This article is more than 1 year old
British cops arrest seven in Lapsus$ crime gang probe
Bitcoin millionaire teen said to be among those detained
British cops investigating a cyber-crime group have made a string of arrests.
Though City of London Police gave few details on Thursday, officers are said to be probing the notorious extortionware gang Lapsus$, and have detained and released seven people aged 16 to 21.
In a statement, the force said: "Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing."
Among them is a 16-year-old boy from Oxford who has been accused of being one of the crew's leaders, the BBC reported. He cannot be identified for legal reasons.
"I had never heard about any of this until recently," the boy's father was quoted as saying by the broadcaster. "He's never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games. We're going to try to stop him from going on computers."
Bloomberg first reported the boy's alleged involvement with the extortion gang on Wednesday, and claims by security researchers that he was the crew's mastermind. Lapsus$ is the devil-may-care team of miscreants that have broken into major firms including Microsoft, Samsung, Vodafone, and Okta.
It is said the boy netted about $14m in Bitcoin from his online life, and was lately doxxed – which means he had his personal info leaked online – after an apparent falling out with his business partners. Palo Alto Networks and infosec outfit Unit 221B meanwhile said they have been tracking who they believe to be the leader of the crew since last year, and know that person's identity, but could not confirm the arrested 16-year-old was the brains behind the extortion operation.
"We've had his name since the middle of last year and we identified him before the doxxing," Allison Nixon, chief research officer at Unit 221B, told the BBC. She added that the netizen they were monitoring had left a trail of clues to their identity due to OPSEC mistakes.
"Unit 42, together with researchers at Unit 221B, identified the primary actor behind the Lapsus$ Group moniker in 2021, and have been assisting law enforcement in their efforts to prosecute this group," Palo Alto Networks added.
Lapsus$ rise and fall
The cyber-crime ring rose to fame in recent months for its brash tactics and its propensity to brag about its exploits on Telegram. Its standard operating procedure is to infiltrate a big target's network, steal sensitive internal data, make demands to prevent the public release of this material – and usually release some of it anyway.
- Devil-may-care Lapsus$ gang is not the aspirational brand infosec needs
- Okta now says: Lapsus$ may in fact have accessed customer info
- Microsoft investigates Lapsus$'s boasts of Bing, Cortana code heist
- Lapsus$ extortionists dump Samsung data online, chaebol confirms security breach
Lapsus$ was believed to be based in Brazil as its earliest victims included that country's Ministry of Health and Portuguese media outlets SIC Noticias and Expresso.
In February, however, the criminals sneaked into Nvidia's networks and stole one terabyte of data including employee credentials and proprietary information, and dumped some of it online.
Days later Lapsus$ said it had raided Samsung and stole 190GB of internal files including some Galaxy device source code.
The criminal group followed that up by claiming it was responsible for a cybersecurity incident at gaming giant Ubisoft.
'Motivated by theft and destruction'
Microsoft, in its days-late confirmation that Lapsus$, which the Windows giant calls DEV-0537, did indeed steal some of its source code, and said the crime group seems to be "motivated by theft and destruction." Microsoft added:
Unlike most activity groups that stay under the radar, DEV-0537 doesn't seem to cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations. DEV-0537 also uses several tactics that are less frequently used by other threat actors tracked by Microsoft.
Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.
In an email to The Register, endpoint security vendor Cybereason's Director of Security Strategy Ken Westin said he wouldn't be surprised if the notorious cyber-crime ring's bosses do turn out to be teenagers.
"The security community underestimates the younger generation," he wrote. "We forget teens today have not only grown up with computers, but also have access to an unprecedented number of educational resources on programming and offensive security."
Like others, Westin said he suspected the group was young "based on their modus operandi, or lack thereof."
"It was as if they were surprised by their success and were not sure what to do with it," he noted.
Today's teens can see how much money cyber-criminals make from ransomware and other destructive attacks. "They are the new rockstars," Westin said. "You pair this with the fact kids have been cooped up for years often with nothing but the internet to entertain themselves and we shouldn't be surprised we have skilled hackers." ®