Lapsus$ Group Cyberattacks: Methods, Motives, & Timeline

Lapsus$ is a hacker collective that launched a series of high profile cyberattacks, starting in late 2021. They initially targeted South American companies, before branching out to demand ransoms from increasingly high profile targets in 2022, including Nvidia, Samsung, and Microsoft. After a quiet summer, they reemerged in September 2022 with fresh attacks on Uber and Rockstar Games.

Though some describe Lapsus$ as a ransomware group, they do not rely on software to attack their victims. Instead, they lean heavily on insider threats and social engineering tactics such as phishing. They have even openly recruited insiders from their Telegram page:

WE ARE NOT LOOKING FOR DATA, WE ARE LOOKING FOR THE EMPLOYEE TO PROVIDE US A VPN OR CITRIX TO THE NETWORK, or some anydesk . . . You will be paid if you would like. Contact us to discuss that

Lapsus$’s motives are ostensibly financial, and they have repeatedly made statements to that effect. Per one Telegram post, “The only goal is money, our reasons are not political.”

But if money were their sole motive, Lapsus$ might keep a lower profile. They also seem to enjoy showing off to their audience of 38,000 Telegram followers – indicating they may also be chasing thrills and glory. To borrow a term from an older hacker collective, it is very possible Lapsus$ is doing it, at least in part, “for the lulz”.

Lapsus$’s initial run of attacks, focused in South America and Portugal, has led some to speculate Lapsus$ is based in Brazil. While it’s likely at least a few members live there, it’s even more likely this decentralized group has members in a dozen or more countries around the world.

Read on for the full history of Lapsus$, from its inception to its most recent cyberattacks.

December 2021: Lapsus$ makes Brazil’s Ministry of Health their first victim

On December 9, Lapsus$ launched their Telegram page and announced they had breached the Brazilian Ministry of Health. As part of their announcement, they demanded a ransom from the organization:

Over 50tb of data is copied from the cloud and intranet systems over the past weeks and has been erased from the Ministério da Saúde systems.

We request for the Ministério da Saúde ADMIN/EXECUTIVE to contact us on saudegroup@ctemplar.com for the data return. and to avoid leakage.

From what we can tell, Lapsus$ was able to obtain broad access to Brazilian health records. The Brazilian government claimed that it had backups of all the data that had been stolen and deleted, a claim Lapsus$ disputed via Telegram.

December 2021: New Years’ spree targets Impresa, Claro, and more

Over New Years’ weekend, Lapsus$ launched an impressive string of attacks on targets including Impresa, a Portuguese media conglomerate, and Claro, a Latin American telecommunications company. Again, their motives appear to have been expressly financial:

We will come to some agreement, where such i delete the data in exchange for a small reward/fee.

Otherwise we will be forced to share the data with the public eye!

I should add that the leakage of the sensitive legal orders and wiretaps would cause law enforcement major issues

In addition to ransoming sensitive data, Lapsus$ also launched denial-of-service attacks to render their targets’ websites unusable. In one case, they redirected the homepage of car rental company Localiza to send users to a pornographic website.

February 2022: Lapsus$ steals Vodafone source code

In February, Lapsus$ teased that they had breached Vodafone via a short Telegram message, followed by a poll of “what to leak first”. In another poll in early March, they specified that they had accessed 5,000 GitHub repositories and obtained roughly 200 gigabytes of compressed data from Vodafone.

This poll also included MercadoLibre, an Argentine ecommerce company. But so far, there has not been much news regarding the Vodafone and MercadoLibre attacks – possibly because Lapsus$ found even more high profile targets to pursue.

February 2022: Lapsus$ breaches Nvidia

In late February, Lapsus$ broke into graphics card company Nvidia and looted nearly a terabyte of proprietary data, including schematics, firmware, and more. Nvidia said they first noticed the attack on February 23, but they were apparently unable to prevent Lapsus$ from making off with their bounty.

As the story broke, Lapsus$ announced the hack on their Telegram on February 27. Instead of demanding money, in this case Lapsus$ demanded Nvidia remove a crypto-mining limitation on their graphics cards:

We decided to help mining and gaming community, we want nvidia to push an update for all 30 series firmware that remove every lhr limitations otherwise we will leak hw folder.

If they remove the lhr we will forget about hw folder (it’s a big folder)

We both know lhr impact mining and gaming.

On March 1st, Lapsus$ expanded their demands and called on Nvidia to fully open source their GPU drivers. They also began offering leaked data for sale, at a minimum price of $1 million.

From what we can tell, Lapsus$ and Nvidia have not come to any kind of deal. In early March, Lapsus$ even accused Nvidia of hacking them, which Nvidia currently denies.

March 2022: Lapsus$ leaks Samsung source codes & more

On March 4, Lapsus$ posted a torrent file to its Telegram including various source codes and algorithms pertaining to Samsung devices and software. In a media statement a few days later, Samsung acknowledged the breach and noted that no personal information regarding customers or employees had been leaked.

It’s unclear what, exactly, Lapsus$’s motivations were here. In this case, they did not make any clear demands, monetary or otherwise.

March 2022: Lapsus$ disrupts Ubisoft gaming services

On March 11, Ubisoft announced that they, too, had been targeted by a cyberattack causing disruptions to their online gaming services. When The Verge reported on the incident, Lapsus$ reposted the story to their Telegram page alongside a smirking emoji.

It’s unclear what Lapsus$’s motivations were in this case, and there has been little other news on the matter.

March 2022: Lapsus$ breaches Microsoft

On March 19, Lapsus$ posted a screenshot to their Telegram, teasing that they had breached the tech giant Microsoft. The screenshot indicated that they had compromised Bing, Cortana, and other Microsoft projects.

On March 21, Lapsus$ posted partial source codes for Bing, Bing Maps, and Cortana to their Telegram page. So far, it does not appear that any customer data was leaked in the data breach. However, we will continue to update this story as new details emerge.

March 2022: Several London Teenagers Arrested in Connection to Lapsus$

On March 24, City of London Police arrested seven London teens in connection to the Lapsus$ group. One of them, a 16-year-old from Oxford, may have been a leader in the group at one point. By the time of his arrest, this teenager had already been monitored by security researchers for several months. They called him by the moniker “White.”

As we shall see, this arrest did not stop the Lapsus$ group attacks — though they did quiet down for several months.

March 2022: Globant Breached by Lapsus$

On March 30, the IT company Globant admitted to being breached by the Lapsus$ group. Lapsus$ hackers dumped 70 GB of data on their Telegram channel, including source codes and other proprietary information.

After March, Lapsus$ went dark for several months. They reemerged later in the year, with another string of high-profile attacks on companies such as Uber and Rockstar Games — read on.

September 2022: Lapsus$-affiliated hacker compromises Uber

On September 15, a hacker announced in Uber’s private Slack channel that he had breached the company. One security engineer described it to the New York Times as “a total compromise”, and stated that “They pretty much have full access to Uber.” Uber’s source code, internal databases, communication channels, and more were all compromised in the breach.

This appears to have been a social engineering attack. The hacker, who uses the alias ‘teapotuberhacker,’ was able to successfully get past multi-factor authentication by repeatedly spamming an Uber employee with requests to grant access, claiming to be an IT worker.
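The pattern described above, repeated authentication prompts until a tired employee finally approves one, is often called MFA fatigue or prompt bombing, and it leaves a recognizable trace in identity-provider logs. The following Python example is added here for illustration and is not from the original article, from Uber, or from any vendor; the log format (timestamp, user, event, result), the sample lines, and the thresholds are all constructed assumptions. It flags users who receive an unusual burst of push prompts, and raises the severity when an approval follows several rejections or timeouts in the same window.

```python
"""Detect MFA push-fatigue (prompt bombing) patterns in authentication logs.

Added illustration; the log schema, sample data and thresholds below are
constructed assumptions, not any real identity provider's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, event, result.
# alice is being prompt-bombed and eventually approves; bob shows normal use.
SAMPLE_LOG = """\
2022-09-15T22:01:03Z alice push_sent denied
2022-09-15T22:01:41Z alice push_sent denied
2022-09-15T22:02:10Z alice push_sent timeout
2022-09-15T22:02:55Z alice push_sent denied
2022-09-15T22:03:30Z alice push_sent denied
2022-09-15T22:04:02Z alice push_sent approved
2022-09-15T22:00:10Z bob push_sent approved
2022-09-15T23:15:44Z bob push_sent approved
"""

WINDOW = timedelta(minutes=10)   # look-back window for counting prompts (assumed)
PROMPT_THRESHOLD = 4             # prompts in WINDOW before alerting at all (assumed)
REJECTS_BEFORE_APPROVE = 3       # non-approvals before an approval -> high severity (assumed)


def parse_log(text):
    """Parse whitespace-separated lines into (ts, user, event, result), sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        # "Z" suffix is not accepted by fromisoformat on older Pythons; normalise it.
        records.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, result))
    return sorted(records)


def detect_push_fatigue(text):
    """Return {user: (severity, max_prompts_in_window)} for users matching the pattern.

    severity is "high" when an approval follows REJECTS_BEFORE_APPROVE or more
    denials/timeouts inside WINDOW, "medium" for a burst with no such approval.
    """
    by_user = defaultdict(list)
    for ts, user, event, result in parse_log(text):
        if event == "push_sent":
            by_user[user].append((ts, result))

    findings = {}
    for user, events in by_user.items():
        max_burst = 0
        approved_after_rejects = False
        for i, (ts, result) in enumerate(events):
            # all prompts for this user in the WINDOW ending at this prompt
            window = [r for t, r in events[: i + 1] if ts - t <= WINDOW]
            max_burst = max(max_burst, len(window))
            rejects = sum(1 for r in window[:-1] if r != "approved")
            if result == "approved" and rejects >= REJECTS_BEFORE_APPROVE:
                approved_after_rejects = True
        if approved_after_rejects:
            findings[user] = ("high", max_burst)
        elif max_burst >= PROMPT_THRESHOLD:
            findings[user] = ("medium", max_burst)
    return findings


if __name__ == "__main__":
    for user, (severity, burst) in detect_push_fatigue(SAMPLE_LOG).items():
        print(f"{severity.upper()}: {user} received {burst} push prompts within {WINDOW}")
```

The "approval after repeated rejections" rule is the one that matters most for response: a burst alone may be a user with a flaky device, but an approval at the end of a burst is the moment the attacker gains a session and is worth an immediate credential reset and session revocation.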

In a statement released September 17th, Uber said they had found “no evidence that the incident involved access to sensitive user data (like trip history).” Uber has linked this breach to the Lapsus$ group, which has compromised companies such as Nvidia, Samsung, and Microsoft.

A few days following this incident, the very same hacker breached Rockstar Games — read on.

September 2022: Hacker breaches Rockstar Games, leaks GTA6 footage

On September 18, a hacker under the alias ‘teapotuberhacker’ leaked roughly 50 minutes of footage of Grand Theft Auto 6, an upcoming game produced by Rockstar Games. They apparently obtained the footage by gaining access to the company’s Slack, where they proceeded to download the video clips. Rockstar acknowledged the leak in a statement released on Twitter.
