Stephen Arthuro Solis-Reyes had been charged only with unauthorized use of a computer and mischief in relation to data, in the revenue agency case.
An expanded RCMP investigation produced more charges in the revenue case, plus new allegations of other attacks both in Canada and abroad.
The Mounties now allege Solis-Reyes transferred sensitive data from the revenue agency's network and have charged the computer science student with obtaining a computer service directly or indirectly, and intercepting a function of a computer system.
They also allege he attacked several other unrelated computer networks.
The additional charges include illegally obtaining computer services, illegal interception of computer functions, five counts of possessing unauthorized computer passwords, three counts of possession of devices used to hack computers and two more counts of mischief to data.
Solis-Reyes is scheduled to appear in court in Ottawa on Dec. 19.
The RCMP release Wednesday offered no other details.
"In order to respect the court process, we will not be providing any further comments," the force said in a statement.
When the Heartbleed bug surfaced last April, it prompted the revenue agency to temporarily suspend public access to its electronic services. People were prevented from filing tax returns.
Other government agencies also halted public access temporarily.
The bug exploited a flaw in software which was commonly used on the Internet to provide security and privacy.
Also on HuffPost