LAPSUS$ is a data extortion group that gained notoriety in early 2022 for breaching some of the world's largest technology companies without deploying ransomware. The group relied on social engineering, insider recruitment, and MFA fatigue to gain access, then exfiltrated source code and internal data for extortion. Several members were arrested in the UK in 2022.
| Attribute | Detail |
|---|---|
| Names | LAPSUS$ / DEV-0537 |
| Attribution | English/Portuguese-Speaking Extortion Group |
| Active Since | 2021 |
| Primary Focus | Extortion without ransomware. Compromised Microsoft, Nvidia, Samsung, Okta, Uber. |
## Attribution
LAPSUS$ (also tracked as DEV-0537) is an English- and Portuguese-speaking extortion group active since at least 2021. Its hallmark is extortion without deploying ransomware; victims include Microsoft, Nvidia, Samsung, Okta, and Uber.
## Notable Campaigns
- Microsoft breach — source code exfiltration (2022)
- Nvidia — employee credentials and proprietary data stolen
- Samsung — Galaxy source code exfiltrated
- Okta — third-party support access compromise
- Uber — MFA fatigue attack via compromised contractor
- T-Mobile — source code and tooling access
- Globant — 70GB source code leak
## MITRE ATT&CK Mapping
| Technique ID | Technique | Confidence |
|---|---|---|
| T1566 | Phishing | High |
| T1078 | Valid Accounts | High |
| T1530 | Data from Cloud Storage Object | High |
| T1567 | Exfiltration Over Web Service | High |
| T1621 | MFA Request Generation | High |
| T1656 | Impersonation | High |
## Detection & Defense
Monitor for the TTPs listed above using your SIEM and EDR platforms. Prioritize patching of internet-facing applications and enforce MFA on all remote access. Mjolnir Security provides continuous threat hunting and monitoring for LAPSUS$ activity patterns.
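Of the techniques in the mapping above, MFA Request Generation (T1621, the "MFA fatigue" pattern used in the Uber intrusion) is the one most identity providers already log but few environments alert on. The following is an added example, not code from the original page or from Mjolnir Security: a small detector that runs over identity-provider push-notification events, flags a burst of push prompts to one user inside a sliding window, and raises a high-severity alert when an approval follows such a burst. The event format, field names and all sample events are constructed for illustration; map them to your own provider's log schema.

```python
"""Detect MFA push fatigue (ATT&CK T1621) from identity-provider auth logs.

Added example for illustration; the event schema below is an assumption,
not any specific vendor's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry):
# (timestamp, user, event, source_ip)
SAMPLE_EVENTS = [
    ("2022-09-15T22:01:05Z", "alice", "push_sent", "198.51.100.7"),
    ("2022-09-15T22:01:20Z", "alice", "push_approved", "198.51.100.7"),
    ("2022-09-15T23:10:00Z", "contractor01", "push_sent", "203.0.113.10"),
    ("2022-09-15T23:10:30Z", "contractor01", "push_denied", "203.0.113.10"),
    ("2022-09-15T23:11:00Z", "contractor01", "push_sent", "203.0.113.10"),
    ("2022-09-15T23:11:45Z", "contractor01", "push_denied", "203.0.113.10"),
    ("2022-09-15T23:12:10Z", "contractor01", "push_sent", "203.0.113.10"),
    ("2022-09-15T23:13:00Z", "contractor01", "push_sent", "203.0.113.10"),
    ("2022-09-15T23:14:20Z", "contractor01", "push_sent", "203.0.113.10"),
    ("2022-09-15T23:15:05Z", "contractor01", "push_approved", "203.0.113.10"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, window_minutes=10, max_prompts=5):
    """Return a list of alert dicts for push-prompt bursts and approvals after a burst.

    A 'burst' is max_prompts or more push_sent events for one user inside
    window_minutes. A push_approved that lands while the user is in a burst is
    the signal that matters most: the target may have given in to the prompts.
    """
    window = timedelta(minutes=window_minutes)
    prompts = defaultdict(deque)   # user -> timestamps of recent push_sent
    denials = defaultdict(deque)   # user -> timestamps of recent push_denied
    alerts = []

    # Timestamps share one fixed-width format, so lexical order is time order.
    for ts_str, user, event, src_ip in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_str)
        for q in (prompts[user], denials[user]):
            while q and ts - q[0] > window:   # drop events outside the window
                q.popleft()

        if event == "push_sent":
            prompts[user].append(ts)
            if len(prompts[user]) == max_prompts:   # fire once per crossing
                alerts.append({
                    "user": user, "severity": "medium", "reason": "mfa_push_burst",
                    "prompts": len(prompts[user]), "denials": len(denials[user]),
                    "source_ip": src_ip, "ts": ts_str,
                })
        elif event == "push_denied":
            denials[user].append(ts)
        elif event == "push_approved":
            if len(prompts[user]) >= max_prompts:
                alerts.append({
                    "user": user, "severity": "high",
                    "reason": "approval_after_push_burst",
                    "prompts": len(prompts[user]), "denials": len(denials[user]),
                    "source_ip": src_ip, "ts": ts_str,
                })
            # A completed sign-in closes the episode for this user.
            prompts[user].clear()
            denials[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

The medium alert is worth an analyst's look on its own, but the high alert (approval after a burst, here with two prior denials from the same source) is the one that should page someone and trigger session revocation for that user. Tune `window_minutes` and `max_prompts` to your own baseline; number-matching or FIDO2 authenticators remove the class of problem rather than detecting it.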
## Mjolnir Security — Threat Intelligence & Response
Mjolnir Security provides 24/7 threat monitoring, incident response, and threat intelligence services. Contact us for threat hunting specifically targeting LAPSUS$ TTPs in your environment.
mjolnirsecurity.com — 24/7 Incident Response Hotline: +1 833 403 5875