Lapsus$

Formation: 2021
Founder: Arion Kurtaj
Type: Cybercrime gang
Headquarters: Unknown
Region: International
Methods: Spearphishing, SIM swapping, recruitment of accomplices via social media, extortion, hacking
Membership: 7 (March 2022 estimate)
Official language: English
Affiliations: Unknown

Lapsus$, stylised as LAPSUS$ and classified by Microsoft as Strawberry Tempest,[1] is an international extortion-focused[2] hacker group known for its cyberattacks against companies and government agencies.[3][4] The group was active in several countries, and members were arrested in Brazil and the UK in 2022.[5] According to City of London Police, at least two of the members were teenagers.

Lapsus$ uses a variety of attack vectors, including social engineering, MFA fatigue, SIM swapping,[6] and targeting suppliers. Once the group has obtained the credentials of a privileged employee within the target organisation, it attempts to extract sensitive data through a variety of means, including remote desktop tools. Attempts at extortion follow. Initially, the messaging app Telegram was used for communications with the public, including recruitment and posting sensitive data taken from victims.[7]
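As an added example (not from the article or any cited source), the following defender-side check targets the MFA-fatigue vector described above: it scans constructed push-notification log lines for a user who received a burst of prompts in a short window and finally approved one after earlier denials. The log format, field names and event values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push-notification log (not real data): timestamp, user, event.
SAMPLE_LOG = """\
2022-03-20T02:14:05Z alice push_sent
2022-03-20T02:14:09Z alice push_denied
2022-03-20T02:14:31Z alice push_sent
2022-03-20T02:14:40Z alice push_denied
2022-03-20T02:15:02Z alice push_sent
2022-03-20T02:15:10Z alice push_denied
2022-03-20T02:15:44Z alice push_sent
2022-03-20T02:15:50Z alice push_approved
2022-03-20T09:00:00Z bob push_sent
2022-03-20T09:00:07Z bob push_approved
"""

def parse_log(text):
    """Parse 'timestamp user event' lines into sorted (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return sorted(events)

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Flag users who received >= threshold push prompts inside any sliding window.

    Returns {user: {"prompts": peak prompts in one window, "denials": total denials,
    "approved_after_denials": True if the last prompt was approved after earlier denials}}.
    """
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))
    flagged = {}
    for user, evs in by_user.items():
        sent = [ts for ts, ev in evs if ev == "push_sent"]
        peak, start = 0, 0
        for end in range(len(sent)):  # sliding window over prompt timestamps
            while sent[end] - sent[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue  # normal prompt volume for this user
        denials = sum(1 for _, ev in evs if ev == "push_denied")
        approved_last = evs[-1][1] == "push_approved"
        flagged[user] = {"prompts": peak, "denials": denials,
                         "approved_after_denials": denials > 0 and approved_last}
    return flagged
```

A burst of prompts that ends in an approval after several denials is the signature worth alerting on, since it suggests the account holder eventually gave in rather than initiated the login.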

The first major cyberattack attributed to Lapsus$ was against the Brazilian Health Ministry's computer systems in December 2021.[8] Lapsus$ gained notoriety for a series of cyberattacks against large tech companies, including Microsoft, Nvidia, and Samsung. Following these attacks, the City of London Police announced that it had made seven arrests in connection with a police investigation into Lapsus$.[9] Although the group had been considered inactive by April 2022, it is believed to have re-emerged in September 2022 with a series of data breaches against various large companies through a similar attack vector, including Uber and Rockstar Games, followed by further arrests by City of London Police and Brazilian police.[5] The group appears to have become inactive after September 2022, with members perhaps dispersing to other groups[5] and two British members being convicted.[10] One of the group's founding members, Arion Kurtaj, was ordered to remain indefinitely in a secure psychiatric facility.[11]

  1. ^ "DEV-0537 criminal actor targeting organizations for data exfiltration and destruction". Microsoft Security Blog. 22 March 2022. Retrieved 24 March 2022.
  2. ^ "Defending against attacks". Security Insider. Microsoft Security. 22 August 2022. Retrieved 8 October 2022.
  3. ^ Named reference "ArsInfo" (its definition is not present on this page).
  4. ^ Named reference "SamsungForbes" (its definition is not present on this page).
  5. ^ a b c Named reference "CSRB23" (its definition is not present on this page).
  6. ^ Goodin, Dan (18 November 2023). "The FCC says new rules will curb SIM swapping. I'm pessimistic". Ars Technica. Retrieved 19 November 2023.
  7. ^ Named reference "Krebs" (its definition is not present on this page).
  8. ^ "Brazil health ministry website hit by hackers, vaccination data targeted". Reuters. 11 December 2021. Retrieved 24 March 2022.
  9. ^ Peters, Jay (24 March 2022). "Seven teenagers arrested in connection with the Lapsus$ hacking group".
  10. ^ "Lapsus$: Court finds teenagers carried out hacking spree". BBC News. 23 August 2023. Retrieved 23 August 2023.
  11. ^ Named reference ":1" (its definition is not present on this page).