{
	"id": "e1b5555c-3a37-4902-85e5-978b69e05837",
	"created_at": "2026-04-06T00:19:05.665963Z",
	"updated_at": "2026-04-10T03:28:46.878786Z",
	"deleted_at": null,
	"sha1_hash": "49368101c060168e1eb5591ba78918d694a14833",
	"title": "All About LAPSUS$: What We Know About the Extortionist Group [Updated]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 822443,
	"plain_text": "All About LAPSUS$: What We Know About the Extortionist\r\nGroup [Updated]\r\nBy Flashpoint Intel Team\r\nPublished: 2022-03-23 · Archived: 2026-04-05 22:09:29 UTC\r\nUnderstanding the Rise and Fall of LAPSUS$\r\nLAPSUS$ is an extortionist threat group that became active on December 10, 2021. Unlike the majority of\r\nextortionist groups that typically rely on a combination of ransomware and data leaks, LAPSUS$ is focused on\r\nmonetizing their operations exclusively through data leaks advertised on Telegram without the use of ransomware.\r\nInitially, the group focused on data breaches against Latin American and Portuguese targets but in late February\r\n2022, LAPSUS$ began widening the scope of its targeting by announcing it had successfully breached US-based\r\ngraphics and computing chip manufacturer Nvidia. Since then, LAPSUS$ has continued to focus on large-scale\r\ninternational technology companies, including Microsoft, Okta, and Samsung, as the financial incentive for\r\nstealing source code and extorting companies for sensitive proprietary technical data is high.\r\nWhat Made LAPSUS$ Tactics So Effective?\r\nUnlike traditional ransomware groups, they did not always encrypt their victims’ data. Instead, they focused on\r\ndata extortion. They would steal sensitive source code or customer data and then demand a ransom to keep it\r\nprivate.\r\nUsing Social Engineering to Bypass MFA\r\nOne of the group’s most famous tactics was bypassing multi-factor authentication (MFA). They did not use\r\ntechnical exploits to do this. Instead, they used “MFA fatigue” attacks. They would send a flood of login requests\r\nto an employee’s phone at night. Eventually, the tired employee might approve just to stop the noise.\r\nThey also used simple social engineering to trick help desks. They would call an IT support line and pretend to be\r\nan employee who lost their phone. 
By using basic personal information found online, the attackers convinced help desks to reset passwords or enroll new devices. These human errors gave the group its initial access.\r\nNotable LAPSUS$ targets\r\nLAPSUS$ differs from ransomware collectives in that the group does not encrypt its victims’ files; instead it gains access to important files and threatens to leak them if an extortion payment is not made.\r\nhttps://www.flashpoint-intel.com/blog/lapsus/\r\nPage 1 of 9\r\nBrazil’s Ministry of Health\r\nLAPSUS$ claimed its first victim, Brazil’s Ministry of Health, on December 10, 2021. Since then, the group has claimed an additional 19 victims, the first 15 of which were all Latin American and Portuguese targets.\r\nLocaliza\r\nLAPSUS$ gained additional notoriety when, on January 11, it began redirecting users of the official website of Localiza, one of the largest car rental conglomerates in Latin America, to a pornography site.\r\nVodafone Portugal\r\nOn February 8, Vodafone Portugal suffered a cyberattack that disrupted its 4G and 5G services. Initially no group claimed responsibility, and the incident was speculated to be either a distributed denial-of-service (DDoS) or a ransomware attack. On February 24, LAPSUS$ claimed responsibility for the Vodafone Portugal attack on its Telegram channel.\r\nImpresa and Cofina\r\nLAPSUS$ breached two of Portugal’s largest media companies: Impresa on January 3 and Cofina on February 6.\r\nNVIDIA\r\nIn perhaps its most publicized attack to date, LAPSUS$ claimed it had breached the US-based graphics and computing chip manufacturer NVIDIA and exfiltrated 1 TB of data from the company’s networks, including proprietary information on NVIDIA GPUs that were not scheduled to go on sale until March 29. Overall, LAPSUS$ has released 150 GB of the stolen data as of this publishing.\r\nScreenshot of LAPSUS$’s Nvidia Hack Announcement (Image: Flashpoint).\r\nThe group also offered to separately sell a bypass for the Lite Hash Rate (LHR) limiter that Nvidia imposes on its GPUs to make them less effective for cryptocurrency mining, a measure intended to ease the global chip shortage. The group stated that the minimum offer it would entertain for the LHR bypass was US$1 million.\r\nSamsung\r\nOn March 4, LAPSUS$ posted a message in its official Telegram channel informing subscribers that it had carried out an attack against the South Korean electronics conglomerate Samsung. The group later leaked 189 GB of stolen Samsung data and instructed Samsung to contact the group directly to prevent further leaks.