{
	"id": "7464c7d5-b78c-4b12-9a02-7484f962226d",
	"created_at": "2026-04-06T00:21:06.095954Z",
	"updated_at": "2026-04-10T03:28:46.858053Z",
	"deleted_at": null,
	"sha1_hash": "382496034ebb2d6e6bc9908e4d445fd985532642",
	"title": "Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2130874,
	"plain_text": "Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code\r\nPublished: 2022-04-22 · Archived: 2026-04-05 21:23:39 UTC\r\nKrebsOnSecurity recently reviewed a copy of the private chat messages between members of the LAPSUS$\r\ncybercrime group in the week leading up to the arrest of its most active members last month. The logs show\r\nLAPSUS$ breached T-Mobile multiple times in March, stealing source code for a range of company projects. T-Mobile says no customer or government information was stolen in the intrusion.\r\nLAPSUS$ is known for stealing data and then demanding a ransom not to publish or sell it. But the leaked chats\r\nindicate this mercenary activity was of little interest to the tyrannical teenage leader of LAPSUS$, whose\r\nobsession with stealing and leaking proprietary computer source code from the world’s largest tech companies\r\nultimately led to the group’s undoing.\r\nFrom its inception in December 2021 until its implosion late last month, LAPSUS$ operated openly on its\r\nTelegram chat channel, which quickly grew to more than 40,000 followers after the group started using it to leak\r\nhuge volumes of sensitive data stolen from victim corporations.\r\nBut LAPSUS$ also used private Telegram channels that were restricted to the core seven members of the group.\r\nKrebsOnSecurity recently received a week’s worth of these private conversations between LAPSUS$ members as\r\nthey plotted their final attacks late last month.\r\nhttps://krebsonsecurity.com/2022/04/leaked-chats-show-lapsus-stole-t-mobile-source-code/\r\nPage 1 of 19\n\nThe candid conversations show LAPSUS$ frequently obtained the initial access to targeted organizations by\r\npurchasing it from sites like Russian Market, which sell access to remotely compromised systems, as well as any\r\ncredentials stored on those systems.\r\nThe logs indicate LAPSUS$ had exactly zero problems buying, stealing or sweet-talking their way into employee\r\naccounts at companies they wanted 
to hack. The bigger challenge for LAPSUS$ was the subject mentioned by\r\n“Lapsus Jobs” in the screenshot above: Device enrollment. In most cases, this involved social engineering\r\nemployees at the targeted firm into adding one of their computers or mobiles to the list of devices allowed to\r\nauthenticate with the company’s virtual private network (VPN).\r\nThe messages show LAPSUS$ members continuously targeted T-Mobile employees, whose access to internal\r\ncompany tools could give them everything they needed to conduct hassle-free “SIM swaps” — reassigning a\r\ntarget’s mobile phone number to a device they controlled. These unauthorized sim swaps allow an attacker to\r\nintercept a target’s text messages and phone calls, including any links sent via SMS for password resets, or one-time codes sent for multi-factor authentication.\r\nThe LAPSUS$ group had a laugh at this screenshot posted by their leader, White, which shows him reading a T-Mobile news alert about their hack into Samsung. White is viewing the page via a T-Mobile employee’s virtual\r\nmachine.\r\nIn one chat, the LAPSUS$ leader — a 17-year-old from the U.K. who goes by the nicknames “White,”\r\n“WhiteDoxbin” and “Oklaqq” — is sharing his screen with another LAPSUS$ member who used the handles\r\n“Amtrak” and “Asyntax.”\r\nThe two were exploring T-Mobile’s internal systems, and Amtrak asked White to obscure the T-Mobile logo on his\r\nscreen. In these chats, the user “Lapsus Jobs” is White. Amtrak explains this odd request by saying their parents\r\nare aware Amtrak was previously involved in SIM swapping.\r\n“Parents know I simswap,” Amtrak said. 
