Lapsus$: The Teenage Hackers Sowing Global Chaos

Operating within the clandestine realms of cyberspace since at least 2019, Lapsus$ is a shadowy hacker collective whose exploits, organisational acumen and financial resources have made it a feared global group, despite the fact that its members are believed to be mere teenagers.

Despite the organisation’s relatively young age, its exploits are already etched into the annals of cyber history, marked by attacks on the digital domains of governments and corporate giants. These audacious assaults stand as a testament to Lapsus$’s intimate acquaintance with the dark arts of malware deployment and encryption wizardry. The deployment of advanced malware, including ransomware and insidious trojans, facilitates their intrusion into their victims’ networks and provides them with a stranglehold over their ill-fated targets.

In addition to this, the group has engaged in a number of clever real-world social engineering techniques to aid their hacking attempts. Telegram group chats, revealed in a recent case, show the gang instructing someone they'd hired to call the Nvidia staff help desk pretending to be an employee in an attempt to get login details from the firm. In other hacks, the gang spammed employee phones late at night with access approval requests until staff finally said yes. Often they have been able to infiltrate their targets through the simple use of a web of insider contacts, which they developed through online chats and social media or, allegedly, even through bribes.
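A defender's view of the late-night approval spam described above, as an added example that is not part of the original article: it scans MFA push logs for an approval that follows a burst of rejected or ignored prompts for the same user. The log format, result values, thresholds and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample MFA push log (not real data): (ISO timestamp, user, result).
SAMPLE_EVENTS = (
    [(f"2022-03-10T01:{m:02d}:00", "alice", r) for m, r in
     [(2, "denied"), (4, "timeout"), (5, "denied"), (7, "timeout"),
      (9, "denied"), (12, "denied"), (16, "approved")]]
    + [("2022-03-10T09:00:00", "bob", "denied"),      # single mistaken tap
       ("2022-03-10T09:01:00", "bob", "approved")]
    + [(f"2022-03-10T{h}:00:00", "dave", "timeout") for h in range(10, 15)]
    + [("2022-03-10T14:05:00", "dave", "approved")]   # rejections spread over hours
)

REJECTED = {"denied", "timeout"}

def find_push_fatigue(events, window=timedelta(minutes=30), min_rejected=5,
                      night=(23, 6)):
    """Flag approvals preceded by a burst of rejected pushes for the same user."""
    alerts, recent = [], {}          # recent: user -> timestamps of rejected pushes
    for ts_raw, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        # Keep only this user's rejections that still fall inside the window.
        history = [t for t in recent.get(user, []) if ts - t <= window]
        if result in REJECTED:
            history.append(ts)
        elif result == "approved":
            if len(history) >= min_rejected:
                alerts.append({
                    "user": user,
                    "approved_at": ts_raw,
                    "rejected_before": len(history),
                    # Prompts sent while the user is likely asleep are more suspicious.
                    "off_hours": ts.hour >= night[0] or ts.hour < night[1],
                })
            history = []             # an approval ends the burst
        recent[user] = history
    return alerts

if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

On the constructed log only the first user is flagged; a single mistaken denial and rejections spread across several hours stay below the threshold.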

Yet, it is not just their cunning strategies that have confounded authorities. Lapsus$ employs encryption and a range of obfuscation techniques to obscure their digital tracks, making detection and pursuit difficult.

Together, these techniques have yielded an alarmingly large number of successful strikes against high-profile entities, often costing their targets millions.

A range of crippling strikes

In a striking display of their cunning, Lapsus$ orchestrated a meticulous attack on the United States Department of Defense in 2020, in which, through a combination of hacking skills and social engineering, they managed to infiltrate the bastion of national security. In the wake of this audacious breach, they extracted a trove of sensitive information, and the havoc wrought upon the agency’s core operations was nothing short of seismic.

Lapsus$ does not, however, simply target government institutions. Several major banks have over the years found themselves haemorrhaging millions of dollars after becoming the target of the Lapsus$ hackers, and in March 2022 Lapsus$ climbed to the top of the pile in terms of global infamy, after a series of bold cyberattacks managed to ensnare industry stalwarts like Microsoft, Nvidia, and Samsung in their digital clutches.

In yet another brazen incursion attributed to Lapsus$, sensitive personal data belonging to countless patients was stolen from a major healthcare provider, triggering not only a financial catastrophe for that healthcare entity, but also raising profoundly disquieting questions regarding the sanctity of personal data and the erosion of privacy in the digital age.

Throughout, their true motives and end game have remained unclear. Sometimes, they engage in demands for substantial ransoms in exchange for safeguarding stolen data, and at other times they simply seem content with baffling cybersecurity experts and revealing information stolen from the most difficult-to-reach servers.

One attack, in which the group commandeered the control systems of a major oil refinery, plunging it into a crippling shutdown and inflicting severe financial losses, seems to hint that at least some of their motivation lies in the chaos that can be caused by a major attack.

The Elusive Quarry: The Global Pursuit of Lapsus$

Some Lapsus$ members have recently made errors that saw them taken into custody. In March 2022, they attacked a website infamous for doxxing and released their private information. In return, the website provided London’s Metropolitan Police Service with information that led to the arrests of seven individuals ranging in age from 16 to 21. Only two of those apprehended were eventually charged and convicted.

Some of these charges are linked to a hack made against Rockstar studios, which saw 18-year-old Arion Kurtaj from Oxford, England, post a message on the company’s Slack messaging service to all employees, stating, “I am not a Rockstar employee, I am an attacker.”

He then told employees he had downloaded all the data for the unreleased game Grand Theft Auto 6 and threatened, “If Rockstar does not contact me on Telegram within 24 hours I will start releasing the source code”. To prove his point, 90 video clips of unfinished gameplay for the highly anticipated new game were also published on a fan forum under the username TeaPotUberHacker.

These convictions have, however, failed to impact Lapsus$’s operations significantly, and the group continues to exploit and publicly release their victims’ data. Despite the glare of the global spotlight and the unyielding efforts of both law enforcement and cybersecurity experts, Lapsus$ maintains its relentless stride, a looming spectre that casts a long shadow over governments and corporations worldwide.