LAPSUS$: How a Sloppy Extortion Gang Became One of the Most Prolific Hacking Groups


“I want to send a message to EA by you,” the hacker wrote to me in an encrypted chat. “What is the motive to hack? Obviously money right?”

The hacker and their associates, part of a group which later dubbed itself LAPSUS$, had stolen a massive cache of data from video game publishing giant Electronic Arts after breaking into the company’s internal systems. That included source code for FIFA and EA’s Frostbite game engine; technical breakdowns on how to generate crowds in virtual worlds, and software development kits that EA used to streamline the creation of games.

The hackers wanted to monetize that access by extorting EA. But they were shockingly bad at it. They didn’t really know who to send the demand to, so they asked me, as a journalist who was in contact with EA over the breach, to act as a conduit. The extortion effort was so sloppy that later an EA spokesperson asked me to put them in touch with the hackers. (I declined both requests.)

Since that hack, LAPSUS$ has gone on to become one of the most publicly active hacking and extortion gangs this year, ripping through the internal systems of Nvidia. Samsung. Microsoft. Seemingly Ubisoft as well. Most brazenly, LAPSUS$ broke into Okta, which handles the digital keys for private and government clients, letting the hackers then leverage that access to potentially target hundreds of Okta’s own customers.

Even though the EA breach was early on in the group’s escapades, it was emblematic of LAPSUS$’s subsequent and massive hacks: a group that can burrow inside some of the biggest technology and games companies on the planet, but which constantly trips over its own feet when it comes to actually getting a payday. In the Nvidia extortion demand, LAPSUS$ told the company to make its graphics cards more efficient for mining cryptocurrency. In some cases the group has pivoted to simply releasing the data it obtains, with seemingly no ransom demand at all, on its Telegram channel, where it has become very adept at generating publicity for itself.

The group has confounded and captivated some in the cybersecurity industry, with some even speculating that LAPSUS$ may be a front for a government-backed hacking group. But a review of LAPSUS$’s public statements, their breaches, technical analysis by security experts, and indications of who a main member might be, paints a picture of a crew that bears much more resemblance to the sort of free-wheeling gangs that have become a staple in the world of SIM-swapping and other relatively low level hacking techniques. Only this time, people are paying much more attention, in part because of the sorts of targets that LAPSUS$ managed to compromise. On Thursday shortly after the publication of this story, British police said they had arrested seven teenagers suspected of being part of the gang.

Often, LAPSUS$ abuses the human weaknesses inside companies, such as their IT or customer support staff. In other cases, it purchases already-stolen login tokens from the digital underground. Ordinarily, some cybersecurity professionals may see these as low-level threats. The reality is that sophistication is not the only metric that makes a hacker a security risk. So is their audacity.

“We often worry a lot about things like 0-days and advanced nation state techniques while employees are falling for requests from the ‘CEO’ to send $200 in Amazon gift cards,” Allan Liska, a researcher at cybersecurity firm Recorded Future, told Motherboard in an online chat. “We need to get better at understanding risk and taking precautions that better match that risk.”


After EA, LAPSUS$ targeted a series of companies and organizations in South America and Portugal, including Brazil’s Ministry of Health. In February, LAPSUS$ hinted that it had also breached Vodafone Portugal.

That targeting of a telecom overlaps with what appear to be LAPSUS$’s roots: the world of SIM swapping. This is where hackers trick a telecom into rerouting text messages and calls destined for one person to a SIM card that the hackers control, giving the attackers access to password reset messages and multi-factor authentication codes delivered over SMS. Often, hackers will use SIM swapping to break into accounts to steal Bitcoin, or to steal a social media account with a desirable username.
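The two controls a service can apply against the SIM-swap pattern described above are a post-swap cooldown (refuse SMS-delivered codes for a while after the carrier reports a SIM change) and a detection rule that correlates a SIM change with a reset that follows it. The following is an added illustration written for this page, not code from Motherboard, the quoted researchers, or any carrier; the 72-hour cooldown, the 24-hour detection window, the event schema and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy value: after a SIM change, the phone number is not trusted
# for SMS one-time codes or reset links until this window has elapsed.
SIM_CHANGE_COOLDOWN = timedelta(hours=72)

# Constructed sample events (not real data). Each row is
# (timestamp, account_id, event_type, detail). In practice the sim_change
# rows would come from a carrier feed and the others from the service's
# own authentication logs.
EVENTS = [
    (datetime(2021, 7, 3, 10, 2), "acct-1001", "sim_change", "ICCID-A -> ICCID-B"),
    (datetime(2021, 7, 3, 10, 9), "acct-1001", "sms_reset_code", "sent"),
    (datetime(2021, 7, 3, 10, 11), "acct-1001", "password_reset", "completed"),
    (datetime(2021, 6, 1, 8, 0), "acct-1002", "sim_change", "ICCID-C -> ICCID-D"),
    (datetime(2021, 7, 4, 12, 0), "acct-1002", "sms_reset_code", "sent"),
    (datetime(2021, 7, 4, 12, 30), "acct-1003", "password_reset", "completed"),
]


def last_sim_change(events, account_id, before):
    """Most recent SIM change for the account at or before `before`, or None."""
    times = [t for t, acct, kind, _ in events
             if acct == account_id and kind == "sim_change" and t <= before]
    return max(times, default=None)


def sms_factor_allowed(events, account_id, now):
    """Enforcement: is SMS acceptable as a reset/MFA channel for this account right now?

    Returns False while the account is inside the post-swap cooldown, so the
    caller can fall back to a non-SMS factor (authenticator app, hardware key,
    or a manual identity check) instead of texting a code to the new SIM.
    """
    changed = last_sim_change(events, account_id, now)
    if changed is not None and now - changed < SIM_CHANGE_COOLDOWN:
        return False
    return True


def find_swap_then_reset(events, window=timedelta(hours=24)):
    """Detection: flag SMS reset codes or completed password resets that follow a
    SIM change on the same account within `window`.

    Returns a chronologically ordered list of
    (account_id, sim_change_time, follow_on_event_type).
    """
    hits = []
    for t, acct, kind, _ in sorted(events):
        if kind not in ("sms_reset_code", "password_reset"):
            continue
        changed = last_sim_change(events, acct, t)
        if changed is not None and t - changed <= window:
            hits.append((acct, changed, kind))
    return hits


if __name__ == "__main__":
    for acct, changed, kind in find_swap_then_reset(EVENTS):
        print(f"ALERT {acct}: {kind} {changed} after SIM change")
    print("SMS allowed for acct-1001 at 10:09:",
          sms_factor_allowed(EVENTS, "acct-1001", datetime(2021, 7, 3, 10, 9)))
```

On the constructed events only acct-1001 is flagged: its reset code and password reset land minutes after the SIM change, while acct-1002's reset is a month after its swap and acct-1003 has no swap at all. The cooldown only works if the carrier actually exposes SIM-change events to the service; where it does not, the detection rule can still be run after the fact over support-ticket and reset logs.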

“The people involved have a background in using social engineering (including SIM swapping) to do account takeovers in order to get access to cryptocurrency,” a security researcher who is currently leading an effort analyzing LAPSUS$’s activity told Motherboard. Motherboard granted the researcher anonymity and agreed not to name their employer as the person is not authorized to speak to the press on this issue. LAPSUS$ also targeted Claro and Embratel, two other telecoms in South America. Cybersecurity firm DarkOwl spotted that the hackers used Windows Remote Desktop, a tool for remotely controlling a computer, to interact with the machines inside Claro. As Motherboard previously reported, SIM swappers have escalated from tricking telecoms into swapping SIMs to tricking them into installing similar remote access tools that let the hackers rummage inside telecoms’ networks. The group also launched a spam text message campaign shortly after the EA hack against British phone numbers, demanding payment in the privacy-focused cryptocurrency Monero.

“We are LAPSUS$, remember our name, we have your userdata,” the group wrote in a July 2021 message published by DarkOwl.

The group has seemingly also purchased stolen login tokens, including from an underground website called Genesis Marketplace. These login tokens, or session cookies, are more powerful than a simple username and password. They essentially allow the hackers to load their web browser in a state where they are already logged into a stolen account, fooling a system into thinking they are the legitimate user. Because the session was already authenticated when the cookie was taken, replaying it also sidesteps the password prompt and any multi-factor check that would have run at login. The hackers present the same sort of token that keeps an ordinary user logged in between page loads, so to the website the stolen cookie looks like a perfect mask of the victim.
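The usual server-side answer to replayed session cookies is to bind each session to the context it was created in and treat a change of context as a signal rather than silently accepting the token. The block below is an added example written for this page, not code from Motherboard, Genesis Marketplace, or any of the companies named; `SessionStore`, its method names, the /24 and /48 address bucketing, and the "revoke on browser change, step up on network change" policy are all assumptions chosen for illustration.

```python
import hashlib
import secrets
from ipaddress import ip_address, ip_network


class SessionStore:
    """In-memory session store that remembers where each session was created.

    Each request presenting a session token is compared against the network
    bucket and browser fingerprint recorded at login. A different network is
    common for legitimate users (mobile, VPN) so it only triggers step-up
    authentication; a different browser on the same token almost always
    means the cookie has been copied out of one browser and loaded into
    another, so the session is revoked outright.
    """

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _ip_bucket(ip):
        # Coarse bucket so DHCP churn inside one network does not trip the check.
        addr = ip_address(ip)
        prefix = 24 if addr.version == 4 else 48
        return str(ip_network(f"{addr}/{prefix}", strict=False))

    @staticmethod
    def _fingerprint(user_agent):
        # Hashed so the raw User-Agent string is not stored alongside the session.
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

    def create(self, user, ip, user_agent):
        """Log `user` in from (ip, user_agent) and return the new session token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "ip_net": self._ip_bucket(ip),
            "ua": self._fingerprint(user_agent),
        }
        return token

    def validate(self, token, ip, user_agent):
        """Check a presented token against the request context.

        Returns (verdict, mismatches) where verdict is one of
        "ok", "step_up", "revoked" or "invalid".
        """
        session = self._sessions.get(token)
        if session is None:
            return "invalid", None
        mismatches = []
        if session["ip_net"] != self._ip_bucket(ip):
            mismatches.append("ip")
        if session["ua"] != self._fingerprint(user_agent):
            mismatches.append("user_agent")
        if "user_agent" in mismatches:
            # Cookie replayed from a different browser: kill the session so the
            # copied token is useless to whoever holds it.
            del self._sessions[token]
            return "revoked", mismatches
        if mismatches:
            # Same browser, new network: keep the session but demand re-auth
            # before anything sensitive.
            return "step_up", mismatches
        return "ok", mismatches


if __name__ == "__main__":
    store = SessionStore()
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/98.0"
    token = store.create("alice", "203.0.113.7", ua)  # constructed sample login
    print(store.validate(token, "203.0.113.9", ua))                 # same /24 -> ok
    print(store.validate(token, "198.51.100.20", ua))               # new network -> step_up
    print(store.validate(token, "203.0.113.7", "Mozilla/5.0 (Windows NT 10.0) Chrome/99.0"))  # replay -> revoked
    print(store.validate(token, "203.0.113.7", ua))                 # already revoked -> invalid
```

Two caveats a practitioner should keep in mind. Binding is a layer, not a cure: an infostealer running on the victim's own machine can copy the User-Agent along with the cookies, and marketplaces of the kind named above package exactly that, so short session lifetimes and re-authentication for sensitive actions (password change, MFA enrollment, admin consoles) still matter. And browser updates change the User-Agent for honest users too, so in production the "revoked" branch is usually paired with a login notification and a way for the real user to recover.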

LAPSUS$ has gone further than most SIM swappers, though, and has enough technical proficiency to use other techniques once it has broken in, according to an analysis of LAPSUS$’s techniques published by Microsoft. Those include deploying password-stealing software and exploiting unpatched vulnerabilities to gain access to even more information.

For months, LAPSUS$ was more of a sideshow for the cybersecurity industry. At the start of March, that changed when the group announced on its Telegram channel that it had breached graphics card manufacturer Nvidia.

Now, LAPSUS$ runs two Telegram channels. The first is one where only the group itself can post, and where it shares details about new breaches or links to download released data. The second is a chat room where anyone can join and post messages, including journalists who, predictably, get dog-piled when they make their presence known. At the time of writing, that channel has over 10,680 members, many of whom spend their time shit-talking each other or posting memes, not unlike many other hacking communities on Telegram or Discord. LAPSUS$ used to have its own website too.

Multiple security researchers Motherboard spoke to pointed to LAPSUS$’s use of Telegram to publicly announce breaches as unusual. “Lapsus$ has an unusual desire for attention. Asking the public to vote on which victim’s data to leak next on their Telegram channel is a typical example,” Inês Vestia on the intelligence team at cybersecurity firm SilentPush, which has followed the group’s posts, told Motherboard in an email. 

“Based on their public persona, they also seem to enjoy letting everyone know about those accesses. They enjoy the spotlight, which is somewhat unique,” Joshua Shilko, senior principal analyst at cybersecurity company Mandiant, added.

But in the context of a SIM swapping crew, LAPSUS$’s brazenness makes total sense. Often when these sorts of groups or individuals breach a target, they drum up attention on Twitter, taunt their rivals in online posts, or flex to others on Discord. LAPSUS$ is the continuation of that, albeit louder. Often, clout is the point. That, and for a group that at least attempts extortion, public-facing leak sites or Telegram channels where hackers list and intimidate their victims are the norm now.

The haphazard extortion style that started with EA returned with Nvidia. After leaking some data stolen from the company, LAPSUS$ demanded that Nvidia remove limitations on its graphics cards that curb how powerful the cards are for mining cryptocurrency. Predictably, Nvidia didn’t make any such change.

Just a few days after claiming responsibility for the Nvidia breach, LAPSUS$ leaked data stolen from Samsung. Then Microsoft said it was investigating LAPSUS$’s claim that it had hacked that company as well, and the group dumped what appeared to be source code from Microsoft’s search engine Bing and smart assistant Cortana.

“Our investigation found an account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” a Microsoft spokesperson said in a statement a short while later, confirming the hack.

If the earlier hacks were more about being high profile targets, the breach of Okta signified that LAPSUS$ could actually be dangerous. Okta is an authentication provider that companies and agencies use to log workers into their systems. LAPSUS$ gained access to Okta itself, and posted internal screenshots showing that it could, in at least some cases, reset targets’ passwords. Okta later admitted that hundreds of customers could have been caught up in the hack.

In the wake of that hack, even the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said it was “paying very close attention to LAPSUS$,” and said that the group didn’t appear to be a Russian government front.

Whether it’s the young hacker who broke into Twitter’s backend and gained access to a slew of high profile accounts; the hacking crew Chuckling Squad, which did something similar but targeted individuals; or even as far back as Crackas With Attitude, who dumped lists of FBI and DHS staff, the cybersecurity industry has a habit of underestimating hackers who just want to break into shit for the sake of showing off to their friends and enemies, even if their payday doesn’t happen or is a small one. LAPSUS$ is the latest in that tradition.

Update: This piece has been updated to include news of the arrest of seven teenagers suspected of being involved in LAPSUS$.
