Chats show: LAPSUS$ had probably also hacked T-Mobile several times

Sicherheit (Pexels, allgemeine Nutzung)[German]The hacker group, which is allegedly made up of teenagers (at least some teenagers were arrested in the UK in this regard), has probably also hacked T-Mobile in the USA several times. The group had access to T-Mobile's Atlas system (used to manage customer accounts). This is shown by chat records that security blogger Brian Krebs was able to view.


Security blogger Brian Krebs probably got access to the chat logs of conversations of the members of this hacking group and then came across the references to T-Mobile (US phone provider). Here are the logs from March 19, 2022 with entries pertaining to T-Mobile.

Lapsus$ Chat logs

The private chats show that LAPSUS$ members had access to T-Mobile's Atlas system. That's an internal tool T-Mobile uses to manage customer accounts. Brian Krebs already disclosed the facts last Friday in various tweets as well as in this article.

LAPSUS$ hacked T-Mobile

The group had probably managed to buy a T-Mobile employee's credentials for this Atlas system on the darknet. Once a member gained access to Atlas, it searched for T-Mobile accounts associated with the FBI and the Department of Defense. However, these accounts were listed as requiring additional verification procedures before changes could be made.


The successful hack led to discussions within the group. Attempting to gain access to the FBI and other government accounts via SIM swapping was considered quite risky. In fact, the other LAPSUS$ members were eager to perform SIM swaps for some targets in the T-Mobile customer database who were believed to be wealthy. The goal was to get money by hacking this targets.

Therefore, the hacker cut successful access to the VPN connection that allowed access to the T-Mobile network. He wanted to focus on using the illegal T-Mobile access to steal source code. This seems to have been successful, because the hacker named White posted screenshots in the private chat. These showed that an automated script had downloaded more than 30,000 source code repositories from T-Mobile.

Brian Krebs suspects that the hacker hoped to find security vulnerabilities through the source code in order to exploit them. Krebs writes that T-Mobile says no customer or government data was stolen. Details can be found in Krebs' article.

Background of the Lapsus$ group

The Lapsus$ group was able to gain some media attention due to a series of attacks on technology companies, including Microsoft Corp and Nvidia Corp. The group had been active since mid-2021, and their strategy was to gain access to systems by buying up employee account credentials. They were quite successful – I reported about the hacks of the Lapsus$ group several times – see links at the end of the article.

In the meantime, four security researchers, who investigated a series of attacks by the Lapsus$ hacker group on behalf of the attacked companies, were able to find out the identity of some members of the Lapsus$ group. I had reported on this in the blog post Lapsus$ hacker group debunked? Teenager from Britain and Brazil suspected. In the meantime, there have been arrests in the UK and also charges against defendants.

Similar articles:
Ubisoft hacked by Lapsus$ cyber gang (March 2022)
Cyber attacks on Nvidia and McDonalds (Feb. 25, 2022)
Samsung bestätigt Hack, Quellcodes durch Lapsus$ geleakt
Lapsus$ allegedly publishes source code of Microsoft Azure, Bing and Cortana
Authentication service OKTA hacked by Lapsus$?
Lapsus$ hacks: statements from Okta and Microsoft

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *