{
	"id": "66a1b544-8dfa-4401-95f5-4b2070c63cb6",
	"created_at": "2026-04-09T02:23:50.665242Z",
	"updated_at": "2026-04-10T03:28:46.815627Z",
	"deleted_at": null,
	"sha1_hash": "f418196132b6c0b2a4d3d2fe8f6b308ee5468310",
	"title": "LAPSUS and the Terrible, Horrible, No Good, Very Bad Ransom Day 1 (UPDATED) - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72452,
	"plain_text": "LAPSUS and the Terrible, Horrible, No Good, Very Bad Ransom Day 1 (UPDATED) - DataBreaches.Net\r\nPublished: 2022-02-27 · Archived: 2026-04-09 02:14:51 UTC\r\nFirst they thought their victim hacked them back. Then they appeared to be trolled by a “negotiator” who wasn’t. I don’t know if the Brazilian threat actors who call themselves LAPSUS felt like moving to Australia after a bad day at the ransom office yesterday, but their attack on Nvidia and the aftermath seemed somewhat… unusual, to say the least.\r\nOn February 26, word of the attack on chip giant Nvidia gained attention on Twitter after LAPSUS used their Telegram channel to leak what they claimed was employee data. They also threatened to leak 1TB of Nvidia’s data. @DarkTracer_int tweeted some screencaps:\r\nAt that point, it seemed to be a fairly standard situation — threat actors claim to have compromised a victim, leak some data as proof of the claim, and make threats, while the victim entity says it is investigating the claims.\r\nBut what happened next started to derail this one.\r\nLAPSUS, typing in the always-ridiculed all-caps style with tons of exclamation points, claimed that Nvidia were criminals because they had hacked them back.\r\nLAPSUS claimed that Nvidia had hacked back.\r\nLAPSUS$, [2/26/2022 1:02 AM] EVERYONE!!! NVIDIA ARE CRIMINALS!!!!!!!!!\r\nSOME DAYS AGO A ATTACK AGAINST NVIDIA AND STOLE 1TB OF CONFIDENTIAL DATA!!!!!!\r\nTODAY WOKE UP AND FOUND NVIDIA SCUM HAD ATTACKED **THE** MACHINE WITH RANSOMWARE…….\r\nLUCKILY IT HAD A BACKUP BUT WHY THE FUCK THEY THINK THEY CAN CONNECT TO THE PRIVATE MACHINE AND INSTALL RANSOMWARE!!!!!!!!!!!\r\nhttps://www.databreaches.net/lapsus-and-the-terrible-horrible-no-good-very-bad-ransom-day1/\r\nPage 1 of 6\r\nLAPSUS$, [2/26/2022 1:03 AM] (100% DISK USAGE) from nvidia ENCRYPTING **THE** DRIVES!!!!!!!!!!!\r\nLAPSUS later offered an explanation as to how Nvidia allegedly hacked them and encrypted their drives:\r\nTo address all the rumours about how nvidia hacked us.\r\nIt’s simple.\r\nAccess to nvidia employee VPN requires the PC to be enrolled in MDM (Mobile Device Management)\r\nWith this they were able to connect to a VM we use.\r\nYes they successfully encrypted the data. However we have a backup and it’s safe from scum!!!\r\nWe were not hacked by a competitors group or any sorts.\r\nMarcus Hutchins (@malwaretechblog) offered a somewhat different explanation:\r\nTo me this sounds a lot like LAPSUS$ installed Nvidia’s corporate agent on their own machine then triggered a data loss prevention policy, which they mistook for ransomware because they’re morons.\r\nhttps://t.co/NNF27yidE6\r\n— Marcus Hutchins (@MalwareTechBlog) February 27, 2022\r\nIn less than 24 hours, LAPSUS had gone from appearing to be a threat to rapidly losing credibility. And their day wasn’t over yet…\r\nThe Negotiations That Weren’t\r\nWhile DataBreaches.net continued to try to get a response from Nvidia about the claimed hack-back, this site was contacted by a Russian threat actor who has communicated with this site in the past. “Tokyo” (one of his aliases) informed this site that he wanted to expose LAPSUS as frauds and to make a point to victims that you can’t trust amateur groups. To make that point, it seems that Tokyo posed as a negotiator for Nvidia.\r\n“No one should trust this shitty group who didn’t even confirm that I was genuine,” Tokyo told this site.\r\nDataBreaches.net was shown the chat log between Tokyo and “SigmA” from Lapsus. This site was also provided with some of the email chain for the negotiations, one of which included a URL provided by Lapsus for the sample data. The archived sample, which was still available at the URL as of today, contained almost 20 GB of source code and other non-personal information. It also contained a SpyEye trojan.\r\nThe following is a screencap of the folders in the sample archive:\r\nDirectory of files in the archived sample provided by Lapsus. Image: DataBreaches.net\r\nAccording to the email chain and statements to this site by “Tokyo,” LAPSUS asked $750,000 to delete all the data they had exfiltrated.