Skip to main content

In this post, we take a close look at international teenage cyber-crime gang, Lapsus$. We dissect how these pimply evil geniuses stole millions through ransomware, extortion and cryptocurrency fraud whilst their parents thought they were doing homework.

How much of a cyber threat is the Lapsus$ group?

It sounds like the plot of a far-fetched Hollywood film. A gang of teenage kids, working from their bedrooms on computers bought by their parents, amassed vast digital wealth through ransomware and extortion. They committed million-dollar crimes against prominent organisations, stole directly from cryptocurrency accounts, and pulled it all off while their parents thought – or so they claimed – that they were just doing their homework and playing computer games.

How did they do it?

Social engineering, such as recruiting and bribing relatively low-level insiders, appears to have been the group’s primary modus operandi, according to Microsoft, though the attacks may also have uncovered some technological security loopholes in the company’s defences.

This underlines the need for constant cyber threat assessment and employee education within businesses and organisations of all sizes. Though some members of the group have been apprehended, the threat may not be over because the group has built up such a large subscriber base on Telegram and because of the information taken in earlier attacks.

Who are Lapsus$?

According to reports, Lapsus$ is a group of teenage hackers who commit cybercrimes and are based primarily in South America. However, the group’s reputed multi-millionaire teen leader lives in Oxford, right here in the UK.

In the last year or two, the group’s notoriety has grown as a result of repeated attacks on high-profile targets using the ransomware and data extortion techniques for which it is known. Despite the fact that they have been labelled “inexperienced and unprofessional” by tech and security pundits, they have increased their global reach and caused a great many significant problems for several large organisations.

The money they allegedly stole is likely the spoils of their extortion activities, and emptying cryptocurrency assets from individual user accounts at cryptocurrency exchanges.

What is social engineering and how does Lapsus$ use it?

The goal of social engineering is to get access to your computer by any means necessary, including but not limited to manipulation, influence, or deception. It’s possible the hacker will utilise some combination of the following methods to get unauthorised access: phone, email, regular mail, or personal contact. For instance, there’s phishing, spear phishing, and CEO fraud.

Online reports have suggested that Lapsus$ uses social engineering to obtain access to organisations’ systems before extorting money from them. Bribing and deceiving workers at customer service contact centres and help desks are cited as examples. Microsoft, which was attacked, revealed the group’s methods in a blog post, saying that Lapsus$ had successfully secured access to target firms through recruited workers, and through the staff of their suppliers or business partners.

Telegram Group

Members of the hacker collective Lapsus$ are rumoured to be quite active on Telegram. This instant messaging app, founded by Russian brothers Pavel Durov and Nikolai Durov is the most popular social app in most of Eastern Europe with a group of roughly 45,000 subscribers. Since at least November 2021, the Telegram group and likely other social media platforms have been utilised for recruitment to Lapsus$.

Who’s running Lapsus$ behind the scenes?

There are rumours that a 16-year-old youngster from Oxford going by the hacker handles “White” or “Breachbase” is the leader of Lapsus$. There are claims that the autistic adolescent has made a fortune hacking, to the tune of $14 million (£10.6 million) in bitcoin.


After allegedly mismanaging the Doxbin website he owned and leaking the Doxbin data set to Telegram, the identity of the teen alleged leader was discovered. As a result, indignant users of the site, which allows users to trade and discover biographical details about one another, retaliated by “doxing” him, or making public details about his life that had previously been kept private. Reports also suggest that cyber-security researchers like Unit 221B have been keeping tabs on the purported leader of Lapsus$ and have known who he really is for close to a year.

Is his father really unaware?

According to reports that surfaced after the doxing, the ten leading Lapsus$ had no idea his son was suspected of hacking and had assumed that his son’s protracted computer use was due to his passion for video games.

Attempted cyber attacks by Lapsus$

It appears that Lapsus$ attacks and targets a wide variety of people and organisations, including Okta, a cyber security firm. According to reports, data belonging to at least 366 of its customers was compromised in a January hack, which apparently involved a third-party contractor. The issue led to a 9 percent drop in the company’s stock price once the news broke.

According to Microsoft, the organisation acquired relatively limited access after compromising a single account. Microsoft has published an in-depth piece regarding the Lapsus$ group, which they refer to as DEV-0537.

Samsung admitted just recently that the hacking organisation had broken into its systems and stolen code essential to the functioning of Galaxy smartphones. According to reports, Lapsus$ infiltrated NVIDIA’s private network, acquired confidential information (including hashed login passwords and trade secrets), and then exposed those certificates to the public. The French videogame publisher Ubisoft has also been attacked.

Recent Arrests have been made

After an investigation, City of London Police reportedly arrested seven adolescents on suspicion of involvement with the Lapsus$ hacking organisation. It is unclear, however, if the presumed 16-year-old leader was included or whether the group is continuing its attacks.

Need cyber security help for your business?

Flywheel supports several hundred UK organisations by managing their cyber security solutions including backups, anti malware and anti ransomware, and disaster recovery solutions.

Find out more by reading our cyber security recommendations for businesses, or get in touch using our contact form and tell us what you need.

About us

Flywheel IT Services has teams of highly qualified and experienced IT engineers and consultants around the UK. For over 20 years we have partnered with businesses, schools and major construction companies to guide and support their projects, tech strategies and day-to-day operations.

In an average year we help 200 businesses use technology for fast-track growth, we design sustainable ICT infrastructures for 100 new schools and commercial buildings, and we nurture the ICT resources and dreams of 33,000 school children.

Find out more

Let’s get started!