The Lapsus$ hackers responsible for attacks on Samsung, Nvidia and Microsoft (among others) may have been put out of business with a set of arrests in and near London. Surprisingly, no member of the accused group was over the age of 21, and some were as young as 16.
Accused LAPSUS% hackers found in England, Brazil; some members still living with parents
The incident recalls the breach of Twitter in 2020, in which high profile accounts were temporarily taken over and used to promote a cryptocurrency scam. The small group that was ultimately arrested for that breach consisted of 19 to 21 year olds living in the UK and US, with an additional 16 year old in Massachusetts investigated but not yet charged.
The first arrest of the Lapsus$ hackers was a 16 year old living in Oxford, England, who was accused of being the mastermind and ringleader of the operation. His name is being kept out of the press due to his status as a minor, but he goes by the online handles “White” and “breachbase.” The trail to him apparently started with a doxxing by rival hackers, who leaked his name and address as well as information about his parents online; some also claim he has amassed about $14 million from his hacking activities. Reporters were able to contact the teen’s mother at the address, a house not far from Oxford University, where she confirmed that he lived there some days prior to police moving in.
All told, police across the UK ended up making seven arrests of accused Lapsus$ hackers, all teenagers or in their early 20s. All remain free while being investigated and have yet to be formally charged. Security researchers initially suspected the group to be based in Brazil, given some clues attached to their initial attacks in Portugal and social media activity. Investigators believe at least one member is located there, whom they described as “highly skilled” and so fast at hacking that his activity appeared to be automated at first look.
The recent investigation also uncovered some new links between the Lapsus$ hackers and attacks taking place in 2021. At least one member has been linked to a July breach of video gaming company Electronic Arts, and some may have also been involved with an extortion campaign that targeted a UK mobile phone network in August.
Reckless Lapsus$ hackers left considerable trail for investigators
The Lapsus$ hackers appear to have done quite a bit to help investigators find their way to them, paying little regard to the idea of operational security in all phases of their attacks. In addition to posting about their activities on Twitter and other social media sites, the hackers reportedly broke into Zoom conference calls at the companies they had just breached to taunt employees.
Microsoft’s security team, which has been tracking the group for months, says that it has also seen the group successfully recruit insiders at the companies it attacks via use of sites like Reddit and LinkedIn. However, the rather public nature of these offers also gave security researchers plenty of material to work with in tracking the hackers down. The Microsoft team said that the Lapsus$ hackers began targeting companies in South America and the United Kingdom, but soon expanded to targets all over the world and in a broad variety of industries.
The recklessness is unsurprising given the age range of those accused, and the ultimate downfall of the group appears to have been its inability to stay out of confrontations with other hackers. The UK teenager described as the ringleader reportedly purchased a site called Doxbin last year, which is used for trading in personal information from breaches. The Lapsus$ hackers reportedly returned the site to its original owner in January of this year, but also leaked the entire contents of Doxbin to Telegram. The Doxbin community took up digital arms against the hacker, leaking his own personal information and even visiting his house at night to post videos from outside.
In addition to the age range, the combination of social engineering (Lapsus$ hackers also reportedly used phone calls to gain access to target companies) recalls the 2020 breach of Twitter and may indicate a new trend for younger criminal hackers based in the West. In 2016, the ringleader of the “Crackas With Attitude” hacking group that breached and leaked information from the FBI and the CIA director’s email account turned out to be a 16 year old living in the UK. And in 2021, a Canadian teenager was found to have used “flash loans” to defraud a decentralized finance protocol of some $16 million.
The popular focus on criminal hacking has shifted to Eastern Europe and select parts of Asia and the Middle East in the past two decades, but in the 80s and 90s it was usually the American or British teenager cast as the stereotypical cyber troublemaker. Ken Westin, Director of Security Strategy for Cybereason, thinks that security professionals may have lost sight of this potential threat: “It’s tough to know the motivation of the teen involved in this case, as many had speculated it was an organized cybercrime syndicate or potential nation state actors. However, I do feel that the security community underestimates the younger generation. We forget teens today have not only grown up with computers, but also have access to an unprecedented number of educational resources on programming and offensive security … Today, teens have seen how much money is being made in criminal hacking, in some ways they are the new rockstars. You pair this with the fact kids have been cooped up for three years often with nothing but the internet to entertain themselves and we shouldn’t be surprised we have skilled hackers. The problem is that their brains are still developing and the line between fun and crime can get blurred, where it’s common for kids to hack to gain notoriety amongst their peers, but this easily crosses over into decisions that can affect the rest of their lives.”