Teenagers vs. the Fortune 500: The Lapsus$ Rampage
In February 2022, someone broke into Nvidia and stole approximately 1 terabyte of data, including the source code for the company’s DLSS AI rendering technology and the private code-signing certificates of two GPU drivers. Within days, the attackers threatened to release the certificates unless Nvidia removed the mining limiter from its graphics cards — a demand so audacious it read like a joke.
It was not a joke. And Nvidia was not the first, nor the last.
Over the following weeks, the same group — calling themselves Lapsus$, operating primarily on Telegram, broadcasting their intrusions to tens of thousands of followers in real time — tore through the most security-conscious companies on earth. Samsung lost source code for its Galaxy smartphone firmware. Microsoft lost source code for Bing, Cortana, and portions of Azure. Okta, the identity management giant whose authentication infrastructure sits between millions of users and thousands of enterprise applications, was compromised in a way that potentially exposed the tenants of hundreds of corporate customers. T-Mobile lost internal source code repositories. Uber had its entire admin infrastructure accessed — its internal Slack, its AWS console, its HackerOne vulnerability disclosure program — by what turned out to be an 18-year-old in England.
Then Rockstar Games lost footage of the in-development sequel to Grand Theft Auto V.
The security community watched this unfold with a mixture of horror and bewilderment. These were not state-sponsored APT groups with years of operational discipline and nation-state resources. They were, in at least two cases, teenagers. They did not exploit novel zero-days or engineer sophisticated malware. They social-engineered helpdesks. They bought access from insiders. They got employees to approve MFA push notifications at 3 AM. And somehow, this was enough to defeat the security apparatus of some of the largest technology companies on the planet.
Threat Actor Profile: Lapsus$ (DEV-0537)
Designation: Lapsus$ (self-named); DEV-0537 (Microsoft); UNC3661 (Mandiant)
Attribution: A loose, opportunistic extortion group drawing members predominantly from the United Kingdom and Brazil, with apparent connections to broader English- and Portuguese-speaking hacking communities. Not state-sponsored. Not ideologically motivated. Primarily driven by notoriety, financial gain, and — in several members’ cases — what investigators and psychologists described as a compulsive engagement with hacking as a game.
Origin: Emerged publicly around mid-2021; most prominent activity December 2021 – September 2022
Primary Mission: Data theft and extortion; source code exfiltration; destruction of victim reputation; the apparent thrill of demonstrating access to unreachable organizations
Known Tradecraft: SIM swapping, MFA fatigue (push bombing), insider recruitment via Telegram, credential stuffing, targeted social engineering of IT helpdesks, dark web credential purchases, corporate VPN and Citrix exploitation
Key Members Identified:
- Arion Kurtaj (UK, age 18 at time of most attacks): Assessed to be the group’s most technically active member; convicted in August 2023 on multiple counts of computer misuse in the UK. Diagnosed with severe autism. Conducted the Rockstar Games hack from a Premier Inn hotel room while on bail using a TV, a phone, and an Amazon Fire Stick.
- “White” (UK, age 17 at time of most attacks): Second UK teenager convicted in August 2023 for multiple offenses related to the Lapsus$ campaign. Name withheld due to age at time of offense.
- Additional members in Brazil; at least two Brazilian suspects arrested by São Paulo police in October 2022.
Notorious Operations:
- Impresa / Correios / Claro (Dec 2021–Jan 2022): Early attacks on Brazilian media and telecom companies; defaced websites and leaked data to establish credibility.
- Okta (Jan 2022): Compromise of Okta’s third-party support engineering contractor (Sitel); screenshot of admin access circulated on Telegram; affected up to 366 Okta customers.
- Nvidia (Feb 2022): 1TB+ of data stolen including DLSS source code and code-signing certificates; extortion demand to remove GPU mining limiters; certificates leaked and used to sign malware by third parties.
- Samsung (Mar 2022): Source code for Galaxy firmware exfiltrated; 190GB released publicly.
- Microsoft (Mar 2022): Source code repositories for Bing, Cortana, and Azure infrastructure accessed; partial release of approximately 37GB of source code.
- Okta (announced Mar 2022): Public release of screenshots from the January Okta compromise, triggering a major incident for Okta and its enterprise customers.
- T-Mobile (2022): Internal source code repositories accessed; T-Mobile confirmed multiple breaches attributed to Lapsus$ in 2022.
- Uber (Sep 2022): Full administrative access achieved; Slack, AWS, GCP, internal security tooling all accessed by an 18-year-old.
- Rockstar Games (Sep 2022): Early development footage and source code for Grand Theft Auto VI exfiltrated and posted online — one of the most significant game industry leaks in history.
The Tactics: Why Sophistication Was Not Required
To understand Lapsus$, you have to discard a fundamental assumption that the security industry had embedded in its threat modeling: that breaking into a Fortune 500 company requires sophisticated tooling, advanced malware, or nation-state resources.
Lapsus$ demonstrated — conclusively — that it does not.
SIM Swapping
The group’s foundational technique was SIM swapping: convincing a mobile carrier’s customer support agent to transfer a target’s phone number to a SIM card under the attacker’s control. Once accomplished, any SMS-based multi-factor authentication code sent to that number went to the attacker, not the victim.
This was not a novel technique. SIM swapping had been documented for years in financial fraud. What Lapsus$ added was scale and targeting — systematically applying it to employees at high-value technology companies rather than to individual cryptocurrency holders.
A carrier’s call center agent can typically be convinced with a date of birth, a partial account number, and a plausible story. This information is routinely available from prior data breaches. Lapsus$ members were apparently skilled at the performance: confident, specific, impatient — the manner of a legitimate, mildly frustrated customer rather than a hesitant attacker.
MFA Fatigue / Push Bombing
For accounts protected by push-based MFA — where a legitimate employee must approve a notification on their phone to complete login — Lapsus$ deployed MFA fatigue. The attacker, in possession of valid credentials but lacking the MFA approval, repeatedly sends authentication requests to the victim’s device. At 2 AM, receiving the 30th push notification, some employees simply tapped Approve to make it stop.
This is not a technical vulnerability. It is a human one. And it worked against employees at major technology companies.
Insider Recruitment: Paying for the Door
Perhaps the most alarming element of Lapsus$’s tradecraft was the most straightforward: they paid employees to let them in.
On their Telegram channel — which at peak had tens of thousands of subscribers watching in real time — Lapsus$ openly posted job listings. They wanted employees at major technology companies and telecommunications providers. They were offering cash: reportedly $20,000 or more for someone to install remote access software, provide VPN credentials, or simply click a link on a corporate machine.
They got takers.
In the T-Mobile intrusion, the FBI’s subsequent investigation found evidence that Lapsus$ members had directly paid T-Mobile employees for access. In other cases, the group recruited through broader networks — advertising on dark web forums and, strikingly, in public Telegram channels with tens of thousands of followers.
The insider recruitment strategy bypassed every perimeter security control that organizations spend billions of dollars building. Firewalls. Zero-trust architecture. Endpoint detection and response. Multi-factor authentication. None of it matters if someone with legitimate access is willing to sell that access for a price.
The Helpdesk: The Last Line of Trust
Where direct insider recruitment wasn’t available, Lapsus$ turned to social engineering IT support. By posing as legitimate employees — sometimes using personal information obtained from prior data breaches or LinkedIn — members called helpdesks and requested password resets and MFA re-enrollment for high-privilege accounts.
This was the technique used in the Okta intrusion: the group’s members convinced a support contractor at Sitel — a third-party firm providing customer support engineering for Okta — to grant them access to Okta’s admin portal. A screenshot of that access, showing the ability to reset credentials for Okta enterprise customers, circulated on Telegram for two months before Okta publicly acknowledged the incident.
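Both the MFA fatigue pattern described above and the helpdesk reset pattern used against Okta leave traces in identity-provider logs. The following Python is an added example, not from the article and not any vendor’s detection content: it runs two checks over a constructed, simplified JSON-lines log (field names, thresholds and the PRIVILEGED set are assumptions to map and tune locally). The first flags a burst of pushes to one user and records whether an approval followed the burst; the second flags a support-initiated password or factor reset on a privileged account that is followed by a login from a source the account has never used before.

```python
"""Detection logic for MFA push bombing and helpdesk reset abuse.

Added example; the log below is constructed and simplified. Real identity
providers use their own event and field names, so map them before use.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_COUNT = 5                         # this many pushes ...
BURST_WINDOW = timedelta(minutes=10)    # ... within this window (assumed)
RESET_WINDOW = timedelta(hours=24)      # reset-to-login correlation window (assumed)
PRIVILEGED = {"carol"}                  # accounts with elevated rights (assumed)

# Constructed sample log: carol (privileged) gets a support reset then a login
# from a new IP; dave (unprivileged) gets the same; alice is push-bombed at 2 AM.
SAMPLE_LOG = """\
{"ts": "2022-01-20T09:00:00Z", "user": "carol", "event": "login.success", "src": "198.51.100.4"}
{"ts": "2022-01-21T11:02:00Z", "user": "carol", "event": "mfa.factor.reset", "actor": "support-agent-42", "actor_type": "support", "src": "192.0.2.10"}
{"ts": "2022-01-21T11:10:00Z", "user": "carol", "event": "login.success", "src": "203.0.113.7"}
{"ts": "2022-01-21T11:30:00Z", "user": "dave", "event": "password.reset", "actor": "support-agent-42", "actor_type": "support", "src": "192.0.2.10"}
{"ts": "2022-01-21T11:35:00Z", "user": "dave", "event": "login.success", "src": "203.0.113.9"}
{"ts": "2022-09-15T02:01:10Z", "user": "alice", "event": "push.sent", "result": "timeout", "src": "203.0.113.7"}
{"ts": "2022-09-15T02:02:15Z", "user": "alice", "event": "push.sent", "result": "timeout", "src": "203.0.113.7"}
{"ts": "2022-09-15T02:03:20Z", "user": "alice", "event": "push.sent", "result": "denied", "src": "203.0.113.7"}
{"ts": "2022-09-15T02:04:05Z", "user": "alice", "event": "push.sent", "result": "timeout", "src": "203.0.113.7"}
{"ts": "2022-09-15T02:05:30Z", "user": "alice", "event": "push.sent", "result": "timeout", "src": "203.0.113.7"}
{"ts": "2022-09-15T02:07:55Z", "user": "alice", "event": "push.sent", "result": "approved", "src": "203.0.113.7"}
{"ts": "2022-09-15T02:08:00Z", "user": "alice", "event": "login.success", "src": "203.0.113.7"}
{"ts": "2022-09-15T09:00:00Z", "user": "bob", "event": "push.sent", "result": "approved", "src": "198.51.100.22"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime `ts`, sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_push_bombing(events, count=BURST_COUNT, window=BURST_WINDOW):
    """One alert per user who received >= `count` pushes inside `window`."""
    recent = defaultdict(deque)   # user -> pushes still inside the window
    alerts = {}
    for rec in events:
        if rec["event"] != "push.sent":
            continue
        user, q = rec["user"], recent[rec["user"]]
        q.append(rec)
        while rec["ts"] - q[0]["ts"] > window:   # drop pushes that aged out
            q.popleft()
        if len(q) >= count:
            a = alerts.setdefault(user, {"user": user, "pushes": 0,
                                         "approved_after_burst": False, "sources": set()})
            a["pushes"] = max(a["pushes"], len(q))
            a["sources"].update(r["src"] for r in q)
            if rec["result"] == "approved":       # the fatigue worked
                a["approved_after_burst"] = True
    return list(alerts.values())


def detect_reset_then_new_login(events, privileged=PRIVILEGED, window=RESET_WINDOW):
    """Support-initiated reset on a privileged account, then a login from a
    source IP never seen for that account before the reset."""
    known_src = defaultdict(set)
    pending = {}          # user -> most recent support-initiated reset
    alerts = []
    for rec in events:
        user = rec["user"]
        if rec["event"] in ("password.reset", "mfa.factor.reset"):
            if rec.get("actor_type") == "support" and user in privileged:
                pending[user] = rec
        elif rec["event"] == "login.success":
            reset = pending.get(user)
            if (reset and rec["ts"] - reset["ts"] <= window
                    and rec["src"] not in known_src[user]):
                alerts.append({"user": user, "reset_by": reset["actor"],
                               "reset_at": reset["ts"], "login_src": rec["src"],
                               "login_at": rec["ts"]})
                del pending[user]
            known_src[user].add(rec["src"])
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in detect_push_bombing(evs) + detect_reset_then_new_login(evs):
        print(alert)
```

The second check deliberately keys on who performed the reset rather than on the reset itself: a self-service reset from a known device is routine, while a support-performed factor reset on an administrator account that is immediately followed by a login from an address the account has never used is exactly the sequence a helpdesk impersonation produces.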
The Companies: A Parade of Defeats
Okta (January–March 2022)
The Okta compromise is arguably the most consequential in the Lapsus$ record, because of what Okta is.
Okta provides single sign-on and identity management for approximately 15,000 organizations — including hundreds of Fortune 500 companies, government agencies, and technology firms. When employees at these organizations log into their corporate systems, they often do so through Okta. Okta, in effect, is the key that opens every door.
Lapsus$ compromised a Sitel contractor account with access to Okta’s customer support system in January 2022. From that access, they obtained the ability to view and potentially modify customer tenant information — including the ability to reset passwords and MFA factors for Okta customer accounts.
The Okta breach was discovered internally in January but not disclosed publicly until March 22, 2022, after Lapsus$ posted screenshots on Telegram. Okta’s initial assessment — that only 2.5% of customers (approximately 366 organizations) may have been affected — was later revised. The incident triggered significant customer concern and ultimately a formal security review of Okta’s third-party access controls.
Nvidia (February 2022)
The Nvidia breach began with an attacker using compromised employee credentials to access Nvidia’s internal network via the company’s remote access infrastructure. Once inside, they exfiltrated approximately 1 terabyte of data, including source code for the DLSS machine learning rendering technology, GPU driver code, and critically: the private code-signing certificates of two Nvidia GPU drivers.
The extortion demand was unlike any other: Lapsus$ threatened to release the certificates unless Nvidia removed the Lite Hash Rate (LHR) limiter from its graphics cards — a hardware restriction Nvidia had implemented to reduce the attractiveness of its consumer GPUs for cryptocurrency mining operations.
Nvidia declined. The certificates were released. Within days, other malicious actors were using the Nvidia certificates to sign their own malware — lending it the apparent legitimacy of a signed Nvidia driver. The certificates’ validity period had already expired, but many security tools at the time did not rigorously check certificate expiration for signing purposes.
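The leaked-certificate episode turns on a distinction that a signature verifier has to get right: an expired certificate can legitimately validate old, timestamped signatures, yet a stolen key can sign anything, so expiry alone protects nobody. The Python below is an added example, not from the article and not any vendor’s verifier; it contrasts a lenient policy (chain and digest fine, so trusted) with a strict one that honours only countersignature timestamps inside the validity period and blocks known-leaked certificates by thumbprint. The certificate data and blocklist entry are constructed placeholders.

```python
"""Signature trust policy for code signed with a leaked certificate.

Added example: a model of the policy decision, not a parser for real
Authenticode/PKCS#7 structures. Certificate data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Collection, Optional, Tuple


@dataclass(frozen=True)
class SigningCert:
    thumbprint: str            # hash of the DER certificate (placeholder here)
    subject: str
    not_before: datetime
    not_after: datetime
    chains_to_trusted_root: bool


@dataclass(frozen=True)
class Signature:
    cert: SigningCert
    digest_ok: bool                        # file digest matches the signed digest
    countersign_time: Optional[datetime]   # trusted timestamp, None if absent


# Constructed driver-signing certificate whose validity ended years ago.
EXAMPLE_CERT = SigningCert(
    thumbprint="PLACEHOLDER-THUMBPRINT-0001",
    subject="CN=Example Driver Signer (constructed)",
    not_before=datetime(2011, 1, 1),
    not_after=datetime(2014, 12, 31),
    chains_to_trusted_root=True,
)
NOW = datetime(2022, 3, 5)   # evaluation time, shortly after a leak
LEAKED_THUMBPRINTS = {"PLACEHOLDER-THUMBPRINT-0001"}   # placeholder blocklist

# Three signatures made with the same certificate.
OLD_TIMESTAMPED = Signature(EXAMPLE_CERT, True, datetime(2013, 6, 1))      # legit old driver
FRESH_UNTIMESTAMPED = Signature(EXAMPLE_CERT, True, None)                  # signed after leak
FRESH_TIMESTAMPED_2022 = Signature(EXAMPLE_CERT, True, datetime(2022, 3, 4))


def lenient_evaluate(sig: Signature, now: datetime) -> Tuple[bool, str]:
    """Weak policy: any intact signature from a once-trusted chain is accepted,
    with expiry and timestamps ignored."""
    if not sig.digest_ok:
        return False, "digest mismatch"
    if not sig.cert.chains_to_trusted_root:
        return False, "untrusted chain"
    return True, "signature intact and chain trusted (expiry ignored)"


def strict_evaluate(sig: Signature, now: datetime,
                    leaked: Collection[str] = ()) -> Tuple[bool, str]:
    """Hardened policy: returns (trusted, reason)."""
    cert = sig.cert
    if not sig.digest_ok:
        return False, "digest mismatch"
    if not cert.chains_to_trusted_root:
        return False, "untrusted chain"
    if cert.thumbprint in leaked:
        # A leaked key signs anything; blocking by identity is the only cure.
        return False, "certificate is on the leaked-certificate blocklist"
    if sig.countersign_time is not None:
        # Timestamped: judge validity at signing time, so legitimately signed
        # old files keep working after the certificate expires.
        if cert.not_before <= sig.countersign_time <= cert.not_after:
            return True, "timestamped inside the certificate validity period"
        return False, "timestamp outside the certificate validity period"
    # Untimestamped: the signature is only as good as the certificate is now.
    if cert.not_before <= now <= cert.not_after:
        return True, "certificate currently valid (no timestamp)"
    return False, "certificate expired and signature not timestamped"


def compare_policies(sig: Signature, now: datetime = NOW,
                     leaked: Collection[str] = ()) -> dict:
    """Side-by-side verdicts for one signature."""
    return {"lenient": lenient_evaluate(sig, now)[0],
            "strict": strict_evaluate(sig, now, leaked)[0]}


if __name__ == "__main__":
    for name, sig in [("old driver, timestamped 2013", OLD_TIMESTAMPED),
                      ("fresh file, no timestamp", FRESH_UNTIMESTAMPED),
                      ("fresh file, timestamped 2022", FRESH_TIMESTAMPED_2022)]:
        print(f"{name:30} {compare_policies(sig)}  "
              f"blocklisted: {compare_policies(sig, leaked=LEAKED_THUMBPRINTS)}")
```

Under the lenient policy all three signatures pass, which is the behaviour the leak exploited; under the strict policy only the 2013-timestamped driver passes, and even that fails once the thumbprint is on the blocklist, which is the trade-off a defender accepts when a key is known to be in criminal hands.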
Microsoft (March 2022)
In March 2022, Microsoft confirmed that Lapsus$ had accessed its internal source code repositories. The group published approximately 37GB of source code for Bing, Cortana, and portions of the Azure platform.
Microsoft’s disclosure, characteristically thorough, noted that the compromise appeared to have been achieved via a single compromised employee account — and that the company’s security team had detected and terminated the access while the exfiltration was in progress. The published source code, Microsoft assessed, did not include anything that posed a direct security risk to customers: the targeted repositories did not contain production secrets, credentials, or keys.
What the incident demonstrated was the exposure of a single weak credential — a single employee without adequately hardened access — within one of the world’s most security-sophisticated organizations.
Uber (September 2022)
The Uber intrusion of September 15, 2022 may be the group’s most cinematic.
An 18-year-old, later identified as Arion Kurtaj, obtained the personal WhatsApp number of an Uber employee. He sent a message claiming to be from Uber’s internal IT security team, warning that the employee’s account had been compromised and that he needed to approve an MFA push notification to help resolve the issue. The employee approved the push.
Kurtaj was inside Uber’s network.
From that initial foothold, the 18-year-old navigated through Uber’s internal systems with apparent ease. He accessed the company’s Slack — and posted messages in Uber’s internal channels announcing the breach to Uber employees directly. He accessed Uber’s AWS management console. He accessed Uber’s Google Cloud infrastructure. He found Uber’s HackerOne vulnerability disclosure portal — the database of security vulnerabilities that ethical hackers had reported to Uber and that were still outstanding — and downloaded it.
He then emailed those vulnerability reports to Uber’s security team from a Lapsus$ address. The message, in effect, was: Look what I have.
Uber spent the better part of a day verifying the intrusion was real and shutting down access. Kurtaj had taken screenshots of everything and posted them publicly.
He was, at the time of the Uber hack, out on police bail in England following his earlier arrest for the Nvidia and Rockstar intrusions.
Rockstar Games (September 2022)
Ten days after Uber, still on bail, still in a Premier Inn hotel room in Bicester, Oxfordshire — placed there by police who had confiscated his personal laptop — Arion Kurtaj broke into Rockstar Games.
Using nothing but a television, a mobile phone used as a hotspot, and an Amazon Fire Stick to browse the web, Kurtaj gained access to Rockstar’s internal Slack via a compromised employee account and then navigated to development servers containing material from GTA VI — the in-development sequel to the most commercially successful entertainment product in history.
He downloaded 90 video clips of early gameplay footage and posted them to GTAForums.com and the Lapsus$ Telegram channel. The footage went instantly viral. The gaming world stared at footage from a game that wasn’t scheduled for release for years, obtained by a teenager, in a hotel room, on bail, using a TV remote.
Rockstar’s parent company Take-Two Interactive confirmed the breach on September 19, 2022.
The Arrests and Aftermath
UK police had been watching the group since early 2022. In March 2022, City of London Police arrested seven individuals between the ages of 16 and 21 in connection with the Lapsus$ investigation. Most were released pending further investigation.
In September 2022 — the same week as the Uber hack — Arion Kurtaj was arrested again. The Rockstar hack had been committed while he was on bail from his first arrest, in a police-arranged hotel room specifically intended to keep him away from computers.
In August 2023, at Southwark Crown Court, Kurtaj and a second unnamed teenager were convicted following a trial. Kurtaj was found unfit to stand trial due to the severity of his autism and was instead assessed on whether he had committed the acts — the jury found that he had. He was sentenced to an indefinite hospital order. The second defendant received an 18-month youth rehabilitation order.
Brazilian police had separately arrested two individuals in São Paulo in October 2022.
The group had effectively ceased operations by late 2022, partly through arrests and partly through the scattering that typically follows intense law enforcement attention. But the breach record they left behind remains one of the most striking in the history of enterprise security — not for technical sophistication, but for its demonstration that the most secure perimeter in the world is powerless against a sufficiently determined and creative human being working the phone.
Attack Chain: Lapsus$ — Multi-Vector Social Engineering Campaign
graph TD
A["💬 Lapsus$\n(UK / Brazil–based, 2021–2022)\nTelegram-coordinated\nDEV-0537"] --> B["Initial Access Arsenal\n(multiple concurrent vectors)"]
B --> C["📱 SIM Swapping\nBribe/social-engineer\nmobile carrier reps\nHijack target's phone number\nCapture SMS MFA codes"]
B --> D["🔔 MFA Fatigue\nPush Bombing\nRepeat MFA push\nrequests 2–3 AM\nUntil employee approves"]
B --> E["💰 Insider Recruitment\nPublic Telegram 'job listings'\nOffer $20K+ for\ncorporate credentials\nor remote access installs"]
B --> F["🎭 Helpdesk Social\nEngineering\nPretend to be employee\nRequest password reset\n+ MFA re-enrollment"]
C --> G["Corporate VPN / Citrix\nAccess Obtained"]
D --> G
E --> G
F --> G
G --> H["Internal Network\nAccess Achieved"]
H --> H1["🟢 Okta (Jan 2022)\nSitel contractor\ncompromised; admin access\nto 15,000-org platform\n~366 customers affected"]
H --> H2["🟡 Nvidia (Feb 2022)\n1TB stolen: DLSS source code\n+ private code-signing certs\nExtortion: remove GPU\nmining limiters"]
H --> H3["🔵 Samsung (Mar 2022)\n190GB Galaxy firmware\nsource code exfiltrated\n& publicly released"]
H --> H4["🔴 Microsoft (Mar 2022)\n37GB source code for\nBing, Cortana, Azure\nDetected mid-exfiltration"]
H --> H5["📱 T-Mobile (2022)\nInternal source code repos\nFBI: insiders paid\nfor access"]
H --> H6["🚗 Uber (Sep 2022)\nFull admin: Slack, AWS,\nGCP, HackerOne database\n18-yr-old on bail\nfrom hotel room"]
H --> H7["🎮 Rockstar Games (Sep 2022)\nGTA VI dev footage\n90 clips leaked publicly\nAmazon Fire Stick +\nhot-spotted phone"]
H2 --> I["Nvidia Certs Leaked\nUsed to sign malware\nby third-party criminals"]
H6 --> J["Kurtaj posts to\nUber Slack internally:\n'I announce I am a hacker'"]
H7 --> K["Largest game industry\nleak in history\nViewed around the world"]
G --> L["Exfiltrate Everything\nPost on Telegram\n(tens of thousands\nwatching live)"]
L --> M["Public Humiliation\nof Victims"]
M --> N["🏛️ Arrests & Prosecution"]
N --> N1["UK: March 2022 — 7 arrested"]
N --> N2["Brazil: Oct 2022 — 2 arrested\nSão Paulo"]
N --> N3["Kurtaj: Aug 2023 conviction\nIndefinite hospital order\n(severe autism)"]
N --> N4["'White': Aug 2023 conviction\n18-month rehabilitation order"]
N --> O["Legacy: Social Engineering\nBeats Every Technical Control"]
O --> O1["MFA push bomb\nnow industry-recognized\nattack vector"]
O --> O2["Insider threat awareness\nmoves to board level"]
O --> O3["Third-party vendor access\nunder new scrutiny"]
Further Reading & Media
The Lapsus$ Rampage
A gang of teenagers and young adults — operating from bedrooms in Britain and Brazil — broke into Microsoft, Nvidia, Samsung, Okta, Uber, T-Mobile, and Rockstar Games using a combination of SIM swapping, MFA fatigue attacks, and a technique that baffled sophisticated security teams: simply paying insiders to open the door. Use this reference overview as a jumping-off point for deeper reporting, primary-source disclosures, and historical context.