New cyber extortionists on the block: the Lapsus$ gang


Lapsus$’s timeline

The cyber gang made its debut on the hacking scene with an attack on Brazil’s Ministry of Health on 10th December 2021, during which the group claims to have stolen 50 TB of data and erased it from the Ministry’s systems. Between the end of December 2021 and the beginning of February 2022, Lapsus$ carried out a string of cyberattacks targeting exclusively Brazilian and Portuguese organisations, including Brazil’s state-owned postal service Correios, the Brazilian telecommunication companies Claro, Embratel and NET, the Portuguese media conglomerates Confina and Impresa, and the Portuguese car rental company Localiza. The predominant focus on Brazilian targets witnessed during Lapsus$’s initial hacking activity, has led researchers to believe that the group, or at least some of its members, may be based in Brazil.

Towards the end of February, the Lapsus$ group carried out an attack on its first US-based victim, the multinational graphics and computing chip manufacturer, Nvidia. The gang claimed to have exfiltrated 1 terabyte of data, including some of Nvidia's proprietary information, and the credentials of over 71,000 employees. Lapsus$ leaked around 20 GB of data and threatened Nvidia to publish the remaining stolen data. As part of its extortion tactic, the gang made a list of demands to the US company, asking that the company remove a security feature called Lite Hash Rate, which makes crypto mining harder, and that the company make its GPU drivers open source.

The attack on Nvidia marked a change in Lapsus$’s victimology, as the group’s focus shifted from targets mainly based in South America, to global high-profile targets, especially in the high-tech industry. The last target based in South America was the Argentinian e-commerce MercadoLibre, which confirmed it had suffered an attack resulting in the theft of its source code and the data of 300,000 users. Following the attack on Nvidia, Lapsus$ claimed to have obtained 200 GB of source code from Vodafone, allegedly representing 5,000 GitHub repositories, during an attack in previous months. On its popular channel on Telegram, Lapsus$ started a poll asking its over 59.000 subscribers (at the time of writing) which stolen data to leak first, with the three options being Vodafone’s source code, Impresa’s source code and database, or MercadoLibre’s source code with 24,000 repositories.

Lapsus$ carried out its most high-profile attacks in the month of March, targeting Samsung, Ubisoft, Microsoft, and the US-based authentication service provider Okta. Following the attack on Samsung, the gang published around 190 GB of internal files, and claimed to have obtained the source code for Galaxy devices. The extortion gang however, did not make any monetary requests or other demands to Samsung, raising questions as to what the goal of the attack was. The next target for Lapsus$ was the French video game company Ubisoft, which in mid-March confirmed the occurrence of a cyber incident that caused temporary disruption to its games, systems and services. It appeared that no data was exfiltrated nor leaked by Lapsus$, again making the reasoning behind the attack unclear.

On 19th March, Lapsus$ compromised Microsoft, and posted a screenshot as proof on its Telegram channel while the attack was still underway. This allowed Microsoft to discover the attack and intervene to stop further malicious activity, but not before the gang was able to exfiltrate data, including portions of source code. On 21st March, Lapsus$ posted a torrent for a 9 GB 7zip archive, which the gang claimed included the source code for 250 Microsoft projects, in particular for Bing, Bing Maps and Cortana. Just days later, Lapsus$ disclosed its new victim, the US identity management platform Okta. It appeared that the gang initially gained access to Okta in late January, by compromising Sitel, one of the company’s sub-processors. The gang disclosed it was only interested in the company’s customers, and not in the company’s data. Okta confirmed that 2.5% of its customer base (around 366 business clients) was compromised.

Following the attack on Okta, which generated many headlines, Lapsus$ announced it would be taking a week-long vacation. The gang announced its return by leaking data allegedly belonging to Globant, an IT and software development company, which included some of the company’s source code and clients’ project documentation, in addition to some admin credentials.


Modus Operandi

Lapsus$ appears to be a group that is still maturing and that is experimenting with different techniques to launch successful attacks, according to cyber experts. The gang uses mostly social engineering tactics in order to gain unauthorised access to victims, and according to Microsoft’s analysis it uses techniques like SIM swapping, compromising the personal accounts of employees at the targeted company, paying employees and business partners for insider access and credentials, or tricking the help desk and customer support at targeted companies. One of the core members of Lapsus$ was seen posting on Reddit and Telegram to recruit insiders working at mobile phone providers, software and gaming companies, and call centres, offering up to $20,000 a week to anyone willing to help the gang. Lapsus$ appears to use to its advantage the interconnectedness brought by technology, by leveraging access from an organisation to then compromise its business partners or suppliers.

