{
	"id": "c81225d6-4c30-43ba-926e-62ad2466df28",
	"created_at": "2026-04-06T00:07:10.385153Z",
	"updated_at": "2026-04-10T03:28:46.9267Z",
	"deleted_at": null,
	"sha1_hash": "ea33032a517887c1b9e8f2a4b0bcf031388f219b",
	"title": "Vodafone Investigating Source Code Theft Claims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89045,
	"plain_text": "Vodafone Investigating Source Code Theft Claims\r\nBy Eduard Kovacs\r\nPublished: 2022-03-10 · Archived: 2026-04-05 20:24:27 UTC\r\nVodafone has launched an investigation after a cybercrime group claimed to have stolen hundreds of\r\ngigabytes of source code from the telecoms giant.\r\nThe hacker group, calling itself “Lapsus$,” claims to have obtained roughly 200 Gb of source code files, allegedly\r\nrepresenting approximately 5,000 GitHub repositories.\r\nIn an emailed statement, Vodafone confirmed that it’s aware of the claims and said an investigation has been\r\nlaunched.\r\n“We are investigating the claim together with law enforcement, and at this point we cannot comment on the\r\ncredibility of the claim,” Vodafone told SecurityWeek. “However, what we can say is that generally the types of\r\nrepositories referenced in the claim contain proprietary source code and do not contain customer data.”\r\nThe hackers haven’t leaked any of the Vodafone source code they claim to have obtained. Instead, they are asking\r\nthe tens of thousands of users subscribed to their Telegram channel if they should leak source code from\r\nVodafone, Portuguese media giant Impresa, or e-commerce firm MercadoLibre. The poll will end on March 13.\r\nThe attack on Impresa caused significant disruption, and MercadoLibre recently confirmed in an SEC filing that\r\nsource code and the data of 300,000 users was compromised.\r\nAdvertisement. Scroll to continue reading.\r\nhttps://www.securityweek.com/vodafone-investigating-source-code-theft-claims\r\nPage 1 of 2\n\nIn February, Vodafone Portugal blamed some service disruptions on a “malicious cyberattack,” but it’s unclear if\r\nthe incidents are related.\r\nThe Lapsus$ group recently also claimed to have stolen source code and other information from NVIDIA and\r\nSamsung.\r\nNVIDIA has confirmed that the attackers have stolen employee credentials and code-signing certificates.\r\nSamsung, from which the cybercriminals allegedly stole 190 GB of data, has confirmed the theft of source code\r\nrelated to Galaxy devices, but said that customer and employee information did not appear to have been\r\ncompromised.\r\nThe hackers are hoping to get big ransom payments from the impacted companies in return for not leaking the\r\nstolen information. In the case of NVIDIA, they also demanded that the company open source drivers and remove\r\na feature that limits the Ethereum mining capabilities on some of its graphics cards.\r\nThe attacks do not appear to involve any file-encrypting ransomware.\r\nRelated: French Ministry of Justice Targeted in Ransomware Attack\r\nRelated: Conti Ransomware Source Code Leaked\r\nRelated: University Project Cataloged 1,100 Ransomware Attacks on Critical Infrastructure\r\nSource: https://www.securityweek.com/vodafone-investigating-source-code-theft-claims\r\nhttps://www.securityweek.com/vodafone-investigating-source-code-theft-claims\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.securityweek.com/vodafone-investigating-source-code-theft-claims"
	],
	"report_names": [
		"vodafone-investigating-source-code-theft-claims"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434030,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea33032a517887c1b9e8f2a4b0bcf031388f219b.pdf",
		"text": "https://archive.orkl.eu/ea33032a517887c1b9e8f2a4b0bcf031388f219b.txt",
		"img": "https://archive.orkl.eu/ea33032a517887c1b9e8f2a4b0bcf031388f219b.jpg"
	}
}