LAPSUS$ ringleader suspected to be 16-year-old British teen

Bloomberg identifies members of notorious cohort

Table of Contents Table of Contents

The hacking group LAPSUS$ has been making waves across the technology industry over the past few months, the new group, thought to be a collective of hackers from around the world have breached the likes of Nvidia, Microsoft and more, as we’ve previously reported. According to a team of cybersecurity researchers via Bloomberg, one of them might be a 16-year old teenager from the UK, who has been identified as living with their mother around Oxford, England. The researchers suggest that this teenager is the mastermind behind the recent slew of attacks upon the company.

The extremely high-profile attacks from Lapsus$ have baffling motivations, but it’s thought that they seek to bargain with technology companies after stealing confidential information, such as the DLSS source code from Nvidia, which could have rippling effects throughout the entire industry. But, the team of researchers suggest a classic motivation from the hackers; to make money, and to build up a reputation.

Update: March 24, 2022, 16:20 GMT: The BBC has reported that the British teenager known as ‘White’ / ‘Breachbase’ has amassed a sum of almost 300BTC, which is currently valued at around $14 million USD. They also confirm that the City of London Police has arrested seven teenagers in relation to the LAPSUS$ hacking conglomerate. The teenager in question also attends a special education school in Oxford, but his father says that they had no idea what was going on in a statement made to the BBC.

I had never heard about any of this until recently. He’s never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games.

The alleged LAPSUS$ ringleader’s father

Additionally, it has come to light that security researchers at 221B identified the individual as early as the middle of last year, meaning that he’s been on radars for a good while before the infamous hackings by the LAPSUS$ group. The City of London Police released a statement regarding the arrests of several teenagers with the following:

Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing.

City of London Police

Is the LAPSUS$ ringleader ‘White’ or ‘Breachbase’ a 16-year old?

The British teenager suspected of being attached to LAPSUS$ is suspected to be the leader, as there is no conclusive evidence to attach them to every instance of a LAPSUS$ hack. However, there does seem to be enough to begin to form an opinion on ‘White’ or ‘Breachbase’, as they are known by several aliases.

Due to being a minor, Bloomberg cannot officially identify them, and it’s important to note that no official law-enforcement actions have been taken against them, nor is there any official accusation of wrongdoing from the authorities. Therefore, we cannot conclusively say whether this person is the mastermind behind LAPSUS$, or if they were indeed responsible for any of the actions that LAPSUS$ has undertaken over the past six months and more.

The teenager has reportedly also been doxxed by rival hackers, having his addresses and personal information posted online. Bloomberg investigators visited the house and identified their mother, and had a conversation through their doorbell’s intercom system, where she reported that she was unaware of her son’s activities, or of any of the leaked materials. Additionally, she was also disturbed to find that photos of her home, and the boy’s father’s homes were posted online. It’s noted that the home is a ‘modest terraced house’ around five miles from Oxford University.

She further declined to discuss her son, or to make him available for an interview and that the issue was a matter for law enforcement, and will be contacting the local police. As of right now, The Thames Valley Police, in addition to the National Crime Agency which handles cases of hacking in the UK did not respond to Bloomberg for comment. Additionally, the FBI’s San Francisco field office which is currently investigating LAPSUS$ declined to comment on the matter.

Bloomberg identifies another associate

According to the report from Bloomberg, another associate attached to LAPSUS$ has also been identified, another teenager, this time residing in Brazil. The team of researchers have identified several accounts attached to the group, and that there are most likely many more among their cohort of hackers.

The report states that the teenager is incredibly skilled at hacking, to the point where the researchers thought that their actions might even be automated. This displays that the tried and true example of the most-skilled hackers could also be some of the smartest, they just need to apply their skillsets over to penetration testing, which is a white-hat activity where you can garner similar results, instead of doing what essentially amounts to black-hat extortion tactics, and publicly leaving a trail of victims, announcements, and calls for help, which might end up being quite shortsighted, considering the power of the companies that they have targeted, in addition to the law enforcement forces which might seek to apprehend them if enough evidence becomes clear.

LAPSUS$ taunts its victims, Microsoft responds

According to Bloomberg, after hacking the companies that fell victim to the maverick hacking group, they’ve taunted employees by entering into their Zoom meetings, who were attempting to make sense of the mess that the group left behind for them. Additionally, it’s thought that some of their breaches have impacted Okta Inc to such a degree that 2.5% of its customers were impacted by the security breach.

In a recent blog post, Microsoft is tracking LAPSUS$ as ‘DEV-0537’ and stated the following about the notorious group.

DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. DEV-0537 started targeting organizations in the United Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail, and healthcare sectors. DEV-0537 is also known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.

Microsoft Security Threat Intelligence Center (MSTIC)

This information corroborates the reports that some of its members reside in both the United Kingdom and South America. In addition to this, they state that LAPSUS$ publicly announces their attacks, and even goes so far to announce that they are looking to purchase credentials from employees in any of the targeted organizations. This may eventually come across as crass, or even be leaving behind a trail that they can be identified by, which may spell trouble when it comes to things such as being tracked or targeted by law enforcement.

The group takes time to cool off

According to Bloomberg, LAPSUS$ is taking some time to cool off, after their series of high-profile breaches and attacks. They posted on their Telegram channel with the following:

A few of our members has a vacation until 30/3/2022. We might be quiet for some times… Thanks for understand us. – we will try to leak stuff ASAP.

LAPSUS$ Telegram Channel

Considering the amount of heat on the group following this series of high-profile attacks, it’s reasonable to think that they will be awaiting time for this to blow over, as law enforcement begins to identify members of its network, which could have devastating consequences for the children involved in the series of high-profile targets and attacks.

If you’re looking for more stories about blackhat hacking, you might enjoy the Darknet Diaries podcast, who will surely release an episode about LAPSUS$ in the coming years.