“So, if they see [that] they think I’m hacking.”\r\nThe messages reveal that each time LAPSUS$ was cut off from a T-Mobile employee’s account — either because\r\nthe employee tried to log in or change their password — they would just find or buy another set of T-Mobile VPN\r\ncredentials. T-Mobile currently has approximately 75,000 employees worldwide.\r\nOn March 19, 2022, the logs and accompanying screenshots show LAPSUS$ had gained access to Atlas, a\r\npowerful internal T-Mobile tool for managing customer accounts.\r\nLAPSUS$ leader White/Lapsus Jobs looking up the Department of Defense in T-Mobile’s internal Atlas system.\r\nAfter gaining access to Atlas, White proceeded to look up T-Mobile accounts associated with the FBI and\r\nDepartment of Defense (see image above). Fortunately, those accounts were listed as requiring additional\r\nverification procedures before any changes could be processed.\r\nFaced with increasingly vocal pleadings from other LAPSUS$ members not to burn their access to Atlas and other\r\ntools by trying to SIM swap government accounts, White unilaterally decided to terminate the VPN connection\r\npermitting access to T-Mobile’s network.\r\nThe other LAPSUS$ members desperately wanted to SIM swap some wealthy targets for money. 
Amtrak throws a\r\nfit, saying “I worked really hard for this!” White calls the Atlas access trash and then kills the VPN connection\r\nanyway, saying he wanted to focus on using their illicit T-Mobile access to steal source code.\r\nA screenshot taken by LAPSUS$ inside T-Mobile’s source code repository at Bitbucket.\r\nPerhaps to mollify his furious teammates, White changed the subject and told them he’d gained access to T-Mobile’s Slack and Bitbucket accounts. He said he’d figured out how to upload files to the virtual machine he\r\nhad access to at T-Mobile.\r\nRoughly 12 hours later, White posts a screenshot in their private chat showing his automated script had\r\ndownloaded more than 30,000 source code repositories from T-Mobile.\r\nWhite showing a screenshot of a script that he said downloaded all available T-Mobile source code.\r\nIn response to questions from KrebsOnSecurity, T-Mobile issued the following statement:\r\n“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems\r\nthat house operational tools software. The systems accessed contained no customer or government information or\r\nother similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of\r\nvalue. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the\r\ncompromised credentials used were rendered obsolete.”\r\nCONSIDER THE SOURCE\r\nIt is not clear why LAPSUS$ was so fixated on stealing source code. Perhaps LAPSUS$ thought they could find\r\nin the source clues about security weaknesses that could be used to further hack these companies and their\r\ncustomers. 
Maybe the group already had buyers lined up for specific source code that they were then hired to\r\nprocure. Or maybe it was all one big Capture the Flag competition, with source code being the flag. The leaked\r\nchats don’t exactly explain this fixation.\r\nBut it seems likely that the group routinely tried to steal and then delete any source code it could find on victim\r\nsystems. That way, it could turn around and demand a payment to restore the deleted data.\r\nIn one conversation in late March, a LAPSUS$ member posts screenshots and other data indicating they’d gained\r\nremote administrative access to a multi-billion dollar company. But White is seemingly unimpressed, dismissing\r\nthe illicit access as not worth the group’s time because there was no source code to be had.\r\nLAPSUS$ first surfaced in December 2021, when it hacked into Brazil’s Ministry of Health and deleted more than\r\n50 terabytes of data stored on the ministry’s hacked servers. The deleted data included information related to the\r\nministry’s efforts to track and fight the COVID-19 pandemic in Brazil, which has suffered a disproportionate 13\r\npercent of the world’s COVID-19 fatalities. LAPSUS$’s next 15 victims were based either in Latin America or\r\nPortugal, according to cyber threat intelligence firm Flashpoint.\r\nBy February 2022, LAPSUS$ had pivoted to targeting high-tech firms based in the United States. On Feb. 26,\r\nLAPSUS$ broke into graphics and computing chip maker NVIDIA. 
