a tonne of attention from a bunch of people he should never have attracted attention from,” said Nixon.
Moucka remains in jail at the Maplehurst Correctional Complex. His court appearance on Friday is about scheduling future court dates. It is not known when the extradition hearing will begin.
How the case unfolds from this point depends on whether Moucka has access to the internet from inside Maplehurst, said Nixon. If he can access his cryptocurrency to pay for lawyers, it could be a long legal fight to get him out of the country and into a courtroom in Washington.
“The whole situation is so ironic for this Moucka person,” said Nixon.
He repeatedly threatened her and her company on Telegram, though neither was even working on the Snowflake hack at the time.
“Why would he target a company that is not working on his case and specializes in identifying cybercriminals?” said Nixon. “It is just the stupidest thing ever.”