profile: dormant / dispersed
type: Cybercrime
threat_level: High
status: Dormant
origin: UK / Brazil — loosely organized cybercrime
last_updated: 2026-03-27

Lapsus$ Group

also tracked as: DEV-0537 (Microsoft); Strawberry Tempest (Microsoft, later naming); Slippy Spider (CrowdStrike); The Comm / Comm ecosystem (the wider network the group belonged to, see Afterlife below)

A case study in what the Cyber Safety Review Board called "exploiting systemic ecosystem weaknesses" — Lapsus$ breached NVIDIA, Microsoft, Samsung, Okta, Uber, Rockstar Games, and dozens more using almost no custom malware, relying instead on social engineering, MFA fatigue attacks, SIM swapping, and paying insiders for credentials. The group was loosely organized, operated publicly through Telegram, ran polls asking followers who to target next, and included juveniles — yet breached some of the world's most security-mature organizations. Two British members were convicted in 2023. The group is assessed as dormant since late 2022, though former members are believed to have dispersed into related groups including Scattered Spider.

attributed origin: UK and Brazil (members identified and arrested)
state affiliation: None; no evidence of nation-state or political affiliation (CSRB)
first observed: June 2021 (forum mentions); Sep–Dec 2021 (Telegram launch)
primary motivation: Notoriety, financial gain, amusement; varied by operation
last active: September 2022 (Rockstar GTA VI leak)
confirmed victims: 14+ named organizations including NVIDIA, Microsoft, Okta
csrb review: 2023, "Review of the Attacks Associated with Lapsus$ and Related Threat Groups"
convictions: Arion Kurtaj (indefinite hospital order in a secure psychiatric facility, Dec 2023); unnamed minor (UK, Aug 2023)
custom malware: Minimal; no unique tooling, opportunistic off-the-shelf tools

Overview

Lapsus$ is one of the most analytically instructive cybercrime groups in recent history — not because of technical sophistication, but because of what its success revealed about the fragility of enterprise security. A loosely organized collective that included juveniles, operating through a public Telegram channel with tens of thousands of subscribers, running polls to select its next targets, and relying almost entirely on social engineering rather than custom malware — Lapsus$ breached organizations with some of the world's most mature cybersecurity programs. The US Department of Homeland Security's Cyber Safety Review Board (CSRB) convened a formal review specifically to understand why, concluding that the group "exploited, to great and wide effect, a playbook of effective techniques" that exposed "the fragility of our interconnected digital infrastructure."

The group first appeared in forum posts under the Lapsus$ name around June 2021 and formally launched a Telegram channel between September and December 2021, initially targeting South American entities before rapidly pivoting to high-profile international companies. The Telegram channel was itself a distinctive operational choice — rather than maintaining operational security, Lapsus$ publicized its attacks in real time, shared proof of access during active intrusions, ran polls asking followers which companies to target, and directly taunted victims. In one documented case, Microsoft was able to interrupt a source code download because Lapsus$ publicly announced the compromise on Telegram before completing the exfiltration.

The group's initial access methods were consistently human-centric: MFA fatigue attacks (flooding targets with push notification requests until exhausted users approve), SIM swapping (taking over phone numbers to intercept SMS codes), help desk impersonation (calling support lines with gathered personal details to reset credentials), and direct insider recruitment (posting on its Telegram channel offering payment for employees who would provide credentials or install remote access software). These methods bypassed technical controls entirely by exploiting people, processes, and the interconnected nature of business relationships — specifically targeting business process outsourcers (BPOs), telecom providers, and support contractors rather than the final target organizations directly.

Seven people aged 16 to 21 were arrested by the City of London Police in March 2022. Arion Kurtaj, a core member known by aliases including White, Breachbase, WhiteDoxbin, and TeaPotUberHacker, was released on bail and continued hacking from a hotel room in Bicester, targeting Uber, Revolut, and Rockstar Games, before being arrested again in September 2022. Kurtaj was found unfit to stand trial because of his autism, so the jury decided only whether he had committed the acts and found that he had; in December 2023 he was sentenced to an indefinite hospital order in a secure psychiatric facility. An unnamed minor was also convicted. A Brazilian suspect was arrested in October 2022. The last message on the public Lapsus$ Telegram channel was dated March 30, 2022.

Confirmed Victims

The following organizations either confirmed a compromise or are strongly attributed as victims; all were breached between August 2021 and September 2022.

Brazil Ministry of Health
Dec 2021 — 50TB data deleted; COVID vaccination portal disrupted
Okta
Jan 2022 — Third-party support engineer account; ~2.5% of customers impacted
NVIDIA
Feb 2022 — ~1TB data; code signing certs leaked; GPU source code threatened
Samsung
Mar 2022 — Galaxy smartphone source code; ~190GB leaked
Microsoft
Mar 2022 — 37GB source code; Bing, Bing Maps, Cortana code released
T-Mobile
Mar 2022 — Source code repositories; failed attempt on FBI/DoD accounts
Globant
Mar 2022 — IT firm; internal data leaked on Telegram
Ubisoft
Mar 2022 — Internal systems; disruptive attack
Uber
Sep 2022 — Social engineering / MFA fatigue; internal systems accessed
Revolut
Sep 2022 — Financial services; breach claimed by Kurtaj post-bail
Rockstar Games
Sep 2022 — ~90 videos of GTA VI gameplay; source code threatened
LG, Vodafone, BT/EE, Mercado Libre
Various 2021–2022 — confirmed or claimed; additional victims not all publicly disclosed

Tactics, Techniques & Procedures

Lapsus$'s TTPs are almost entirely human-centric — social engineering layers applied systematically rather than technical exploits. The CSRB, NCC Group, and Microsoft all documented substantially the same playbook.

Each entry gives the closest MITRE ATT&CK Enterprise mapping, the technique as Lapsus$ used it, and what the CSRB, Microsoft, NCC Group, or Unit 42 documented about it.

T1621 — MFA Fatigue (Push Bombing)
One of Lapsus$'s most effective access techniques: sending repeated MFA push notifications to a target's mobile device until the exhausted or confused user approves one. In some cases the attackers followed up with a voice call claiming to be IT support and instructing the employee to approve the push. Lapsus$ used this in the Uber breach, calling a contractor directly while bombarding them with approval requests. The CSRB concluded that the MFA implementations most organizations had deployed were "not sufficient for most organizations or consumers" given how reliably Lapsus$ defeated them.

T1598 / T1111 — SIM Swapping
Lapsus$ first gathered basic victim information (name, phone number, and CPNI, Customer Proprietary Network Information) by means including fraudulent Emergency Disclosure Requests (EDRs) sent to service providers while posing as law enforcement, and account takeover of telecom employee accounts. With that information the group used telecom customer management tools to perform fraudulent SIM swaps, reassigning the victim's phone number to an attacker-controlled SIM so that SMS-based MFA codes and OTPs arrived at the attacker instead. The CSRB documented that the group exploited telecom industry weaknesses including point-of-sale systems and customer account management APIs. (The swap itself has no Enterprise ATT&CK technique; T1598 covers the information gathering and T1111 the interception of the resulting codes.)

T1078 — Insider Recruitment and Credential Purchase
Lapsus$ publicly advertised on its Telegram channel that it would pay employees or contractors at target organizations to hand over credentials and approve MFA prompts, or to install AnyDesk or similar remote management software on corporate workstations. Microsoft documented recruited employees and contractors at both target organizations and their suppliers and business partners. That the recruitment was run on a public channel reflects the group's complete disregard for operational security.

T1199 — Trusted Relationship: BPOs and Telcos
Lapsus$ deliberately targeted business process outsourcers (BPOs), customer support firms, and telecom providers rather than the final targets directly. The Okta breach was achieved by compromising a Sitel support engineer's account, not Okta itself. Unit 42 noted that "some victims are not the intended end-target, but are rather breached in order to gain access to their customers." This approach exploited the trusted third-party relationships that large enterprises rely on for customer support, technical help, and operational services.

T1598.004 / T1566.004 — Help Desk Social Engineering (Vishing)
Lapsus$ called target organizations' help desks and used gathered personal information (profile pictures, family details, known security recovery answers) to convince support staff to reset privileged account credentials. Microsoft documented that the group used "a native-English-sounding caller" alongside the gathered profile information to pass identity verification, answering common recovery prompts to get through security questions. The technique defeated help desk identity verification at multiple major organizations.

T1213 / T1567 / T1485 — Collaboration Tool Access, Exfiltration and Destruction
Once inside a target network, typically with the compromised credentials of a privileged employee, Lapsus$ accessed internal collaboration tools including Jira, Slack, GitHub, GitLab, Confluence, and Azure DevOps, and exfiltrated source code, internal documents, and proprietary data from them. In the Microsoft breach the group reached an Azure DevOps server and released 37GB of source code. The group also created cloud administrator accounts and, in some destructive operations, wiped virtual machine environments, destroying over a thousand VMs in one documented incident.

T1219 — Remote Access Software Abuse
AnyDesk and other remote management software were installed by recruited insiders at target organizations, giving Lapsus$ direct remote access to corporate workstations without any credential theft. This was one of the two explicit options offered to insider recruits: provide credentials and approve MFA prompts, or install remote management software so the attacker could take over an already-authenticated system. Once installed, the legitimate tool's traffic blends with normal IT administration activity.

T1589.001 — Credential Aggregation from Stealer Logs
Lapsus$ purchased and used credentials from stealer malware logs sold on underground forums, including Redline Stealer logs. These logs hold credentials harvested from infected endpoints: personal accounts that employees also use for work, recovery email addresses, and browser-saved passwords. The group often went after a victim's personal accounts first, then used that access to find business credentials or to work through corporate MFA recovery flows, since employees commonly register personal accounts or phone numbers as second factors or password recovery contacts.

Known Campaigns

Brazil Ministry of Health — Launch Attack Dec 2021

The first major publicly attributed Lapsus$ attack targeted Brazil's Ministry of Health website, taking it offline and exfiltrating and deleting 50TB of data from internal servers. Lapsus$ left a ransom message on the homepage. The attack also disabled the ConecteSUS app providing COVID vaccination certificates, disrupting international travel for Brazilian citizens. A follow-on attack hit the Argentinian e-commerce company Mercado Libre. These South American early operations established the group's operational pattern before it pivoted to high-profile international targets.

Okta — Third-Party Support Engineer Compromise Jan–Mar 2022

Okta's investigation placed the compromise in a five-day window from January 16 to 21, 2022, during which Lapsus$ controlled the account of a Sitel customer support engineer, a third-party contractor providing support on behalf of Okta. Lapsus$ did not disclose the breach until March 22, 2022, when it posted screenshots to its Telegram channel claiming access to Okta's internal systems, including Jira and Slack. Okta's response was criticized for delay: the intrusion was detected and investigated in January but not disclosed to customers until Lapsus$ forced the issue in March. The CSRB treated this as a supply chain security failure: compromising one BPO contractor's account gave the group that contractor's standing access to Okta's customer-facing support infrastructure.

NVIDIA — Code Signing Certificate and GPU Source Code Feb–Mar 2022

On February 23, 2022, NVIDIA became aware of a breach. Lapsus$ claimed to hold approximately 1TB of NVIDIA data, including proprietary GPU source code for the RTX 3090 Ti and upcoming GPU revisions, chip microarchitecture files, and, most consequentially, two of NVIDIA's code signing certificates. Both certificates had already expired, but Windows still loads drivers signed with them, so other threat actors quickly used the leaked certificates to sign malicious drivers and other malware that passed as legitimate NVIDIA software. This secondary weaponization by parties other than Lapsus$ extended the breach's real-world impact well beyond the original data theft. Lapsus$ demanded that NVIDIA open-source its GPU drivers as a condition of not leaking more data.

Microsoft — Azure DevOps Source Code Release Mar 2022

On March 20, Lapsus$ posted a screenshot of a Microsoft Azure DevOps server to its Telegram channel. Microsoft announced on March 22 that a single employee account had been compromised and that the group had gained limited access. Lapsus$ released a 37GB archive that it claimed held roughly 90% of the source code for Bing, along with partial source code for Bing Maps and Cortana. Microsoft said it was able to interrupt the download because Lapsus$ announced the compromise on Telegram before the exfiltration had completed, so the group's lack of operational security directly limited the damage. Microsoft also stated that it does not rely on the secrecy of source code as a security measure, so exposure of the code did not raise the risk to its services.

Uber — MFA Fatigue from Hotel Room Sep 2022

In September 2022, Uber suffered a breach attributed to Lapsus$, specifically to Arion Kurtaj, who was on police bail and under restrictions at the time, staying in a hotel in Bicester after being doxxed. The attacker obtained an external contractor's Uber credentials (Uber assessed they were likely bought on the dark web after the contractor's personal device was infected with infostealer malware), then called the contractor posing as Uber IT support while flooding their phone with MFA push notifications until one was approved. Once inside, the attacker found a network share containing PowerShell scripts with hard-coded credentials for an administrative account in Uber's privileged access management (PAM) system, and used that account to reach AWS, Google Cloud, Slack, and Uber's HackerOne bug bounty program. The attack showed that Kurtaj was still hacking actively despite bail conditions and police monitoring.

Rockstar Games — GTA VI Footage Leak Sep 2022

On September 18, 2022, approximately 90 videos of pre-release Grand Theft Auto VI gameplay footage appeared on GTAForums. The leak was attributed to Kurtaj, who accessed Rockstar Games' Slack workspace from the hotel room in Bicester — reportedly using only a mobile phone, an Amazon Fire Stick, and a hotel TV as a monitor, as police had confiscated his computer hardware. The GTA VI leak was one of the largest gaming industry data breaches in history by media impact. Kurtaj was arrested days later. Rockstar confirmed the breach. Further source code releases for GTA V and potentially GTA VI were threatened.

Afterlife — Scattered Spider and The Comm

Lapsus$'s legacy extends significantly beyond the group's own active period. The tactics pioneered or popularized by Lapsus$ — particularly MFA fatigue and social engineering of help desks — were directly adopted by Scattered Spider (also known as UNC3944 or 0ktapus), which the CSRB identified as part of the same loosely connected English-speaking cybercriminal ecosystem. Both groups are part of a larger network called "The Comm" — a predominantly English-speaking, international cybercrime ecosystem whose members are primarily teens and young adults. In August 2025, a new collective called Scattered LAPSUS$ Hunters (SLH) emerged, representing a strategic partnership between Lapsus$, Scattered Spider, and ShinyHunters — operating 16 Telegram channels and adopting an extortion-as-a-service model. The CSRB noted that if well-resourced organizations were breached by a loosely organized group including juveniles, defending against well-resourced nation-state actors and cybercrime syndicates requires fundamental changes to identity security infrastructure.

Mitigation & Defense

The CSRB's 2023 report generated specific recommendations targeting the systemic weaknesses Lapsus$ exploited. These are the highest-priority controls for organizations seeking to defend against Lapsus$-style attacks and the successor groups that use the same playbook.

  • Replace SMS and Voice-Based MFA with FIDO2 / Phishing-Resistant Authentication: The CSRB's single most emphasized recommendation. SMS OTPs and push notifications can be defeated by SIM swapping and MFA fatigue respectively. FIDO2/WebAuthn hardware tokens and passkeys are resistant to both — they require physical possession of the key and cryptographically bind authentication to the specific origin domain, preventing both interception and remote approval. Organizations should implement FIDO2 for all privileged access and for any account that provides access to sensitive internal systems.
  • Enable Number Matching and Additional MFA Context: Where FIDO2 rollout is not yet complete, enable number matching in push-based MFA apps — requiring the user to type the number shown on the login screen into the authenticator app before approving. This prevents approval of push notifications received without a corresponding login attempt. Additionally, configure MFA to display the geographic location and device making the request — anomalous request locations should prompt employees to deny and report.
  • Treat Help Desk Identity Verification as a Critical Security Layer: Lapsus$ impersonated employees at help desks using gathered personal information to reset privileged accounts. Implement non-spoofable verification for all MFA resets and password changes — callbacks to phone numbers alone are insufficient since those numbers can be SIM-swapped. Require manager approval for privileged account resets, use video verification, or implement hardware token verification procedures. Train support staff specifically on social engineering recognition.
  • Extend Security Program Coverage to BPO and Contractor Environments: The Okta breach succeeded because a third-party support contractor was the attack surface. The CSRB recommended that organizations design security programs covering their own IT environments and the vendors and contractors that host critical data or maintain direct network access. Impose security baseline requirements on BPOs and support contractors, include them in security audits, and implement least-privilege access so contractor accounts cannot access more than their specific support function requires.
  • Build Telecom Resilience Against SIM Swapping: The CSRB recommended treating SIM swaps as highly privileged actions requiring strong identity verification by default. Telecom providers should enforce multi-step identity verification before completing SIM swaps. Enterprises should encourage employees handling sensitive accounts to set SIM swap locks with their mobile carriers (port freeze / SIM lock features available from major carriers) and avoid using phone numbers as primary account recovery mechanisms.
  • Anomaly Detection on Collaboration Tool Access: Lapsus$ exfiltrated data from Jira, Slack, GitHub, Azure DevOps, Confluence, and other collaboration platforms once inside networks. Implement behavioral analytics monitoring for unusual access patterns — bulk downloads, access to source code repositories outside business hours, access from unusual geographic locations or device types. Alert on creation of new admin accounts, particularly in cloud environments.
  • Fraudulent Emergency Disclosure Request (EDR) Defense: Lapsus$ obtained victim information through fraudulent EDRs submitted to legitimate platforms. Organizations receiving sensitive account requests via apparent law enforcement channels should implement secondary verification procedures — contacting law enforcement agencies through official channels to verify the legitimacy of requests before complying with data disclosures.
  • Rate-Limit and Alert on MFA Push Notifications: Implement rate limiting on MFA push notifications — after a threshold of unacknowledged pushes, lock the account and alert the security team. Repeated MFA push events without a corresponding legitimate login attempt in corporate logs are a detectable signal. Train employees that receiving unexpected MFA push notifications should be treated as a potential attack indicator requiring immediate reporting.
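The FIDO2 recommendation above rests on one mechanism: the authenticator signs the origin the browser is actually on, together with a server challenge and a monotonic counter, and the relying party refuses anything that does not match. The script below is an added example (not the CSRB's, the WebAuthn specification's, or any vendor's code) showing those relying-party checks and why each Lapsus$ technique fails against them: a reverse-proxy phish on a look-alike domain, a replayed assertion, and a cloned credential. `RP_ID`, `RP_ORIGIN`, the look-alike domain and `DemoAuthenticator` are assumed names, and the "signature" is HMAC-SHA256 with a per-credential secret, a stand-in for the ECDSA key a real token holds, so the demo runs on the standard library alone; everything the signature covers is laid out as WebAuthn specifies.

```python
"""Relying-party verification of a WebAuthn-style assertion (added example).
The signature is HMAC-SHA256 over a per-credential secret as a stand-in for
the authenticator's ECDSA key; the signed layout (rpIdHash, flags, counter,
hash of clientDataJSON carrying type/challenge/origin) follows WebAuthn."""
import base64
import hashlib
import hmac
import json
import os
import struct

RP_ID = "login.example.com"              # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"  # the only origin the RP will accept
FLAG_UP, FLAG_UV = 0x01, 0x04            # user present / user verified


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class DemoAuthenticator:
    """Stand-in for a hardware token: per-credential secret plus a signature counter."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.secret = os.urandom(32)   # a real token keeps an ECDSA private key here
        self.counter = 0

    def get_assertion(self, challenge: bytes, origin: str) -> dict:
        # The browser, not the user or the page, fills in the origin it is on,
        # so a phishing site can only ever obtain an assertion bound to itself.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
            separators=(",", ":")).encode()
        self.counter += 1                       # a physical touch per assertion: nothing to approve remotely
        auth_data = (hashlib.sha256(self.rp_id.encode()).digest()
                     + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", self.counter))
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data,
                "signature": hmac.new(self.secret, signed, hashlib.sha256).digest()}


def verify_assertion(assertion: dict, expected_challenge: bytes, rp_id: str,
                     rp_origin: str, credential_secret: bytes, last_counter: int):
    """Relying-party checks in the order WebAuthn prescribes; returns (ok, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed assertion)"
    if cd.get("origin") != rp_origin:           # the phishing-resistance check
        return False, f"origin mismatch: {cd.get('origin')!r}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if ad[32] & (FLAG_UP | FLAG_UV) != (FLAG_UP | FLAG_UV):
        return False, "user presence/verification not asserted"
    if struct.unpack(">I", ad[33:37])[0] <= last_counter:
        return False, "counter did not increase (cloned or replayed credential)"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Legitimate login, adversary-in-the-middle phish on a look-alike domain, and a replay."""
    token = DemoAuthenticator(RP_ID)
    challenge = os.urandom(32)
    legit = token.get_assertion(challenge, RP_ORIGIN)
    ok_legit, _ = verify_assertion(legit, challenge, RP_ID, RP_ORIGIN, token.secret, 0)
    # A reverse proxy on an assumed look-alike domain relays the real challenge;
    # the victim touches the key, but the browser signs the proxy's origin.
    phished = token.get_assertion(challenge, "https://login-example.com")
    ok_phish, why_phish = verify_assertion(phished, challenge, RP_ID, RP_ORIGIN, token.secret, 1)
    # The legitimate assertion captured earlier, replayed against a fresh challenge.
    ok_replay, why_replay = verify_assertion(legit, os.urandom(32), RP_ID, RP_ORIGIN, token.secret, 2)
    return {"legit": ok_legit, "phished": ok_phish, "phished_reason": why_phish,
            "replay": ok_replay, "replay_reason": why_replay}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Contrast this with an SMS or push factor: nothing in a six-digit code or an "Approve" tap is bound to the site the user is on or to a single login attempt, which is exactly the gap SIM swapping and push bombing exploit. Note the counter check is a cloning heuristic only; some authenticators never increment it.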
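The T1621 entry above and the rate-limiting bullet here describe the same detectable pattern: a burst of push challenges to one user, often with denials and timeouts, followed by a single approval. The script below is an added example (not the CSRB's or any vendor's code) implementing that detection over identity-provider logs. The log format (one JSON object per line with `ts`, `user`, `event`, `src_ip`), the event names `push_sent` / `push_denied` / `push_timeout` / `push_approved`, and the threshold are assumptions to map onto your own IdP's events; `SAMPLE_LOG` is constructed for the demo.

```python
"""Sliding-window detection of MFA push bombing (ATT&CK T1621) over
identity-provider logs.  Added example; the JSON-lines format, event names
and SAMPLE_LOG are assumptions constructed for the demo."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_THRESHOLD = 5            # pushes inside WINDOW that count as bombing
WINDOW = timedelta(minutes=10)
REJECTED = {"push_denied", "push_timeout"}

# Constructed sample: bob logs in normally; alice receives six pushes in
# three minutes, rejects three of them, then approves the last one.
SAMPLE_LOG = """\
{"ts": "2022-09-15T21:58:10Z", "user": "bob",   "event": "push_sent",     "src_ip": "198.51.100.4"}
{"ts": "2022-09-15T21:58:19Z", "user": "bob",   "event": "push_approved", "src_ip": "198.51.100.4"}
{"ts": "2022-09-15T22:01:03Z", "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:01:31Z", "user": "alice", "event": "push_denied",   "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:01:40Z", "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:02:12Z", "user": "alice", "event": "push_timeout",  "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:02:15Z", "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:02:50Z", "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:03:21Z", "user": "alice", "event": "push_denied",   "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:03:25Z", "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:04:02Z", "user": "alice", "event": "push_sent",     "src_ip": "203.0.113.7"}
{"ts": "2022-09-15T22:04:40Z", "user": "alice", "event": "push_approved", "src_ip": "203.0.113.7"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with aware datetimes, sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_bombing(events, threshold=BURST_THRESHOLD, window=WINDOW) -> list:
    """Single pass with a per-user sliding window.  Two rules:
    push_bombing     - at least `threshold` pushes to one user inside `window` (medium)
    fatigue_approval - an approval while that user's burst is still open (high):
                       this is the moment the attacker gets in."""
    recent = defaultdict(deque)   # user -> (ts, event) pairs inside the window
    burst_open = set()            # users currently under a burst
    alerts = []
    for rec in events:
        user, ts, ev = rec["user"], rec["ts"], rec["event"]
        q = recent[user]
        while q and ts - q[0][0] > window:
            q.popleft()
        if not any(e == "push_sent" for _, e in q):
            burst_open.discard(user)          # burst has aged out of the window
        q.append((ts, ev))
        pushes = sum(1 for _, e in q if e == "push_sent")
        rejections = sum(1 for _, e in q if e in REJECTED)
        if ev == "push_sent" and pushes >= threshold and user not in burst_open:
            burst_open.add(user)
            alerts.append({"rule": "push_bombing", "severity": "medium", "user": user,
                           "ts": ts.isoformat(), "pushes": pushes, "rejections": rejections,
                           "src_ip": rec["src_ip"]})
        elif ev == "push_approved" and user in burst_open:
            alerts.append({"rule": "fatigue_approval", "severity": "high", "user": user,
                           "ts": ts.isoformat(), "pushes": pushes, "rejections": rejections,
                           "src_ip": rec["src_ip"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the sample the first rule fires on alice's fifth push and the second on her approval, with the three rejections carried in the alert so an analyst sees the fatigue pattern rather than a lone approval. In production the `fatigue_approval` alert is the one to page on and to tie to an automatic session revocation; the medium alert is the point at which the bullet above suggests locking the account.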
analyst note

Lapsus$ is operationally dormant and its core members are arrested or convicted. Its significance is primarily as a case study rather than an ongoing threat. The CSRB framed the core lesson well: if organizations with some of the world's largest and most mature security programs were defeated by social engineering, MFA fatigue, and insider payments deployed by teenagers with no custom malware, the foundational assumptions of enterprise security need reexamination — particularly the assumption that deployed MFA is adequate for protecting privileged access. The specific answer the CSRB prescribed — FIDO2/phishing-resistant authentication — remains underdeployed across enterprise environments years after the Lapsus$ attacks. Meanwhile, Scattered Spider directly inherited the Lapsus$ playbook and used it to breach MGM Resorts and Caesars Entertainment in 2023, demonstrating that the systemic weaknesses Lapsus$ exploited were not corrected in the two years following the original attacks. The techniques have now been institutionalized within The Comm ecosystem and are expected to remain a primary attack vector for English-speaking cybercrime groups for the foreseeable future.
