{
	"id": "f9af7f08-6000-4208-a8a0-55f903478b23",
	"created_at": "2026-04-06T00:22:13.70608Z",
	"updated_at": "2026-04-10T13:11:45.872493Z",
	"deleted_at": null,
	"sha1_hash": "dc9a7aace067825a112c2bd6ab72bd1a08eac464",
	"title": "A Closer Look at the LAPSUS$ Data Extortion Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 514663,
	"plain_text": "A Closer Look at the LAPSUS$ Data Extortion Group\r\nPublished: 2022-03-23 · Archived: 2026-04-02 12:09:23 UTC\r\nMicrosoft and identity management platform Okta both this week disclosed breaches involving LAPSUS$, a\r\nrelatively new cybercrime group that specializes in stealing data from big companies and threatening to publish it\r\nunless a ransom demand is paid. Here’s a closer look at LAPSUS$, and some of the low-tech but high-impact\r\nmethods the group uses to gain access to targeted organizations.\r\nFirst surfacing in December 2021 with an extortion demand on Brazil’s Ministry of Health, LAPSUS$ made\r\nheadlines more recently for posting screenshots of internal tools tied to a number of major corporations, including\r\nNVIDIA, Samsung, and Vodafone.\r\nOn Tuesday, LAPSUS$ announced via its Telegram channel it was releasing source code stolen from Microsoft. In\r\na blog post published Mar. 22, Microsoft said it interrupted the LAPSUS$ group’s source code download before it\r\ncould finish, and that it was able to do so because LAPSUS$ publicly discussed their illicit access on their\r\nTelegram channel before the download could complete.\r\nOne of the LAPSUS$ group members admitted on their Telegram channel that the Microsoft source code\r\ndownload had been interrupted.\r\n“This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation,\r\nlimiting broader impact,” Microsoft wrote. “No customer code or data was involved in the observed activities. Our\r\ninvestigation has found a single account had been compromised, granting limited access. Microsoft does not rely\r\non the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”\r\nWhile it may be tempting to dismiss LAPSUS$ as an immature and fame-seeking group, their tactics should make\r\nanyone in charge of corporate security sit up and take notice. 
Microsoft says LAPSUS$ — which it boringly calls\r\n“DEV-0537” — mostly gains illicit access to targets via “social engineering.” This involves bribing or tricking\r\nemployees at the target organization or at its myriad partners, such as customer support call centers and help\r\ndesks.\r\n“Microsoft found instances where the group successfully gained access to target organizations through recruited\r\nemployees (or employees of their suppliers or business partners),” Microsoft wrote. The post continues:\r\nhttps://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/\r\nPage 1 of 6\n\n“DEV-0537 advertised that they wanted to buy credentials for their targets to entice employees or\r\ncontractors to take part in its operation. For a fee, the willing accomplice must provide their credentials\r\nand approve the MFA prompt or have the user install AnyDesk or other remote management software\r\non a corporate workstation allowing the actor to take control of an authenticated system. Such a tactic\r\nwas just one of the ways DEV-0537 took advantage of the security access and business relationships\r\ntheir target organizations have with their service providers and supply chains.”\r\nThe LAPSUS$ Telegram channel has grown to more than 45,000 subscribers, and Microsoft points to an ad\r\nLAPSUS$ posted there offering to recruit insiders at major mobile phone providers, large software and gaming\r\ncompanies, hosting firms and call centers.\r\nSources tell KrebsOnSecurity that LAPSUS$ has been recruiting insiders via multiple social media platforms\r\nsince at least November 2021. One of the core LAPSUS$ members who used the nicknames “Oklaqq” and\r\n“WhiteDoxbin” posted recruitment messages to Reddit last year, offering employees at AT\u0026T, T-Mobile and\r\nVerizon up to $20,000 a week to perform “inside jobs.”\r\nLAPSUS$ leader Oklaqq a.k.a. 
