LAPSUS$ is a cybercrime group of extreme opposites. Their methods of attack are incredibly brazen, with no attempt made to cover their tracks; they even go so far as to advertise attacks ahead of time across their various Telegram and email channels.
Now, their public Telegram channel has over 40,000 members and offers regular polls on which company they’ll hit next.
But they’ve also made some severe miscalculations, including a baffling misunderstanding of Nvidia’s corporate firewalls. Regularly described as competent and incompetent at the same time, the group is claimed by some to be an international cybercrime operation led by a teenager.
From their first breach in December 2021, the group has continued to make waves in the cybercriminal community.
What’s the secret to their lucrative low-code crime? And what is data security, in the face of a $20,000 bribe?
High Profile Hit List
LAPSUS$ made their debut hit with an attack on the Brazilian government at the end of 2021, exposing the COVID-19 vaccination records of millions of Brazilians.
Shortly thereafter, a small number of media outlets started reporting on this new threat actor, where LAPSUS$ were primarily lampooned as “complete amateurs”.
As if to prove a point, LAPSUS$ launched into a high-profile spree of extortion: March 2022 saw an explosion in their activity. They started the month off strong with a remarkably successful hit on Nvidia, siphoning off a terabyte of data, including data on all of Nvidia’s recent GPU designs and hardware.
They then threatened to leak all of this confidential data unless Nvidia made their drivers open source. This would allow them to circumvent the crypto-mining stopgaps that Nvidia placed in their more powerful graphics cards.
During this process, LAPSUS$ claimed that Nvidia “hacked [them] back”, disabling one computer in use by the group. However, this turned out to simply be Nvidia’s automated data encryption kicking in. The leak also allowed other attackers to sign malware with Nvidia’s leaked code-signing certificates, bypassing most pre-installation Windows security features.
Following the Nvidia leak, LAPSUS$ struck Vodafone on 10 March, Ubisoft on the 15th, and Microsoft on the 22nd, usually following the same rough pattern of infiltration and coercion.
Modes of Attack
Though they are a highly dangerous threat actor, they are not technically a ransomware group. Ransomware groups create their own ransomware strains that all follow similar methods of infiltration and attack. Instead of lines of code, however, LAPSUS$ take advantage of the major weakness in every organization: human employees.
LAPSUS$ are incredibly adept at recruiting company insiders. They’ve used this tactic since at least late 2021, and it follows a similar pattern to their Vodafone hack. A core LAPSUS$ member such as the user WhiteDoxbin first posts a recruitment message, on Reddit, for example. This message includes a light description of an employee’s responsibilities and stresses how the job is ‘low risk’ before offering a mind-boggling sum of money as payment. AT&T, T-Mobile and Verizon insiders were offered over $20,000 a week. Once they’ve found a willing employee, LAPSUS$ gains elevated access through hijacked credentials and two-factor authentication.
There’s also evidence that the group exploits the tenuous relationship between companies and their third-party IT service providers. For example, a native English speaker will call a third-party helpdesk, assuming the identity of an infiltrated client. Using their highly-paid inside source, they’ll know the answers to most common security questions.
Once they’ve gained access to a compromised account, they begin exfiltrating company data to their own server. In the age of ever-more tangled webs of cyber warfare, LAPSUS$ makes a refreshing change. Their tactics are purely money-making – no politics involved, if the group itself is to be believed.
Hacker Beef: Doxbin
Remember WhiteDoxbin? Considered the ringleader of LAPSUS$, he’s been most visible as its lead recruiter. The second half of his username, ‘Doxbin’, refers to the act of doxing: online users retrieving the private data of an individual, such as their phone number, and releasing it publicly. Doxing is relatively common in the more unpleasant corners of the world wide web, and the ‘Doxbin’ site is a comprehensive archive of most doxes committed.
This is quite a useful resource for criminals looking to beef up their databases of victims’ contacts. So, in 2019, WhiteDoxbin purchased the site from the previous owner ‘kt’. Unfortunately, WhiteDoxbin was too busy committing international cybercrime and failed to maintain the site to its previous owner’s standards. This angered most of the Doxbin user base; WhiteDoxbin eventually caved to the incessant whining and sold the site back to the previous owner.
However, not before leaking the entire public and private dox database onto the LAPSUS$ Telegram channel. Unsurprisingly, this failed to placate the community, who responded with an incredibly aggressive doxing campaign. They gained not only his contact information, but the address of his mother, school and the IP address of every single device he owns.
You may have noticed there’s no inclusion of his own address – that’s because he’s a 16-year-old. When irate doxers turned up to his mother’s house asking for him, Arion Kurtaj fled to Spain.
However, it has been confirmed that he was brought back to the UK for trial, as one of the seven people arrested in connection with LAPSUS$.
Since attacking Microsoft in March, the group has come under increasing scrutiny from private companies and public authorities.
Stopping a Similar Breach
Even though LAPSUS$ appears to be exiting the cyber security scene with as big a bang as it entered, their methodology has proved incredibly potent and will likely become a staple of cyber extortion going forward.
There is no singular cybersecurity solution to the problem of employees leaking data. However, data privacy can be actively reinforced through two methods: access control and data protection.
Access control limits access to data on a zero-trust model: each employee should only have access to the minimum amount of data they require. All other private data should either be inaccessible, or available on a request-only basis with mandatory two-factor authentication.
Data protection ensures that, even if an attacker gains access to data, it remains illegible. This is achieved through encryption, and through data loss prevention mechanisms that stop users from transferring sensitive data to external servers.
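A minimal model of the access-control half of this advice as it would be enforced in code, added here as an example (not from the original article): least-privilege role grants, request-only data classes that need an approved request plus MFA, and a check over the resulting denials that flags an account probing for data its role never needs. The roles, data classes and session fields are constructed assumptions.

```python
"""Default-deny authorization: least-privilege role grants plus request-only data
classes that require an approved request AND MFA. Constructed example policy."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed policy: each role is granted only the data classes its job needs.
ROLE_GRANTS: Dict[str, Set[str]] = {
    "helpdesk": {"ticket"},
    "engineering": {"ticket", "source"},
}
# Never granted by role alone: an approved request and MFA are both required.
REQUEST_ONLY: Set[str] = {"gpu_design", "customer_pii"}


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool                      # MFA completed for this session
    approved_requests: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(session: Session, data_class: str) -> Decision:
    """Return an access decision; anything not explicitly granted is denied."""
    if data_class in REQUEST_ONLY:
        if data_class not in session.approved_requests:
            return Decision(False, "no approved access request")
        if not session.mfa_verified:
            return Decision(False, "MFA required")
        return Decision(True, "approved request with MFA")
    if data_class in ROLE_GRANTS.get(session.role, set()):
        return Decision(True, "within role minimum")
    return Decision(False, "outside role minimum")


def flag_probing(attempts: List[Tuple[Session, str]], threshold: int = 3) -> Set[str]:
    """Users whose denied requests for request-only data reach the threshold;
    a valid account repeatedly asking for data its role never needs is the kind
    of signal a hijacked or recruited account leaves in an audit log."""
    denials: Counter = Counter()
    for session, data_class in attempts:
        if data_class in REQUEST_ONLY and not authorize(session, data_class).allowed:
            denials[session.user] += 1
    return {user for user, n in denials.items() if n >= threshold}
```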
TechnologyHQ is a platform about business insights, tech, 4IR, digital transformation, AI, Blockchain, Cybersecurity, and social media for businesses.