Contrary to many prolific hacker groups on the scene, Lapsus$ typically does not employ malware to breach into victims’ systems and does not use ransomware to encrypt victim’s data. The gang in fact, simply exfiltrates data from its targets, and then threatens to leak it if the target does not pay. In a number of attacks however, Lapsus$ did not request any form of payment, and either made other types of demands, or simply leaked the data. This has led cybersecurity experts to suggest that the primary motivator behind the group’s actions might not be solely or primarily financial gain, but notoriety and fame as well. Microsoft’s analysis points out that Lapsus$ does not seem to take great care into covering its tracks or hiding its malicious activity. In fact, the group typically announces its hacks on its Telegram channel to its over 59,000 subscribers.

Not much is known about the origins of the gang, however, cybersecurity experts believe Lapsus$ is a brand-new group and not a group that has rebranded under a different name. It is also believed the gang functions more as a collective, rather than as a group with a strict and methodical organisation. While the gang is thought to be based in Brazil, it is believed to include European members as well.


Lapsus$’ members and arrests

The high-profile nature of Lapsus$’s targets inevitably attracted the attention of law enforcement. In March 2022, the FBI added the gang to its ‘Most Wanted’ list following intrusions on US-based companies. In the same month in the UK, the City of London Police arrested 7 people between the ages of 16 and 21, in what is speculated to be an investigation into the Lapsus$ gang. All 7 people, who remain unnamed, were released while the investigation remained ongoing. In early April, two UK teenagers, aged 16 and 17, were charged in an investigation into the gang. The charges included three counts of unauthorised access to a computer with intent to impair the reliability of data, one count of fraud by false representation, and one count of unauthorised access to a computer with intent to hinder access to data.

Researchers believe to have identified the mastermind behind Lapsus$: a teenager based outside of Oxford who goes by the online moniker “White” and “breachbase”. The alleged identity of “White” was doxxed online [1] by fellow hackers to protest the mismanagement of the website Doxbin, which the teenager had purchased the previous year. The youngster was forced to resell Doxbin, a website where anyone can post the personal information of a target, to its previous owner after users complained about the poor management of the platform. It appears that before relinquishing control, “White” leaked the website’s entire dataset on Telegram, including private doxes that had not been published, which in turn cause the Doxbin community to retaliate against him. Considering that the alleged mastermind is still underage, his name remains unknown.


[1] Doxing or doxxing is the act of publicly revealing previously private personal information about an individual or organization, usually via the Internet. Methods employed to acquire such information include searching publicly available databases and social media websites (like Facebook), hacking, social engineering and, through websites such as Grabify, a site specialized in revealing IP addresses through a fake link. Doxing may be carried out for reasons such as online shaming, extortion, and vigilante aid to law enforcement. It also may be associated with hacktivism. (From Wikipedia)

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.

Reference List:


The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.

Related news

Why phishing emails contain errors?

You have probably noticed that all the phishing mails are poorly written and some details may let us think they are somewhat unprofessional. Find out why.

Read more
When hacking is good: ethical hackers | White Blue Ocean Blog
When hacking is good: ethical hackers

While talking about the ethics of hackers, the term hacker often has a negative connotation. In reality, a hacker is an extremely competent person in the IT sector who exploits his knowledge, skills and his own curiosity for helping others in order to discover the vulnerabilities of a system.

Read more
2020 FireEye Breach

On the 8 December 2020, prominent US-based cybersecurity company FireEye announced on its blog that they had been the victims of a cyber-attack. The nature of the attack has led to experts to theorise that it was carried out by a state-sponsored hacking group, currently believed to be Cozy Bear (also known as APT29).

Read more
Juspay Data Breach

A statement released by Juspay on 5th January 2021 confirms that the Indian-based company has been the target of a cyberattack resulting in a large-scale data breach.

Read more
You've heard about ransomware, now get ready for extortionware

What is extortionware and how does it differ from ransomware?

Read more
A Brief History of Ransomware | White Blue Ocean
A Brief History of Ransomware

Ransomware is continuously developing and becoming more and more sophisticated. It isn’t going anywhere anytime soon, but where did it come from? Where did it go? And how has it evolved?

Read more


Let's talk

Please fill in the form below (fields with * are mandatory) and we will respond to your request as soon as possible!