“WhiteDoxbin” offering to pay $20,000 a week to corrupt employees at major\r\nmobile providers.\r\nMany of LAPSUS$’s recruitment ads are written in both English and Portuguese. According to cyber intelligence\r\nfirm Flashpoint, the bulk of the group’s victims (15 of them) have been in Latin America and Portugal.\r\n“LAPSUS$ currently does not operate a clearnet or darknet leak site or traditional social media accounts—it\r\noperates solely via Telegram and email,” Flashpoint wrote in an analysis of the group. “LAPSUS$ appears to be\r\nhighly sophisticated, carrying out increasingly high-profile data breaches. The group has claimed it is not state-sponsored. The individuals behind the group are likely experienced and have demonstrated in-depth technical\r\nknowledge and abilities.”\r\nMicrosoft said LAPSUS$ has been known to target the personal email accounts of employees at organizations\r\nthey wish to hack, knowing that most employees these days use some sort of VPN to remotely access their\r\nemployer’s network.\r\n“In some cases, [LAPSUS$] first targeted and compromised an individual’s personal or private (non-work-related)\r\naccounts giving them access to then look for additional credentials that could be used to gain access to corporate\r\nsystems,” Microsoft wrote. 
“Given that employees typically use these personal accounts or numbers as their\r\nsecond-factor authentication or password recovery, the group would often use this access to reset passwords and\r\ncomplete account recovery actions.”\r\nIn other cases, Microsoft said, LAPSUS$ has been seen calling a target organization’s help desk and attempting to\r\nconvince support personnel to reset a privileged account’s credentials.\r\n“The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure,” Microsoft explained.\r\n“Observed actions have included DEV-0537 answering common recovery prompts such as ‘first street you lived\r\non’ or ‘mother’s maiden name’ to convince help desk personnel of authenticity. Since many organizations\r\noutsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where\r\norganizations give their help desk personnel the ability to elevate privileges.”\r\nLAPSUS$ recruiting insiders via its Telegram channel.\r\nSIM-SWAPPING PAST SECURITY\r\nMicrosoft said LAPSUS$ also has used “SIM swapping” to gain access to key accounts at target organizations. In\r\na fraudulent SIM swap, the attackers bribe or trick mobile company employees into transferring a target’s mobile\r\nphone number to their device. From there, the attackers can intercept any one-time passwords sent to the victim\r\nvia SMS or phone call. 
They can also then reset the password for any online account that allows password resets\r\nvia a link sent over SMS.\r\n“Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing\r\npersonal email accounts of employees at target organizations; paying employees, suppliers, or business partners of\r\ntarget organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the\r\nongoing crisis-communication calls of their targets,” Microsoft wrote.\r\nAllison Nixon is chief research officer at Unit 221B, a cybersecurity consultancy based in New York that closely\r\ntracks cybercriminals involved in SIM-swapping. Working with researchers at security firm Palo Alto Networks,\r\nNixon has been tracking individual members of LAPSUS$ prior to their forming the group, and says the social\r\nengineering techniques adopted by the group have long been abused to target employees and contractors working\r\nfor the major mobile phone companies.\r\n“LAPSUS$ may be the first to make it extremely obvious to the rest of the world that there are a lot of soft targets\r\nthat are not telcos,” Nixon said. “The world is full of targets that are not used to being targeted this way.”\r\nMicrosoft says LAPSUS$ also has been known to gain access to victim organizations by deploying the “Redline”\r\npassword-stealing malware, searching public code repositories for exposed passwords, and purchasing credentials\r\nand session tokens from criminal forums.\r\nThat last bit is interesting because Nixon said it appears at least one member of LAPSUS$ also was involved in\r\nthe intrusion at game maker Electronic Arts (EA) last year, in which extortionists demanded payment in\r\nexchange for a promise not to publish 780 GB worth of source code. 