The group said it stole more than a terabyte\r\nof NVIDIA data, including source code and employee credentials.\r\nDan Goodin at Ars Technica wrote about LAPSUS$’s unusual extortion demand against NVIDIA: The group\r\npledged to publish the stolen code unless NVIDIA agreed to make the drivers for its video cards open-source.\r\nAccording to these chats, NVIDIA responded by connecting to the computer the attackers were using, and then\r\nencrypting the stolen data.\r\nLike many high-tech firms whose value is closely tied to their intellectual property, NVIDIA relies on a number of\r\ntechnologies designed to prevent data leaks or theft. According to LAPSUS$, among those is a requirement that\r\nonly devices which have been approved or issued by the company can be used to access its virtual private network\r\n(VPN).\r\nThese so-called Mobile Device Management\r\n(MDM) systems retrieve information about the underlying hardware and software powering the system requesting\r\naccess, and then relay that information along with any login credentials.\r\nIn a typical MDM setup, a company will issue employees a laptop or smartphone that has been pre-programmed\r\nwith a data profile, VPN and other software that allows the employer to track, monitor, troubleshoot or even wipe\r\ndevice data in the event of theft, loss, or a detected breach.\r\nMDM tools also can be used to encrypt or retrieve data from connected systems, and this was purportedly the\r\nfunctionality NVIDIA used to claw back the information stolen by LAPSUS$.\r\n“Access to NVIDIA employee VPN requires the PC to be enrolled in MDM,” LAPSUS$ wrote in a post on their\r\npublic Telegram channel. “With this they were able to connect to a [virtual machine] that we use. Yes, they\r\nsuccessfully encrypted the data. 
However, we have a backup and it’s safe from scum!!!”\r\nNVIDIA declined to comment for this story.\r\nOn March 7, consumer electronics giant Samsung confirmed what LAPSUS$ had bragged on its Telegram\r\nchannel: That the group had stolen and leaked nearly 200 GB of source code and other internal company data.\r\nThe chats reveal that LAPSUS$ stole a great deal more source code than they bragged about online. One of\r\nWhite’s curious fascinations was SASCAR, Brazil’s leading fleet management and freight security company.\r\nWhite had bought and talked his way into SASCAR’s systems, and had stolen many gigabytes worth of source\r\ncode for the company’s fleet tracking software.\r\nIt was bad enough that LAPSUS$ had just relieved this company of valuable intellectual property: The chats show\r\nthat for several days White taunted SASCAR employees who were responding to the then-unfolding breach, at\r\nfirst by defacing the company’s website with porn.\r\nThe messages show White maintained access to the company’s internal systems for at least 24 hours after that,\r\neven sitting in on the company’s incident response communications where the security team discussed how to\r\nevict their tormentors.\r\nSASCAR is owned by tire industry giant Michelin, which did not respond to requests for comment.\r\nENROLLMENT\r\nThe leaked LAPSUS$ internal chats show the group spent a great deal of time trying to bypass multi-factor\r\nauthentication for the credentials they’d stolen. By the time these leaked chat logs were recorded, LAPSUS$ had\r\nspent days relentlessly picking on another target that relied on MDM to restrict employee logins: Iqor, a customer\r\nsupport outsourcing company based in St. Petersburg, Fla.\r\nLAPSUS$ apparently had no trouble using Russian Market to purchase access to Iqor employee systems. 
“I will\r\nbuy login when on sale, Russians stock it every 3-4 days,” Amtrak wrote regarding Iqor credentials for sale in the\r\nbot shops.\r\nThe real trouble for LAPSUS$ came when the group tried to evade Iqor’s MDM systems by social engineering\r\nIqor employees into removing multi-factor authentication on Iqor accounts they’d purchased previously. The chats\r\nshow that time and again Iqor’s employees simply refused requests to modify multi-factor authentication settings\r\non the targeted accounts, or make any changes unless the requests were coming from authorized devices.\r\nOne of several IQOR support engineers who told LAPSUS$ no over and over again.\r\nAfter many days of trying, LAPSUS$ ultimately gave up on Iqor. On Mar. 22, LAPSUS$ announced it hacked\r\nMicrosoft, and began leaking 37 gigabytes worth of Microsoft source code.\r\nLike NVIDIA, Microsoft was able to stanch some of the bleeding, cutting off LAPSUS$’s illicit access while the\r\ngroup was in the process of downloading all of the available source code repositories alphabetically (the group\r\npublicized their access to Microsoft at the same time they were downloading the software giant’s source code). As\r\na result, LAPSUS$ was only able to leak the source for Microsoft products at the beginning of the code repository,\r\nincluding Azure, Bing and Cortana.\r\nBETRAYAL\r\nLAPSUS$ leader White drew attention to himself prior to the creation of LAPSUS$ last year when he purchased a\r\nwebsite called Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply\r\npersonal information on people.\r\nBased on the feedback posted by Doxbin members, White was not a particularly attentive administrator. 