\r\nPart of the email negotiations thread between Lapsus and someone posing as an Nvidia negotiator. Lapsus had been told to email the amount demanded to specific employees, who had no knowledge of the ruse or troll at all. Image: Provided. URL redacted by DataBreaches.net.\r\nThe “negotiator” counteroffered $560,000 – an offer that Lapsus appeared to accept, providing their BTC wallet where payment could be made.\r\nLapsus accepts the offer of $560k and provides their BTC wallet. The employee named in the chat had no participation in or knowledge of any of this.\r\nBut as you might have guessed by now, no, that wasn’t the end of it, because the “negotiator” waited a while, and then sent another message, saying that he had made a mistake and the offer was $56,000 and not $560,000. And of course, that wasn’t real anyway.\r\nAt some point last night, LAPSUS removed the Nvidia screencaps and data from their Telegram channel, which might have indicated that they thought they were getting paid. But according to their email to this site in response to inquiries, that’s not what happened.\r\nWhen asked about being trolled, a spokesperson replied:\r\nI suspected he was a fraud from the start. So I decided not to send him the most important data.\r\nI sent him some old GPU driver or something, not the important information about GV10* chips or 30** GPUs\r\nThe posts were removed, the spokesperson wrote, “due to the fact we are going to make a better announcement in some time.”\r\nIn a follow-up email, they indicated that they would be leaking about 100 GB of data soon after the time of their email.\r\nResponding to LAPSUS’s account of their dealings with him, Tokyo claims that they are just making excuses and that they had been completely cooperative, which raises the question of why they didn’t actually verify him as a negotiator. And as to the posts being removed, he wrote, “This is bullshit. I [the negotiator] told them to take the posts down and they did.”\r\nAs to Nvidia, well, DataBreaches.net had sent inquiries to Nvidia beginning early yesterday about the claimed hack-back but got no response. Nvidia finally responded late last night that they would be issuing a statement today. So far, that hasn’t happened, and it is not clear to me whether, when they do issue a statement, they will address the questions this site put to them. This post will be updated if their statement contains any new information about the scope of the breach and their incident response.\r\nUpdate: LAPSUS did post another announcement of the breach. In their statement, they claimed they were in Nvidia systems “for about a week,” and they “grabbed the most important stuff, schematics, driver, firmware, etc…”\r\nThey also leaked some data, noting that “This leak contains source code and highly confidential/secret data from various parts of NVIDIA gpu driver. Falcon, LHR, and such.” DataBreaches.net did not download it to determine if it was identical to the sample data this site had previously acquired and that included a trojan.\r\nLess than two hours later, however, LAPSUS seemed to have changed their mind about leaking data, writing:\r\nWe decided to help mining and gaming community, we want nvidia to push an update for all 30 series firmware that remove every lhr limitations otherwise we will leak hw folder.\r\nIf they remove the lhr we will forget about hw folder (it’s a big folder)\r\nWe both know lhr impact mining and gaming.\r\nThanks.\r\nAs to Nvidia’s promised statement: they never sent this site any statement after more than 24 hours. In combination with LAPSUS’s revised announcement, the breach may be worse than they were willing to acknowledge initially.\r\n1 With apologies to Judith Viorst, the author of the classic children’s book, Alexander and the Terrible, Horrible, No Good, Very Bad Day\r\nSource: https://www.databreaches.net/lapsus-and-the-terrible-horrible-no-good-very-bad-ransom-day1/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.databreaches.net/lapsus-and-the-terrible-horrible-no-good-very-bad-ransom-day1/"
	],
	"report_names": [
		"lapsus-and-the-terrible-horrible-no-good-very-bad-ransom-day1"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775701430,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f418196132b6c0b2a4d3d2fe8f6b308ee5468310.pdf",
		"text": "https://archive.orkl.eu/f418196132b6c0b2a4d3d2fe8f6b308ee5468310.txt",
		"img": "https://archive.orkl.eu/f418196132b6c0b2a4d3d2fe8f6b308ee5468310.jpg"
	}
}