In an interview with Motherboard, the\r\nhackers claimed to have gained access to EA’s data after purchasing authentication cookies for an EA Slack\r\nchannel from a dark web marketplace called Genesis.\r\n“The hackers said they used the authentication cookies to mimic an already-logged-in EA employee’s account and\r\naccess EA’s Slack channel and then trick an EA IT support staffer into granting them access to the company’s\r\ninternal network,” wrote Catalin Cimpanu for The Record.\r\nWhy is Nixon convinced LAPSUS$ was behind the EA attack? The “WhiteDoxbin/Oklaqq” identity referenced in\r\nthe first insider recruitment screenshot above appears to be the group’s leader, and it has used multiple nicknames\r\nacross many Telegram channels. However, Telegram lumps all aliases for an account into the same Telegram ID\r\nnumber.\r\nBack in May 2021, WhiteDoxbin’s Telegram ID was used to create an account on a Telegram-based service for\r\nlaunching distributed denial-of-service (DDoS) attacks, where they introduced themself as “@breachbase.” News\r\nof EA’s hack last year was first posted to the cybercriminal underground by the user “Breachbase” on the English-language hacker community RaidForums, which was recently seized by the FBI.\r\nWHO IS LAPSUS$?\r\nNixon said WhiteDoxbin — LAPSUS$’s apparent ringleader — is the same individual who last year purchased\r\nthe Doxbin, a long-running, text-based website where anyone can post the personal information of a target, or find\r\npersonal data on hundreds of thousands who have already been “doxed.”\r\nApparently, Doxbin’s new owner failed to keep the site functioning smoothly, because top Doxbin members had\r\nno problems telling WhiteDoxbin how unhappy they were with his stewardship.\r\n“He wasn’t a good administrator, and couldn’t keep the website running properly,” Nixon said. 
“The Doxbin\r\ncommunity was pretty upset, so they started targeting him and harassing him.”\r\nNixon said that in January 2022, WhiteDoxbin reluctantly agreed to relinquish control over Doxbin, selling the\r\nforum back to its previous owner at a considerable loss. However, just before giving up the forum, WhiteDoxbin\r\nleaked the entire Doxbin data set (including private doxes that had remained unpublished on the site as drafts) to\r\nthe public via Telegram.\r\nThe Doxbin community responded ferociously, posting on WhiteDoxbin perhaps the most thorough dox the\r\ncommunity had ever produced, including videos supposedly shot at night outside his home in the United\r\nKingdom.\r\nAccording to the denizens of Doxbin, WhiteDoxbin started out in the business of buying and selling zero-day\r\nvulnerabilities, security flaws in popular software and hardware that even the makers of those products don’t yet\r\nknow about.\r\n“[He] slowly began making money to further expand his exploit collection,” reads his Doxbin entry. “After a few\r\nyears his net worth accumulated to well over 300BTC (close to $14 mil).”\r\nWhiteDoxbin’s Breachbase identity on RaidForums at one point in 2020 said they had a budget of $100,000 in\r\nbitcoin with which to buy zero-day flaws in GitHub, GitLab, Twitter, Snapchat, Cisco VPN, Pulse VPN and other\r\nremote access or collaboration tools.\r\n“My budget is $100000 in BTC,” Breachbase told RaidForums in October 2020. “Person who directs me to\r\nsomeone will get $10000 BTC. Reply to thread if you know anyone or anywhere selling this stuff. NOTE: The\r\n0day must have high/critical impact.”\r\nKrebsOnSecurity is not publishing WhiteDoxbin’s alleged real name because he is a minor (currently aged 17),\r\nand because this person has not officially been accused of a crime. 
Also, the Doxbin entry for this individual\r\nincludes personal information on his family members.\r\nNixon said that prior to launching LAPSUS$, WhiteDoxbin was a founding member of a cybercriminal group\r\ncalling itself the “Recursion Team.” According to the group’s now-defunct website, they mostly specialized in\r\nSIM swapping targets of interest and participating in “swatting” attacks, wherein fake bomb threats, hostage\r\nsituations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting\r\npotentially deadly force on a target’s address.\r\n“The team is made up of Cyber-enthusiasts who major in skills including security penetration, software\r\ndevelopment, and botting,” reads the now-defunct Recursion Team website. “We plan to have a bright future, and\r\nwe hope you do too!”\r\nUpdate, March 24, 11:11 a.m. ET: The BBC is quoting City of London Police as saying seven people between\r\nthe ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. All have been\r\nreleased under investigation.\r\nSource: https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/"
	],
	"report_names": [
		"a-closer-look-at-the-lapsus-data-extortion-group"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434933,
	"ts_updated_at": 1775826705,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc9a7aace067825a112c2bd6ab72bd1a08eac464.pdf",
		"text": "https://archive.orkl.eu/dc9a7aace067825a112c2bd6ab72bd1a08eac464.txt",
		"img": "https://archive.orkl.eu/dc9a7aace067825a112c2bd6ab72bd1a08eac464.jpg"
	}
}