\r\nOn March 7, Samsung revealed that it had suffered a data breach in which source code for Samsung Galaxy mobile devices had been stolen. However, the company stated that no personal customer or employee information was compromised as part of the breach. Samsung did not name a threat group as responsible for the hack.\r\nMicrosoft\r\nOn March 20, 2022, LAPSUS$ claimed to have breached one of Microsoft’s Azure DevOps accounts. Later, on March 22, LAPSUS$ leaked 37 GB of stolen data that allegedly included partial source code for Bing, Bing Maps, and Cortana.\r\nOn March 22, Microsoft released a blog post detailing LAPSUS$ and confirmed that a single account had been compromised and source code had been stolen as a result. However, Microsoft stated that no customer code or data was involved and that its incident responders were able to halt the malicious activity. Microsoft also stated that it does not rely on the secrecy of source code as a security measure, so viewing its source code does not lead to an elevation of risk.\r\nOkta\r\nOn March 22, LAPSUS$ claimed to have remote access with superuser and admin privileges on multiple Okta systems. LAPSUS$ stated that it had not stolen data from Okta itself and that the group’s focus was rather on Okta customers.\r\nScreenshot of LAPSUS$’s Okta Hack Announcement (Image: Flashpoint).\r\nIn response to LAPSUS$’s claims, Okta issued an official statement on March 22 in which the company revealed that in late January 2022 it had detected an attempt to compromise an account belonging to a third-party customer support engineer. Okta stated that it had investigated the incident and was able to contain it. The company stated that the screenshots shared by LAPSUS$ appeared to be related to this late January incident and that its investigations had not identified additional evidence of ongoing malicious activity.\r\nLAPSUS$ and Insider Threats\r\nSince LAPSUS$ became active in December 2021, the group has actively sought out corporate and government insiders who could provide it with remote internal network access.\r\nLAPSUS$ has emphasized that it is not interested in corporate data stolen by insiders but specifically in network access, listing VPNs, Citrix, and AnyDesk as examples of the access it wants.\r\nOn March 10, 2022, LAPSUS$ posted an advertisement (below) seeking to recruit employees who could provide remote corporate network access through VPN or virtual desktop infrastructure (VDI) credentials at organizations in the following sectors:\r\nTelecommunications companies\r\nLarge software and/or gaming companies\r\nCall centers and business process management (BPM) providers\r\nServer hosting providers\r\nScreenshot of LAPSUS$ insider recruitment ad (Screenshot: Flashpoint).\r\nEven prior to this latest insider recruitment advertisement, Flashpoint had observed multiple LAPSUS$ insider recruitment attempts in the LAPSUS$ Telegram group going back to the group’s founding in December 2021. For example, on December 12, 2021, the group offered in its Telegram group chat to pay potential Brazilian Federal Police insiders $15,000 for internal access to Brazil’s Federal Police network.\r\nAlthough Flashpoint has not observed an example of an insider providing LAPSUS$ with access that later led to a real-world attack, any such arrangement would most likely have been negotiated via private direct messages rather than in the public channel.\r\nBased on LAPSUS$’s history of openly soliciting corporate network access, Flashpoint assesses with moderate confidence that this is at least one of the methods, if not the primary method, by which the group gains initial access to victim organizations. As the group has also shown a preference for login credentials to remote network gateways, it is also possible that it procures a portion of these accesses through dark web purchases such as browser stealer malware logs, which are readily available on several dark web account shops and marketplaces.\r\nMajor LAPSUS$ Arrests\r\nOn March 24, the City of London Police arrested seven individuals in connection with the extortionist group LAPSUS$, which is allegedly responsible for several high-profile attacks in recent weeks. Police revealed that all of the individuals arrested were between the ages of 16 and 21; no names have been released. According to the BBC, one of the arrested threat actors is said to have accumulated $14M from their malicious cyber activities.