{
	"id": "1342279a-0dfb-4fa0-83b6-e2a0c007ed3e",
	"created_at": "2026-04-06T00:18:30.182065Z",
	"updated_at": "2026-04-10T03:28:46.87456Z",
	"deleted_at": null,
	"sha1_hash": "1bfe5a2d88748b5e9e1bbdde4f9780eb2f3f05ba",
	"title": "Lapsus$ Group - an emerging dark net threat actor leveraging insider threats-or was it?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6282427,
	"plain_text": "Lapsus$ Group - an emerging dark net threat actor leveraging insider threats - or was it?\r\nBy Silent Push Threat Team\r\nPublished: 2022-03-17 · Archived: 2026-04-05 15:49:30 UTC\r\nResearch by the Silent Push Labs team.\r\nIntroduction:\r\nLapsus$ Group is an extortion group that gained public recognition in the last few weeks due to its attacks on NVIDIA and Samsung, where they stole and leaked critical information from the companies.\r\nPreviously they had conducted:\r\n– a ransomware attack on the Ministry of Health of Brazil back in December 2021;\r\n– DNS spoofing attacks on Portuguese-speaking companies such as Localiza, Submarino and Americanas during the months of January and February of the current year, 2022;\r\n– cyber attacks where they stole confidential information from a Portuguese media and information company (Impresa) and a Brazilian TV and telecommunications company (Claro and Embratel).\r\nThis latter type of attack, where critical data is accessed and stolen without being encrypted or deleted, is the most common procedure of the group, and it is the reason why, to this date, this threat actor does not fall under the category of a ransomware group.\r\nNevertheless, this threat actor is responsible for leaking important data and confidential information that compromises services and companies.\r\nhttps://www.silentpush.com/blog/lapsus-group-an-emerging-dark-net-threat-actor\r\nPage 1 of 31\n\nlapsus-group[.]com as of December 2021:\r\nlapsus-group[.]com as of January 2022:\r\nMethods\r\nBut how exactly does this threat actor infiltrate its target systems?\r\nThe group's initial step appears to be to collect authentic credentials, either by conducting phishing attacks or by advertising on the internet that they are looking to buy verified passwords from employees. 
However, recent updates may suggest they had access through the customer’s OKTA accounts. More on the updated timeline below.\r\nLapsus recruit insiders\r\nIn this way, they can access the IT infrastructures with minimal detection, sometimes being in the system for weeks.\r\nAfter either successfully having stolen enough data or being discovered, the subsequent step of the group is to actively advertise their actions on their public Telegram channel or by leaving a note on the compromised websites.\r\nAt last, the story unfolds as predicted: the gang threatens the victim to either contact them or the crucial information will be leaked.\r\nOften, some bitcoin payment is demanded, but the requests vary. 
This backs up the hypothesis that this threat actor is not sponsored or politically motivated but purely looking for money and recognition.\r\nWe have reasons to believe that the attacks from this extortion group will continue and become more frequent, possibly targeting international companies and infrastructures.\r\nFor that reason, we’ll continuously monitor the activity of this threat actor, collecting information and Indicators of Compromise, which will be available to Silent Push customers under the tag ‘lapsus$’.\r\nConfirmed Lapsus$ attacks\r\nMinistry of Health of Brazil\r\nOn December 10th 2021, the threat actor conducted a ransomware attack on the websites of the Ministry of Health of Brazil, blocking access to COVID-19 vaccination certificates and other vital information of the public healthcare system.\r\nA message written in Portuguese was left on the compromised websites, where the group claimed to have stolen and erased 50 TB of data.\r\nTheir contacts were also provided in order to negotiate the restoration of the stolen information.\r\nCorreios\r\nLapsus$ announcement of attack on Correios\r\nOn December 23rd 2021, the website of the post office company Correios was taken down.\r\nThe group immediately utilized their Telegram channel to take responsibility for the attack.\r\nUnlike the attack conducted on the Ministry of Health of Brazil, no message was left on the compromised website, and there is no evidence that any data was accessed or stolen.\r\nClaro and Embratel Telecommunications\r\nLapsus$ announcing they have hacked Claro\r\nOn December 30th 2021, the group posted a message on their Telegram claiming to have accessed Claro 
