7 teenagers arrested in connection with the LAPSUS$ hacks

Sicherheit (Pexels, allgemeine Nutzung)[German]A few hours ago, I reported in the article Lapsus$ hacker group debunked? Teenager from Britain and Brazil suspected? that security researchers believe they have uncovered the mastermind of the LAPSUS$ gang. It has now been revealed that British police have arrested seven teenagers in connection with the LAPSUS$ gang's activities.


The Lapsus$ group has only been causing a furore with spectacular hacks since the beginning of 2022 (the group first appeared in autumn 2021). Nvidia, Samsung, Microsoft, Okta are names of companies that appear as victims of hacks in this context. I have reported on the hacks of the Lapsus$ group several times in recent days – see links at the end of the article.

In this article, Microsoft explains at some length how the Lapsus$ attackers (called DEV-0537 there) proceed when hacking companies and organisations. Four security researchers have investigated a series of attacks by the Lapsus$ hacker group on technology companies, including Microsoft Corp. and Nvidia Corp. on behalf of the companies under attack. The cyber researchers used forensic evidence from the hacks as well as publicly available information to find out and name the perpetrators. I had reported the details in the article $ hacker group debunked? Teenager from Britain and Brazil suspected?

Arrests in Britain

The BBC reports in this article, which came to my attention via the following tweet, that seven teenagers have been arrested in connection with the activities of the LAPSUS$ gang.

7 Teenagers arrested in connection to LAPSUS$

Among them is probably the now 17-year-old teenager who lives near Oxford and is considered the mastermind of the LAPSUS$ gang. The teenager, who is said to have looted 14 million dollars (10.6 million euros) through hacking, was exposed by rival hackers and security researchers.


Under his online name "White" or "Breachbase", the teenager, who suffers from autism, is said to be a member of the hacker group Lapsus$, which also appears to have members in South America. City of London police say they have arrested seven teenagers in connection with the LAPSUS$ gang, but will not say whether White is one of those arrested.

Seven people aged between 16 and 21 have been arrested in connection with the investigation into a hacking group. They have all been released under investigation. Our investigation is still ongoing.

The teenager, whose name cannot be given by the BBC for legal reasons, attends a special school in Oxford, according to the article above. The teenager's mother, who was contacted by reporters, claims to have been unaware of the activities. The boy's father, who I understand lives separately from his mother, told the BBC: "I had never heard of it until recently. He's never talked about hacking, but he's very computer literate and spends a lot of time on the computer. I always thought he was playing games.

But it may also be a protective claim, because one doxing site says that the father must have been aware in conversations that the son is a hacker. Now the father wants to try to keep the boy away from the computer. According to my information, however, the police had been on the trail of the group for some time and possibly reacted now to the publication of the information about the hacker.

Findings from Palo Alto Networks

I have received some more information from Palo Alto Networks that rounds out the picture on the LAPSUS$ gang. Their security researchers are amazed that this threat actor has gone from a handful of destructive attacks to stealing and publishing source code from several leading technology companies in just a few months..

No ransomware group

I find the classification of the group interesting, as I had read indications that ransomware had also been used. Palo Alto Networks writes that Lapsus$ is sometimes referred to in reports as a ransomware group, which is distinguished by the fact that it does not use ransomware in extortion attempts.

In today's environment, threat actors favour the use of ransomware to encrypt data and systems, often extorting victims for significant amounts of cryptocurrency in exchange for decryption keys, sometimes increasing the pressure by threatening to release stolen data. However, Lapsus$ is unusual in its approach – for this group, notoriety rather than financial gain seems to be the goal.

Social engineering as leverage

Unit 42 has helped organisations respond to several Lapsus$ attacks. The Lapsus$ group, according to Palo Alto Networks. does not deploy malware in victim environments, does not encrypt data and, in most cases, does not use extortion. They focus on using a combination of stolen credentials and social engineering to gain access to victims. Security researchers have also seen them ask employees on Telegram for their credentials at specific companies in industries including: Telecoms, software, gaming, hosting providers and call centres. However, this was all previously known.

Damages can be high

However, the group's attacks and release of stolen data can be very damaging even without blackmail. In addition, the security researchers and forensic experts have seen destructive Lapsus$ attacks where the actors gained access to a company's cloud environment, wiped systems and destroyed over a thousand virtual machines.

Summary of Unit 42 findings

There are no public indicators of compromise (IoCs) and no tactics, techniques and procedures (TTPs) unique to the Lapsus$ Gang. However, security researchers have created a summary of what is known about this threat actor to enable defenders. The goal should be to better understand attacks and mitigate the threat (from similar attacks). Recent publicly known victims have included:

  • Samsung
  • Ubisoft
  • Vodafone
  • Microsoft
  • LG
  • Okta

However, there are additional (presumably many more) victims who have been the target of attacks, but this has not been publicised. The December 2021 attack on the Ministry of Health in Brazil was not widely discussed here on the blog or in the media. Nor did I address the attack on the Portuguese media company Impresa here on the blog – there are simply too many hacks, vulnerabilities and ransomware cases every day. Security researchers first observed Lapsus$ in mid-2021, and the first attack activity under this name took place in August 2021, when some British mobile phone customers reported receiving threats.

It is likely that some victims are not the intended end target, but rather are breached to gain access to their customers or to help bypass multi-factor authentication (MFA), for example.  In this regard, Unit 42 has observed this actor's involvement in vishing, SIM swapping and soliciting third parties from providers for insider access. The breach of authentication service Okta is used as evidence to support this theory, as the threat actor aht stated on the Lapsus$ group's Telegram channel: "… our focus was ONLY on Okta customers."

The key takeaway is that because the group uses a variety of techniques for attacks, no single technique can protect against Lapsus$ or detect its attacks. For this reason, the security researchers recommend that companies focus on following general information security best practices. And there seems to be a lot wrong with that, seeing that some teenagers were able to use financial enticements and tricks to break into the IT systems of well-known companies such as Microsoft or the authentication service Okto.

Unit 42, together with researchers from Unit 221b, identified the main actor behind the Lapsus$ Group nickname in 2021 and assisted law enforcement agencies in their efforts to prosecute this group. The summary in English, enriched with many screenshots of the group, was published by Palo Alto Networks in this article.

Similar articles:
Ubisoft hacked by Lapsus$ cyber gang (March 2022)
Cyber attacks on Nvidia and McDonalds (Feb. 25, 2022)
Samsung bestätigt Hack, Quellcodes durch Lapsus$ geleakt
Lapsus$ allegedly publishes source code of Microsoft Azure, Bing and Cortana
Authentication service OKTA hacked by Lapsus$?
Lapsus$ hacks: statements from Okta and Microsoft
Lapsus$ hacker group debunked? Teenager from Britain and Brazil suspected?

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *