blacktemple.net
Cybersecurity News & Analysis
© 2026
Lapsus$

Also known as: LAPSUS$ · DEV-0537 · Strawberry Tempest

Category: cybercrime
Nation: Unknown
Active Since: 2021
Targets: Technology, Telecommunications, Government, Gaming, Healthcare, Automotive, Media
Known Tools: Redline Stealer, custom SIM swap tools, AD Explorer, DCSync tools, Mimikatz
MITRE ATT&CK: T1566 (Phishing), T1078 (Valid Accounts), T1199 (Trusted Relationship), T1552 (Unsecured Credentials), T1213 (Data from Information Repositories), T1567 (Exfiltration Over Web Service), T1136 (Create Account), T1098 (Account Manipulation), T1539 (Steal Web Session Cookie)
References:
  • MITRE ATT&CK - LAPSUS$
  • Microsoft - DEV-0537
  • CISA Cyber Safety Review Board - Lapsus$ Report
  • UK Crown Prosecution Service - Lapsus$ Convictions
  • Krebs on Security - Lapsus$ Analysis

Background

Lapsus$ (stylized as LAPSUS$) is a cybercriminal and data extortion group that burst onto the global stage in late 2021 and conducted one of the most brazen series of corporate breaches in recent cybersecurity history. In a span of just a few months in early 2022, the group compromised some of the world's largest technology companies, including Microsoft, Nvidia, Samsung, Okta, T-Mobile, Uber, and Rockstar Games. What made these breaches particularly remarkable was that many were carried out by teenagers, with the group's alleged ringleader, a 16-year-old from Oxford, England, identified online as "White," "breachbase," and "WhiteDoxbin."

Unlike traditional cybercriminal groups motivated purely by financial gain, Lapsus$ appeared driven by a mixture of notoriety-seeking, chaos, and financial opportunism. They ran a public Telegram channel with over 45,000 followers where they polled subscribers on which company's data to leak next, taunted victims, posted screenshots of compromised internal systems, and recruited corporate insiders. This brazen style was simultaneously their greatest strength (generating massive media attention) and their ultimate vulnerability (enabling law enforcement identification and arrests).

The group's core members were primarily teenagers and young adults based in the United Kingdom and Brazil. In March 2022, the City of London Police arrested seven individuals aged 16 to 21 in connection with Lapsus$ activity. The alleged ringleader, Arion Kurtaj (17 at the time of his most notable attacks), and another minor were tried at Southwark Crown Court in 2023. Kurtaj had been found unfit to stand trial because of severe autism, so the jury was asked only whether he had committed the acts alleged; in August 2023 it found that he had, across charges including unauthorized computer access, fraud, and blackmail, and his co-defendant was convicted. In December 2023 Kurtaj was sentenced to an indefinite hospital order.

The Cyber Safety Review Board (CSRB), convened by the US Department of Homeland Security, published a comprehensive review of Lapsus$ in August 2023, concluding that the group had exploited systemic weaknesses in identity verification that are endemic across the technology ecosystem. Despite the arrests, the broader "Com" community that Lapsus$ emerged from continues to spawn similar threat actors, most notably Scattered Spider.

Notable Campaigns

Brazilian Government and Telecommunications (December 2021)

Lapsus$ first appeared publicly in December 2021 targeting Brazilian organizations. It breached the Brazilian Ministry of Health, claimed to have copied and then deleted COVID-19 vaccination records for millions of citizens from the ConecteSUS platform, defaced the ministry's website, and posted a ransom message; the platform went offline as a result. The group also compromised Claro, Embratel, and NET (major Brazilian telecom providers owned by América Móvil), claiming to have exfiltrated 10TB of data including customer records and internal systems. These early attacks established the group's willingness to target government infrastructure and its preference for maximum public disruption and attention, and the Brazilian victims suggested that at least some founding members had ties to Brazil.

Nvidia Breach (February 2022)

In late February 2022, Lapsus$ breached Nvidia and stole approximately 1TB of proprietary data, including credentials for over 71,000 employees (email addresses and NTLM password hashes), GPU source code, schematics, firmware, drivers, and documentation for unreleased products. In an unprecedented twist, the group demanded that Nvidia open-source its GPU drivers for Windows, macOS, and Linux and permanently remove the Lite Hash Rate (LHR) cryptocurrency-mining limiter from its GeForce 30-series GPUs.

Lapsus$ claimed on its Telegram channel that Nvidia had hacked back and encrypted the machine holding the stolen data; whatever actually happened, the claim generated significant media coverage and public amusement. The group then leaked two expired Nvidia code-signing certificates. Windows did not reject drivers signed with them merely because they had expired, so other malware authors immediately began signing malicious binaries and offensive tooling with a legitimate Nvidia identity, and defenders had to blocklist the certificates explicitly rather than rely on the vendor's reputation.

Samsung Source Code Leak (March 2022)

In early March, the group leaked approximately 190GB of Samsung data split into three compressed archives distributed via torrent. The leaked material included source code for Galaxy device bootloaders, algorithms for all biometric unlock operations (face recognition and fingerprint processing), Qualcomm confidential source code provided to Samsung under NDA, Samsung Knox authorization and authentication server code, Samsung's TrustZone environment implementation, and source code for Samsung Accounts authentication. The leak represented one of the most significant exposures of a major vendor's proprietary mobile security architecture ever made public.

Microsoft and Okta Compromises (March 2022)

In their most technically significant operations, Lapsus$ compromised Microsoft's internal Azure DevOps environment and leaked approximately 37GB of partial source code for Bing, Bing Maps, and Cortana. Microsoft confirmed the breach, tracked the actor as DEV-0537, and stated that their investigation found only a single account was compromised and no customer code or data was involved. Microsoft published a detailed blog post on the group's tactics, providing one of the first comprehensive public analyses of Lapsus$ operations.

Concurrently, Lapsus$ breached Okta through Sykes, a customer-support contractor belonging to Sitel Group whose engineers had access to Okta's internal support tools. Between 16 and 21 January 2022 the attackers had remote access to a Sykes support engineer's workstation and used Okta's administrative tooling from it; that tooling could reset passwords and MFA factors but could not download customer databases. Okta initially assessed that up to 366 customers (about 2.5%) might have been affected and later concluded that the number was two. The incident was particularly damaging because Okta is the identity provider for thousands of organizations and because the January alert had gone uninvestigated for two months. Okta's initially dismissive response when Lapsus$ published screenshots in March drew widespread criticism, and the company later acknowledged that it had mishandled the disclosure.

Uber and Rockstar Games (September 2022)

Even after the March 2022 arrests, operations linked to Lapsus$ members continued. In September 2022, an attacker later identified in court as Arion Kurtaj compromised Uber's internal systems through an MFA fatigue attack on an external contractor whose Uber password, according to Uber, had most likely been bought after the contractor's personal device was infected with infostealer malware. After bombarding the contractor with push notifications for over an hour, the attacker contacted them via WhatsApp claiming to be Uber IT and instructed them to approve the prompt. Once inside, the attacker accessed further employee accounts, gaining elevated permissions to Uber's Slack, internal dashboards, cloud consoles, and code repositories, and posted a message to a company-wide Slack channel announcing the breach.

Days later, the same individual breached Rockstar Games and leaked approximately 90 development videos from Grand Theft Auto VI, one of the most anticipated video games in history, while claiming to hold its source code. Kurtaj reportedly carried out the Rockstar breach while on police bail and under supervision in a Travelodge hotel in Bicester, using only an Amazon Fire Stick, a mobile phone, and a temporary monitor provided by the hotel. This detail underscored both the resourcefulness of the attacker and the limits of containing a motivated threat actor through physical monitoring alone.

Tactics, Techniques & Procedures

Lapsus$ demonstrated to the world that devastating corporate breaches do not require advanced technical sophistication, zero-day exploits, or nation-state resources. Their operations relied on exploiting human trust, identity system weaknesses, and the fundamental challenge organizations face in verifying digital identities.

Initial Access was achieved primarily through social engineering and insider recruitment (T1566 Phishing, T1078 Valid Accounts, T1199 Trusted Relationship). The group actively solicited corporate insiders via its public Telegram channel, openly offering payments of up to $20,000 per week for VPN credentials, Citrix access, AnyDesk sessions, or any other corporate network entry point. It purchased credentials and session tokens from infostealer log markets (Redline, Raccoon Stealer, Vidar), replaying stolen session tokens where they bypassed MFA entirely (T1539 Steal Web Session Cookie). It conducted SIM swapping attacks against employees to intercept SMS-based MFA codes. It targeted IT service providers and contractors (Sykes/Sitel) as an indirect route into high-value targets, exploiting the trust relationships between organizations and their outsourced support providers.

Credential Theft and Privilege Escalation focused on rapid access to high-value internal resources (T1552 Unsecured Credentials, T1078 Valid Accounts). Once inside a network, Lapsus$ moved quickly to access source code repositories (GitHub, GitLab, Azure DevOps, Bitbucket), internal wikis and knowledge bases (Confluence, SharePoint, internal documentation portals), identity platforms (Active Directory, Okta admin panels, Azure AD), and cloud management consoles (AWS, Azure, GCP). They searched repositories and documentation for hardcoded credentials, service account passwords, and API keys to escalate access. They also exploited help desk processes to reset passwords and enroll attacker-controlled MFA devices.
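Since Lapsus$ escalated by mining repositories and wikis for hardcoded credentials, the cheapest defensive counterpart is to run that same search first, on every checkout. The scanner below is an added example written for this page, not code from Lapsus$, Microsoft, or the CSRB report; the file contents, regular expressions, and entropy threshold are assumptions for illustration (the AKIA... and wJalr... values are the placeholder keys from AWS documentation, and the ghp_ token is made up). It flags AWS keys, GitHub personal access tokens, and quoted literals assigned to secret-looking variables, and it skips vault references and low-entropy placeholders so that "changeme" does not drown the real findings.

```python
"""Hardcoded-credential scanner over an in-memory checkout (added example)."""
import math
import re

# Credential shapes worth flagging; the value is captured in named group "v".
# AKIA + 16 chars is the AWS access key ID format; ghp_ + 36 chars is a GitHub
# classic personal access token; the last pattern catches quoted literals
# assigned to variables whose name suggests a secret.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<v>AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?(?P<v>[A-Za-z0-9/+=]{40})"),
    "github_pat": re.compile(r"\b(?P<v>ghp_[A-Za-z0-9]{36})\b"),
    "assigned_secret": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*"
        r"['\"](?P<v>[^'\"]{8,})['\"]"),
}

# Values that refer to a vault or environment variable rather than being secrets.
TEMPLATE_PREFIXES = ("${", "{{", "<", "%(")


def shannon_entropy(value):
    """Bits of entropy per character; placeholders such as 'changeme' score low."""
    if not value:
        return 0.0
    length = len(value)
    return -sum((value.count(c) / length) * math.log2(value.count(c) / length)
                for c in set(value))


def scan_text(path, text, min_entropy=3.0):
    """Return (path, line_number, pattern_name, value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group("v")
                if name == "assigned_secret":
                    if value.startswith(TEMPLATE_PREFIXES):
                        continue  # "${VAULT_API_KEY}" style indirection, not a secret
                    if shannon_entropy(value) < min_entropy:
                        continue  # low-entropy placeholder such as "changeme"
                findings.append((path, lineno, name, value))
    return findings


def scan_repo(files):
    """files: {relative_path: contents}. Scans every file and concatenates findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed repository contents for the demo (no real credentials).
SAMPLE_FILES = {
    "deploy/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "changeme"\n'
        'DB_PASSWORD_PROD = "Xk9#vL2$pQ7!mR4w"\n'
    ),
    "infra/env.example": 'API_KEY="${VAULT_API_KEY}"\n',
    "scripts/backup.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "ci/notes.md": "bot token: ghp_a1B2c3D4e5F6g7H8i9J0k1L2m3N4o5P6q7R8\n",
}

if __name__ == "__main__":
    for path, lineno, name, value in scan_repo(SAMPLE_FILES):
        print(f"{path}:{lineno}: {name}: {value[:6]}...")
```

Run against the constructed checkout, it reports the production database password, both AWS keys, and the GitHub token, and stays silent on the "changeme" placeholder and the vault reference. A production deployment would add pre-commit and CI hooks so that the same patterns block a push rather than merely report it after the fact.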

Data Exfiltration was direct and massive in scale (T1213 Data from Information Repositories, T1567 Exfiltration Over Web Service). The group cloned entire source code repositories and downloaded complete database dumps to personal cloud storage. They transferred hundreds of gigabytes in single sessions with no concern for stealth. In some cases, they also deleted data and created rogue administrative accounts (T1136 Create Account, T1098 Account Manipulation) to maintain access and maximize disruption.

Public Extortion and Chaos distinguished Lapsus$ from virtually every other known threat actor. Rather than following the ransomware playbook of encrypting data and demanding payment through a negotiation portal, Lapsus$ made erratic demands (demanding Nvidia open-source their drivers), polled their Telegram audience on what to leak next, and released data regardless of whether victims engaged. This unpredictability made them exceptionally difficult for corporate incident response teams to manage.

Tools & Malware

Lapsus$ relied on social engineering, purchased access, and living-off-the-land techniques rather than custom malware development:

  • Infostealer Logs: Purchased bulk credential logs from Redline Stealer, Raccoon Stealer, Vidar, and other infostealer operations distributed via underground markets and Telegram channels. These provided the initial credentials for many target organizations.
  • SIM Swapping Infrastructure: Social engineering scripts and insider contacts at mobile carriers for transferring victim phone numbers to attacker-controlled SIM cards, enabling SMS MFA interception.
  • AD Explorer / ADRecon: Legitimate Active Directory tools used to enumerate domain structure, identify privileged accounts, and map trust relationships after initial network access.
  • Mimikatz / DCSync: Standard credential extraction tools for dumping NTLM hashes, Kerberos tickets, and cleartext passwords from domain controllers, enabling privilege escalation and lateral movement.
  • Native Cloud Tools: Azure CLI, AWS CLI, and GCP command-line tools used with compromised credentials to access cloud resources, enumerate storage buckets and repositories, and exfiltrate data from cloud-hosted source code and databases.
  • MFA Fatigue / Push Spam: Bombarding target users with repeated MFA push notifications until they approve out of frustration. Often combined with a WhatsApp or SMS message impersonating IT support instructing the user to approve.
  • Telegram: Primary platform for member coordination, public victim shaming, data leak distribution, and insider recruitment. Served as both operational tool and marketing channel.

Indicators & Detection

Detecting Lapsus$-style attacks requires organizations to fundamentally rethink their assumptions about threat actor sophistication and refocus security investments on the human elements and identity infrastructure of their security programs.

Insider Threat Monitoring: Monitor for employees or contractors accessing unusual systems or downloading abnormally large volumes of data. Implement DLP controls that alert on bulk downloads from code repositories, SharePoint, and Confluence. Since Lapsus$ actively recruited insiders, behavioral analytics must account for the possibility of a cooperating employee with legitimate credentials.

Help Desk and Identity Controls: The CSRB report on Lapsus$ recommended that organizations implement phishing-resistant MFA (FIDO2/WebAuthn) and abandon SMS-based authentication. Help desk procedures must include robust identity verification: mandatory callback to numbers already on file, video verification for sensitive operations, supervisor approval for privilege changes, and cooling-off periods for password and MFA resets on privileged accounts.

MFA Fatigue Detection: Monitor for repeated MFA push failures followed by a successful authentication. Alert on more than three push rejections within a short window. Implement number matching in push notifications so users must enter a code from the login screen. Where possible, migrate to phishing-resistant FIDO2 authentication that eliminates push notifications as an attack surface.

Source Code Repository Monitoring: Implement audit logging on all source code platforms (GitHub, GitLab, Azure DevOps, Bitbucket) and alert on bulk repository cloning, access from unexpected IPs or devices, and creation of personal access tokens or SSH keys. Large git clone operations against multiple repositories in rapid succession should be treated as high-priority alerts.
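The MFA fatigue rule (an approval that follows a burst of rejected pushes) and the repository rule (one actor cloning many distinct repositories in quick succession) share the same sliding-window logic, so the added example below implements both over a constructed log. It is illustration code written for this page, not a detection from Microsoft, Okta, GitHub, or any SIEM vendor; the line format, field names, user names, and thresholds (more than three rejections within 30 minutes, more than five distinct repositories within 10 minutes) are assumptions.

```python
"""Sliding-window detections for MFA push fatigue and bulk cloning (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str
    kind: str     # push_denied | push_timeout | push_approved | git_clone
    target: str   # source IP for push events, repository name for git_clone


def parse(lines):
    """Parse '<ISO-8601 time> <actor> <kind> <target>' lines (constructed format)."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        ts, actor, kind, target = line.split()
        events.append(Event(datetime.fromisoformat(ts), actor, kind, target))
    return sorted(events, key=lambda e: e.ts)


def detect_mfa_fatigue(events, max_rejections=3, window=timedelta(minutes=30)):
    """Alert when an approval follows more than max_rejections denied or timed-out
    pushes for the same actor inside the window. Older rejections are dropped, so
    a user who declines one stray prompt and logs in normally later does not fire."""
    pending = defaultdict(deque)
    alerts = []
    for e in events:
        if not e.kind.startswith("push_"):
            continue
        q = pending[e.actor]
        while q and e.ts - q[0].ts > window:
            q.popleft()
        if e.kind == "push_approved":
            if len(q) > max_rejections:
                alerts.append((e.actor, len(q), e.ts))
            q.clear()
        else:
            q.append(e)
    return alerts


def detect_bulk_clone(events, max_repos=5, window=timedelta(minutes=10)):
    """Alert once per actor when more than max_repos distinct repositories are
    cloned inside the window; repeated clones of one repo count once."""
    recent = defaultdict(deque)
    alerts = []
    fired = set()
    for e in events:
        if e.kind != "git_clone":
            continue
        q = recent[e.actor]
        q.append(e)
        while q and e.ts - q[0].ts > window:
            q.popleft()
        distinct = {x.target for x in q}
        if len(distinct) > max_repos and e.actor not in fired:
            fired.add(e.actor)
            alerts.append((e.actor, len(distinct), e.ts))
    return alerts


# Constructed log. c.jones: the Uber-style burst of rejections then an approval.
# a.lee: one decline, then a normal login. b.kim: four declines, but the approval
# arrives long after the window. svc-build: CI cloning three repos. m.white: a
# whole-codebase grab.
SAMPLE_LOG = """\
2022-09-15T01:00:00 c.jones push_denied 203.0.113.5
2022-09-15T01:05:00 c.jones push_denied 203.0.113.5
2022-09-15T01:10:00 c.jones push_timeout 203.0.113.5
2022-09-15T01:15:00 c.jones push_denied 203.0.113.5
2022-09-15T01:20:00 c.jones push_timeout 203.0.113.5
2022-09-15T01:25:00 c.jones push_denied 203.0.113.5
2022-09-15T01:28:00 c.jones push_approved 203.0.113.5
2022-09-15T02:00:00 a.lee push_denied 198.51.100.7
2022-09-15T02:01:00 a.lee push_approved 198.51.100.7
2022-09-15T03:00:00 b.kim push_denied 198.51.100.9
2022-09-15T03:05:00 b.kim push_denied 198.51.100.9
2022-09-15T03:10:00 b.kim push_denied 198.51.100.9
2022-09-15T03:15:00 b.kim push_denied 198.51.100.9
2022-09-15T04:30:00 b.kim push_approved 198.51.100.9
2022-09-15T05:00:00 svc-build git_clone platform/api
2022-09-15T05:00:30 svc-build git_clone platform/web
2022-09-15T05:01:00 svc-build git_clone platform/infra
2022-09-15T06:00:00 m.white git_clone payments/core
2022-09-15T06:00:20 m.white git_clone payments/ledger
2022-09-15T06:00:40 m.white git_clone payments/core
2022-09-15T06:01:00 m.white git_clone identity/sso
2022-09-15T06:01:30 m.white git_clone identity/mfa
2022-09-15T06:02:00 m.white git_clone mobile/android
2022-09-15T06:02:30 m.white git_clone mobile/ios
2022-09-15T06:03:00 m.white git_clone infra/terraform
"""


def run(log_text=SAMPLE_LOG):
    """Parse the log once and return both rules' alerts as (actor, count, time)."""
    events = parse(log_text.splitlines())
    return {"mfa_fatigue": detect_mfa_fatigue(events),
            "bulk_clone": detect_bulk_clone(events)}


if __name__ == "__main__":
    for rule, hits in run().items():
        for actor, count, ts in hits:
            print(f"{rule}: {actor} count={count} at {ts.isoformat()}")
```

On the constructed log only c.jones and m.white fire. The approval is the trigger in the first rule because that is the moment the attacker has won; a second, lower-priority alert on the rejection burst alone is worth adding so the help desk can reach the user before they give in. Clearing the queue after an approval keeps the same fatigue episode from being reported twice.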

Credential Exposure Response: Proactively monitor for corporate credentials appearing in infostealer logs and breach databases. Given that purchased credentials were a primary initial access vector for Lapsus$, early detection of compromise can prevent intrusions before they begin. Implement automated credential rotation when exposure is detected, and investigate any access that occurred between the estimated compromise time and detection.
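One piece of the exposure-monitoring workflow that can be tested offline is checking a password against a breach corpus without ever sending the password. The added example below implements the Have I Been Pwned "Pwned Passwords" range query (SHA-1 the password, send only the first five hex characters, and match the remaining 35 locally against the returned list); it is written for this page and is not the page's, HIBP's, or any vendor's code. The range response in the demo is constructed and its counts are made up; matching corporate credentials against infostealer logs by domain is a separate feed that this block does not cover.

```python
"""Pwned Passwords k-anonymity range check (added example)."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """SHA-1 the password and split the hex digest into the 5-char prefix that
    is sent to the API and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Download the suffix list for one prefix (network call; not used by the
    offline demo). The API answers with lines of the form SUFFIX:COUNT."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "credential-exposure-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def exposure_count(password, range_body):
    """Breach occurrences for the password, given the range response for its own
    prefix. 0 means the suffix is absent from that range."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        sfx, count = line.split(":", 1)
        if sfx.upper() == suffix:
            return int(count)
    return 0


def is_exposed(password, fetch=fetch_range):
    """Live check: fetch the range for the password's prefix, then match locally.
    The fetch function is injectable so the logic can be tested without network."""
    prefix, _ = sha1_prefix_suffix(password)
    return exposure_count(password, fetch(prefix)) > 0


# Constructed response body for prefix 5BAA6, the prefix of SHA-1("password").
# Only the second suffix is the real one for "password"; the others and every
# count are made up for the demo.
CONSTRUCTED_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F0B3C9D8A7E6F5D4C3B2A1908F7E6D5C4B:1
"""

if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-2022"):
        print(pw, "->", exposure_count(pw, CONSTRUCTED_RANGE_5BAA6))
```

Because only the prefix leaves the network, the check can be wired into password-change and help desk reset flows without creating a new leak path; the API also accepts an Add-Padding header that pads responses to a uniform size if response-length analysis is a concern.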

Telecom Account Security: Implement SIM locks, port-out PINs, and additional verification on all mobile accounts associated with privileged IT and security staff. SIM swapping remains a viable attack vector. Use authenticator apps or hardware security tokens instead of SMS for all MFA implementations across the organization.