IT infrastructure and stolen almost 10000TB of confidential data.\r\nA previous post on their channel shows that the group was looking to buy the access credentials of a Claro employee. This suggests it is possible that they were on the system for a brief period, since many users reported issues in the weeks prior to the attack.\r\nWith access to the cloud IT infrastructure and apparently undetected, the group claims to have collected sensitive data including customer information, legal documents, emails, source code, confidential court orders and wiretapping recordings, and requested a monetary payment in order to stop the leakage of the information obtained.\r\nImpresa\r\nOn January 2nd, a cyber attack conducted by this gang took down several websites of Impresa, a Portuguese media and information company, for a brief number of days.\r\nAdditionally, the group accessed the Twitter and email accounts of Expresso, which they used to send tweets and emails sharing their Telegram account.\r\nOn the compromised websites, the group left their signature message, claiming to have gained access to the AWS servers of the company and requesting a monetary payment in order to stop the leakage of the information obtained.\r\nIt is believed that the group obtained valid credentials via a fraudulent phishing campaign.\r\nBig claims by Lapsus$\r\nLocaliza\r\nOn January 11th Lapsus$ performed a DNS spoofing attack on Localiza, a Brazilian rent-a-car company, redirecting their website to an adult media one.\r\nSubmarino and Americanas\r\nMore announcements from 
Lapsus$\r\nNVIDIA\r\nOn March 1st 2022, NVIDIA confirmed they had suffered a cyber attack where employee credentials and confidential data had been stolen from their systems.\r\nShortly after this, the group posted a message on their Telegram claiming responsibility and demanding a response from NVIDIA, threatening to expose the data they had collected.\r\nIt appears that negotiations either did not occur or the results were not those expected by the gang, since they ended up leaking 20GB of the data they had stolen, which contained information about components of the NVIDIA GPU driver, namely Falcon and LHR.\r\nIn another message, the gang claimed that NVIDIA was able to connect to their virtual machine and encrypt the information back. This claim has not been confirmed by NVIDIA.\r\nUnfortunately, the group declared that they had made copies of the stolen information and keep threatening to release all the sensitive data obtained if their demands are not met. 
One of the demands recently made public by the gang concerns the NVIDIA LHR limitations.\r\nThe group is asking the company to remove all LHR limitations, which would benefit Bitcoin mining.\r\nSamsung\r\nOn March 4th, the group leaked 190G of Samsung confidential data including:\r\n– source code from every Trusted Applet installed on Samsung devices’ TrustZone;\r\n– algorithms for all biometric unlock operations;\r\n– bootloader source code for all recent Samsung devices;\r\n– Samsung activation servers source code;\r\n– Samsung accounts full source code;\r\n– among other highly sensitive data, what they claim to be source code from Qualcomm.\r\nIt is unclear if Samsung was contacted by the group before the leak or if some attempted extortion occurred. 
The company has already confirmed the breach.\r\nSuspected Lapsus$ attacks: Vodafone Portugal, Mercado Livre and Ubisoft\r\nRecently the group created a poll on their Telegram channel where they requested their followers to choose the content of the next data leak.\r\nOne of the companies in this list was Impresa, which the group had attacked in January, requesting money in order to stop the leakage of the information obtained.\r\nAt the time, there was no evidence that the requested amount was paid, but this recent publication suggests it was not.\r\nIs this the official claim that Lapsus$ did attack Vodafone Portugal?\r\nOn the other hand, the group never confirmed their responsibility for the cyber attacks on Vodafone Portugal and MercadoLibre at the time of the events.\r\nIs this publication an admission of their actions?\r\nMoreover, a recent publication on their Telegram suggests that they could be behind the recent cyber attack on Ubisoft.\r\nLG Data Dump\r\nIn a last-minute rush of data dumps, Lapsus$ on 22nd March 2022 suddenly dropped a lot of information quickly, beginning with this dump of LG data from an alleged breach and claiming to have infrastructure information from their Confluence which will be released soon. 
