The cyber criminal organization LAPSUS$ has claimed responsibility for a number of high-profile attacks. Did they give away too much in their bragging? It could be since the City of London police say they have arrested seven teenagers in relation to the gang.

Meanwhile, a 16-year-old from Oxford who goes by the handle ‘White’ or ‘Breachbase’ has been named by rival threat actors and researchers as being connected with LAPSUS$. It has not been confirmed if White was among those arrested.

On the LAPSUS$ Telegram channel, the group has boasted about breaching brands such as Microsoft, NVIDIA, Samsung, Mercado Libre, Vodafone and, more recently, Ubisoft. The rival attackers allege White made up to $14M from his individual attacks.

Highly disruptive LAPSUS$ threat

LAPSUS$ is a particularly disruptive group known for unusual activity, such as polling their subscribers about “What should we leak next?”. The group recently offered three options. The first was to leak 200GB worth of Vodafone source code. The second choice was the source code and databases of Portuguese media corporation Impresa. Lastly, they offered to leak the source code for MercadoLibre and MercadoPago, both Argentinian e-commerce companies.

Apparently, the gang doesn’t make empty threats. In the Samsung incident, LAPSUS$ actors posted a 190GB torrent file to their Telegram channel. The group claimed the file contained confidential source code that exposed Samsung device security systems. The compromised systems reportedly included smartphone biometric authentication algorithms and bootloader source code to bypass OS controls.

On March 24, Microsoft confirmed that the LAPSUS$ group had also breached its company. Threat actors posted a torrent file containing partial source code from Bing, Bing Maps and Cortana. The attackers breached a single employee’s account, granting them “limited access” to Microsoft’s systems and allowing source code theft. According to Microsoft, the attack did not compromise customer code or data.

Attacks and counterattacks

In the NVIDIA attack, parts of the company were offline for two days. Attackers also managed to exfiltrate around 1TB of sensitive data. That included files like GPU driver and GPU firmware source codes. Later, LAPSUS$ threatened to “help mining and gaming community” by leaking a bypass solution for the Lite Hash Rate GPU hash rate limiter. The rogue actors then announced that the full LHR V2 workaround for anything between GA102-GA104 was for sale.

Later, the gang allegedly leaked password hashes from “all NVIDIA employees”. They threatened to release another terabyte of data unless the company paid “a fee”.

In another twist to the story, NVIDIA allegedly struck back at LAPSUS$ and encrypted a virtual machine the attacker group uses. LAPSUS$ stated they had backup files installed.

Teenage LAPSUS$ leader doxxed

According to the BBC report, a rival attacker website doxxed White after an apparent dispute. The rivals posted White’s real name, address and social media pictures. The BBC also reports that the rival group posted a synopsis about White, saying: “After a few years his net worth accumulated to well over 300BTC [close to $14m]… [he] now is affiliated with a wannabe ransomware group known as ‘Lapsus$’, who has been extorting & ‘hacking’ several organizations.”

As reported by Bloomberg, cybersecurity researchers have been tracking White for nearly a year and linked him to LAPSUS$ and other attacks.

“We’ve had his name since the middle of last year and we identified him before the doxxing,” said Allison Nixon, chief research officer at cybersecurity investigation company Unit 221B.

Only time will tell if the recent arrest will bring a halt to criminal activity associated with the LAPSUS$ operation.