\r\nOn March 23, Bloomberg published an article tying the group’s ringleader to the online aliases “white” and “breachbase,” which belong to a 16-year-old UK minor. According to a KrebsOnSecurity article published the same day, this individual was further tied to the aliases “WhiteDoxbin” and “Oklaqq.” London police did not reveal whether this individual was among those arrested.\r\nThis minor was previously doxed by a rival threat actor on January 9. The doxxer claimed that the alleged LAPSUS$ mastermind had purchased Doxbin, an illicit leak and dox site, which has suffered ongoing problems since. The dox also contained personally identifiable information (PII) for the individual, but because of their underage status Flashpoint will not be sharing that information.\r\nThe Bloomberg article also alluded to another LAPSUS$ member likely residing in Brazil, but did not provide an alias for this individual, suggesting that this LAPSUS$ member may still be at large.\r\nAfter the arrests, LAPSUS$ referred in its Telegram channel to a vacation being taken by some of the group’s members, a probable reference to the announced arrests.\r\nGet Flashpoint Intelligence on Your Team\r\nAny organization’s security capabilities are only as good as its threat and vulnerability intelligence partner. Flashpoint’s suite of tools offers you a comprehensive overview of your threat landscape, providing you with the ability to proactively manage risks and protect your assets, infrastructure, and personnel. To unlock the power of great threat intelligence, sign up for a demo or get started with a free trial today.\r\nLAPSUS$ Frequently Asked Questions (FAQs)\r\nWhat is LAPSUS$ and how does Flashpoint Ignite track their activity?\r\nLAPSUS$ is a high-profile extortion group within Flashpoint Ignite’s monitoring scope that gained notoriety for targeting major global tech firms. Flashpoint Ignite tracks the group by monitoring its public and private Telegram channels, where it announces new victims and polls followers on which data to leak next. This provides Flashpoint users with immediate awareness of the group’s targets and of the specific TTPs it uses to bypass modern security stacks.\r\nGroup characteristic and corresponding Flashpoint Ignite strategic benefit:\r\nExtortion Focus: Alerts users to data leaks even when no ransomware is present.\r\nTelegram Presence: Captures real-time chatter and recruitment ads from the group.\r\nTarget Diversity: Tracks shifts in the group’s focus across different industries and regions.\r\nHow does Flashpoint help prevent the MFA fatigue attacks used by LAPSUS$?\r\nFlashpoint helps prevent MFA fatigue attacks by providing intelligence on the “initial access” methods that lead to these prompts. Before LAPSUS$ can spam an employee with MFA prompts, it must first obtain a valid username and password. Flashpoint monitors the dark web for your organization’s leaked credentials, allowing you to reset compromised accounts before the group can initiate a malicious login or social engineering attempt.\r\nCredential Monitoring: Identifies stolen logins that are the prerequisite for an MFA bypass.\r\nTTP Intelligence: Details how the group uses “MFA bombing” to overwhelm targets.\r\nHelp Desk Protection: Provides training context for staff on how LAPSUS$ manipulates support calls.\r\nWhy is Flashpoint’s visibility into “insider recruitment” vital for corporate defense?\r\nFlashpoint’s visibility into insider recruitment is vital because it allows organizations to detect when their own employees are being targeted by groups like LAPSUS$. Flashpoint monitors illicit forums and encrypted messaging apps for posts specifically soliciting “access for hire” from within your domain. This allows security and HR teams to identify high-risk areas and take proactive measures to secure privileged accounts before an insider can facilitate a breach.\r\nInsider risk factor and corresponding Flashpoint integrated response:\r\nDirect Recruitment: Alerts you when actors post ads for insiders at your company.\r\nCredential Sales: Identifies if internal access tokens are being sold in illicit markets.\r\nBehavioral Context: Provides a clear view of the rewards and incentives actors use to lure insiders.\r\nSource: https://www.flashpoint-intel.com/blog/lapsus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.flashpoint-intel.com/blog/lapsus/"
	],
	"report_names": [
		"lapsus"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434745,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/49368101c060168e1eb5591ba78918d694a14833.pdf",
		"text": "https://archive.orkl.eu/49368101c060168e1eb5591ba78918d694a14833.txt",
		"img": "https://archive.orkl.eu/49368101c060168e1eb5591ba78918d694a14833.jpg"
	}
}