However, this was almost lost compared to what was to come.\r\nBing, Bing Maps and Cortana\r\nThis had been hinted at in previous days, but the Telegram message was deleted. So at this point everyone is wondering how this group is getting access to all of these big brands. The previous posts looking for insiders make it look like that could be the weakness across all of these organizations. However, what happens next changes the picture.\r\nOKTA\r\nOne of the most widely used tools across the security industry is OKTA. It completely changes the access management capabilities of a large organization. Instead of managing each user's access to each corporate application, they are all done through OKTA. The user logs in to OKTA and from there they just have to click on the application tile. It significantly reduces the password management risks from each individual user, as well as bringing many other benefits. But what if OKTA becomes the entry point for the attacker? 
Well, that appears to be what happens next.\r\nThis is followed by many images backing up their claims, including the user names of OKTA employees who appear to be Software Engineers at OKTA.\r\nThe date of these screenshots is visible as 21st January 2022.\r\nThe next claim is strange: Lapsus$ then take pains to point out that they haven’t accessed any databases belonging to OKTA; they are just targeting their customers.\r\nAnd that is the timeline so far. We’ll continue to update if there are any more developments. This group appears to be a young and inexperienced group who are struggling to actually receive any payments for all of this extortion work. We don’t know how they obtained this access to a Superuser (if there is such a thing) account in OKTA, and it may never be revealed. It definitely reinforces the message that security is always about people. This group have gained a lot of notoriety and a following on social media, which may be an important factor for them. I imagine the lives of people working in the organizations that have been victims have been badly affected. 
Particularly for the employees mentioned in the images that were released.\r\nLapsus$ history:\r\nIt is difficult to pinpoint a date when this threat actor began its activity.\r\nThere is a clear increase in the severity and frequency of their attacks since December 2021.\r\nPrior to this date, a few posts written in English can be found on web forums about what appears to be their first attack as a group.\r\nIn this attack, which took place in June 2021, the group claims to have stolen the source code of FIFA 21 from the Electronic Arts company.\r\nThe company acknowledged this event but did not fulfill the requests from the group, and the source code ended up being leaked on the dark web.\r\nDoxbin link to Lapsus$\r\nFor the next few months there were some minor attacks that could be traced back to the group, but these are irrelevant in comparison to their current spike of malicious activity.\r\nThe group also changed their communication channels, withdrawing from web forums and Twitter to exclusively use Telegram.\r\nAlthough they speak both Brazilian Portuguese and English, little is known about the members of the gang.\r\nRecently, a dox was leaked which claimed that the head of this group was a 16-year-old boy who lives in the United Kingdom and suffers from severe autism. He is known on the dark web as SigmA (most recent), wh1te, Breachbase or Alexander Pavlov (also an alias).\r\nThis came to light after some disputes that took place when SigmA bought the website doxbin.com and tried to sell it back to the previous owner afterward. 
It appears that negotiations didn’t go as planned, and he ended up being exposed as Lapsus$ chief on the website that he once owned.\r\nBy using the PADNS features in the Silent Push app, we found some information that could back up this hypothesis: during the period that SigmA supposedly owned doxbin.com, this website was hosted on the same subnet as the main Lapsus$ website at the time.\r\nAnother thing that supports this claim is the messages posted by the group on their Telegram, where they deny that SigmA was arrested and share his new Telegram account.\r\nSilentPush IoC research:\r\nUsing the PADNS feature in the Silent Push app, we found domains that fit the *lapsus*group*.* pattern and the IP addresses that hosted them.\r\nTheir registrar is unavailable, and they use *.cloudflare.com nameservers.\r\n→IoC:\r\nlapsus-group[.]com\r\nlapsusgroup[.]tk\r\n185.56.83[.]40\r\n185.56.83[.]150\r\nSource: https://www.silentpush.com/blog/lapsus-group-an-emerging-dark-net-threat-actor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.silentpush.com/blog/lapsus-group-an-emerging-dark-net-threat-actor"
	],
	"report_names": [
		"lapsus-group-an-emerging-dark-net-threat-actor"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434710,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1bfe5a2d88748b5e9e1bbdde4f9780eb2f3f05ba.pdf",
		"text": "https://archive.orkl.eu/1bfe5a2d88748b5e9e1bbdde4f9780eb2f3f05ba.txt",
		"img": "https://archive.orkl.eu/1bfe5a2d88748b5e9e1bbdde4f9780eb2f3f05ba.jpg"
	}
}