Longtime\r\nmembers soon took to harassing him about various components of the site falling into disrepair. That pestering\r\neventually prompted White to sell Doxbin back to its previous owner at a considerable loss. But before doing so,\r\nWhite leaked the Doxbin user database.\r\nWhite’s leak triggered a swift counterpunch from Doxbin’s staff, which naturally responded by posting on White\r\nperhaps the most thorough dox the forum had ever produced — including videos filmed just outside his home\r\nwhere he lives with his parents in the United Kingdom.\r\nThe past and current owner of the Doxbin — an established cybercriminal who goes by the handle “KT” — is the\r\nsame person who leaked these private LAPSUS$ Telegram chat logs to KrebsOnSecurity.\r\nIn early April, multiple news outlets reported that U.K. police had arrested seven people aged 15-21 in connection\r\nwith the LAPSUS$ investigation. But it seems clear from reading these leaked Telegram chats that individual\r\nmembers of LAPSUS$ were detained and questioned at different times over the course of several months.\r\nIn his chats with other LAPSUS$ members during the last week in March, White maintained that he was arrested\r\n1-2 months prior in connection with an intrusion against a victim referred to only by the initials “BT.” White also\r\nappeared unconcerned when Amtrak admits that the City of London police found LAPSUS$ Telegram chat\r\nconversations on his mobile phone.\r\nPerhaps to demonstrate his indifference (or maybe just to screw with Amtrak), White responds by leaking\r\nAmtrak’s real name and phone number to the group’s public Telegram channel. 
In an ALL CAPS invective of\r\ndisbelief at the sudden betrayal, Amtrak relates how various people started calling their home and threatening their\r\nparents as a result, and how White effectively outed them to law enforcement and the rest of the world as a\r\nLAPSUS$ member.\r\nThe vast majority of noteworthy activity documented in these private chats takes place between White and\r\nAmtrak, but it doesn’t seem that White counted Amtrak or any of his fellow LAPSUS$ members as friends or\r\nconfidants. On the contrary, White generally behaved horribly toward everyone in the group, and he particularly\r\nseemed to enjoy abusing Amtrak (who somehow always came back for more).\r\n“Mox,” one of the LAPSUS$ members who shows up throughout these leaked chats, helped the group in their\r\nunsuccessful attempts to enroll their mobile devices with an airline in the Middle East to which they had\r\npurchased access. Audio recordings leaked from the group’s private Telegram channel include a call wherein Mox\r\ncan be heard speaking fluently in Arabic and impersonating an airline employee.\r\nAt one point, Mox’s first name briefly shows up in a video he made and shared with the group, and Mox mentions\r\nthat he lives in the United States. White then begins trying to find and leak Mox’s real-life identity.\r\nWhen Mox declares he’s so scared he wants to delete his iCloud account, White suggests he can get Mox’s real\r\nname, precise location and other information by making a fraudulent “emergency data request” (EDR) to Apple,\r\nin which they use a hacked police department email account to request emergency access to subscriber\r\ninformation under the claim that the request can’t wait for a warrant because someone’s life is on the line.\r\nWhite was no stranger to fake EDRs. 
White was a founding member of a cybercriminal group called “Recursion\r\nTeam,” which existed between 2020 and 2021. This group mostly specialized in SIM swapping targets of interest\r\nand participating in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios\r\nare phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.\r\nThe roster of the now-defunct “Infinity Recursion” hacking team, from which some members of LAPSUS$ hail.\r\nThe Recursion Team was founded by a then 14-year-old from the United Kingdom who used the handle\r\n“Everlynn.” On April 5, 2021, Everlynn posted a new sales thread to the cybercrime forum cracked[.]to titled,\r\n“Warrant/subpoena service (get law enforcement data from any service).” The price: $100 to $250 per request.\r\nEverlynn advertising a warrant/subpoena service based on fake EDRs.\r\nBringing this full circle, it appears Amtrak/Asyntax is the same person as Everlynn. As part of the Recursion\r\nTeam, White used the alias “Peter.” Several LAPSUS$ members quizzed White and Amtrak about whether\r\nauthorities asked about Recursion Team during questioning. In several discussion threads, White’s “Lapsus Jobs”\r\nalias on Telegram answers “yes?” or “I’m here” when another member addresses him by Peter.\r\nWhite dismissed his public doxing of both Amtrak and Mox as their fault for being sloppy with operational\r\nsecurity, or by claiming that everyone already knew their real identities. Incredibly, just a few minutes after doxing\r\nAmtrak, White nonchalantly asks them for help in stealing source code from yet another victim firm — as if\r\nnothing had just happened between them. 
Amtrak seems soothed by this invitation, and agrees to help.\r\nOn Mar. 30, software consultancy giant Globant was forced to acknowledge a hack after LAPSUS$ published 70\r\ngigabytes of data stolen from the company, including customers’ source code. While the Globant hack has been\r\nwidely reported for weeks, the cause of the breach remained hidden in these chat logs: A stolen five-year-old\r\naccess token for Globant’s network that still worked.\r\nLAPSUS$ members marvel at a 5-year-old stolen authentication cookie still working when they use it against\r\nGlobant to steal source code.\r\nGlobant lists a number of high-profile customers on its website, including the U.K. Metropolitan Police, software\r\nhouse Autodesk and gaming giant Electronic Arts. In March, KrebsOnSecurity showed how White was\r\nconnected to the theft of 780 GB worth of source code from Electronic Arts last summer.\r\nIn that attack, the intruders reportedly gained access to EA’s data after purchasing authentication cookies for an\r\nEA Slack channel from the dark web marketplace “Genesis,” which offers more or less the same wares as the\r\nRussian Market.\r\nOne remarkable aspect of LAPSUS$ was that its members apparently decided not to personally download or store\r\nany data they stole from companies they hacked. 
They were all so paranoid of police raiding their homes that they\r\nassiduously kept everything “in the cloud.” That way, when investigators searched their devices, they would find\r\nno traces of the stolen information.\r\nBut this strategy ultimately backfired: Shortly before the private LAPSUS$ chat was terminated, the group learned\r\nit had just lost access to the Amazon AWS server it was using to store months of source code booty and other\r\nstolen data.\r\n“RIP FBI seized my server,” Amtrak wrote. “So much illegal shit. It’s filled with illegal shit.”\r\nWhite shrugs it off with the dismissive comment, “U can’t do anything about ur server seized.” Then Amtrak\r\nreplies that they never made a backup of the server.\r\n“FFS, THAT AWS HAD TMO SRC [T-Mobile source] code!” White yelled back.\r\nThe two then make a mad scramble to hack back into T-Mobile and re-download the stolen source code. But that\r\neffort ultimately failed after T-Mobile’s systems revoked the access token they were using to raid the company’s\r\nsource code stash.\r\n“How they noticed?” Amtrak asked White.\r\n“Gitlab auto-revoked, likely,” White replied. 
“Cloning 30k repos four times in 24 hours isn’t very normal.”\r\nAh, the irony of a criminal hacking group that specializes in stealing and deleting data having their stolen data\r\ndeleted.\r\nIt’s remarkable how often LAPSUS$ was able to pay a few dollars to buy access to some hacked machine at a\r\ncompany they wanted to break into, and then successfully parlay that into the theft of source code and other\r\nsensitive information.\r\nWhat’s even more remarkable is that anyone can access dark web bot shops like Russian Market and Genesis,\r\nwhich means larger companies probably should be paying someone to regularly scrape these criminal bot services,\r\neven buying back their own employee credentials to take those vulnerable systems off the market. Because that’s\r\nprobably the simplest and cheapest incident response money can buy.\r\nThe Genesis bot shop.\r\nSource: https://krebsonsecurity.com/2022/04/leaked-chats-show-lapsus-stole-t-mobile-source-code/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://krebsonsecurity.com/2022/04/leaked-chats-show-lapsus-stole-t-mobile-source-code/"
	],
	"report_names": [
		"leaked-chats-show-lapsus-stole-t-mobile-source-code"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434866,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/382496034ebb2d6e6bc9908e4d445fd985532642.pdf",
		"text": "https://archive.orkl.eu/382496034ebb2d6e6bc9908e4d445fd985532642.txt",
		"img": "https://archive.orkl.eu/382496034ebb2d6e6bc9908e4d445fd985532642.jpg"
	}
}