An update on the short-lived (or, potentially ongoing) hacking escapades of a British teen who lives with his mom
by Wally Prather, Senior Staff Threat Researcher and Ryan Slaney, Staff Threat Researcher
Executive Summary
This update is Part 2 of SecurityScorecard’s research into the Lapsus$ cyber-crime group. See “Move aside, Conti, Lapsus$ coming through!” for Part 1.
On March 24, City of London Police arrested seven individuals ages 16 to 21, reported to be members of the Lapsus$ cyber-crime group.
The original arrests did not lead to charges being filed. However, on April 2, two individuals were re-arrested and charged with cyber offenses.
The alleged leader of the group is a British teenager who lives with his mother, yet has an estimated net worth of over $10,000,000.
Lapsus$ has released data after the initial arrests, but it is unclear whether Lapsus$ will remain a viable cyber-crime group after the arrest of its alleged leader.
Background
One would be hard pressed to find anyone working today in the cybersecurity world who has not yet heard of Lapsus$, an emerging cyber-crime group with big claims of breaching the likes of high-profile companies Microsoft, Samsung, NVIDIA, and Okta, amongst others. As SecurityScorecard noted in Part 1, “Move aside, Conti, Lapsus$ coming through!,” a post to Doxbin in January 2022 suggested a high-ranking Lapsus$ member was actually a 16-year-old teenager residing in Kidlington, England, who regularly used the pseudonyms SigmA, wh1te, and Breachbase. In this update to our original Lapsus$ blog post, SecurityScorecard explores newly obtained information regarding the identity of this teenager, their hacking career, and their apparent undoing.
The Undoing
The undoing of SigmA, the most recent alias used by the alleged teen mastermind behind Lapsus$, appears to be a result of a feud with a fellow hacker named “KT.” KT was the owner and administrator of the website Doxbin. According to information on Doxbin, SigmA bought Doxbin from KT for $75,000 in November 2021. SigmA quickly ran the website into the ground, breaking several of its functions and destroying what little reputation it had. KT decided to buy the website back from SigmA, at a fraction of the cost he sold it for.
At this point, things got messy between SigmA and KT. After the sale of the site back to KT, KT alleged that SigmA locked the site’s registrar account and stole its Discord vanity. KT was able to quickly regain access to these accounts. SigmA responded by using Doxbin’s official Twitter account to publicly advertise a $100,000 bounty for information on KT. Again, KT quickly regained access to the Twitter account and began using it to mock SigmA for his poor operational security practices and weak passwords.
Image 1: SigmA’s public bounty on KT. Image 2: KT’s response using the same account.
Obviously frustrated with KT’s ability to quickly take back control of accounts associated with Doxbin, SigmA decided to dump Doxbin’s entire user database, compromising nearly 3,000 accounts. In doing so, SigmA leaked their own password, which contained elements of his real name.
The user dump was the last straw for KT, who then decided to proceed with the ‘nuclear’ option. KT and associated allies hacked into several of SigmA’s accounts and posted the information they found to Doxbin. The resulting dox was a treasure trove of personal information related to SigmA and their family, which included addresses, phone numbers, and photos. The dox indicated that SigmA’s internet presence began with an obsession with Minecraft servers and fantasies of being the next big hacker on the scene. SigmA later connected with other young people who were involved in the zero-day exploit selling/trading community. SigmA began making money to further expand his exploit collection, and after a few years had a net worth of more than 300 BTC (nearly $14M USD). In early 2021, SigmA co-founded a now-defunct group of cyber enthusiasts called “Infinity Recursion.” Finally, KT indicated that SigmA was currently involved with the newly formed cybercrime group Lapsus$.
KT’s disdain for SigmA was quite obvious in this post, as KT used every opportunity to mock and troll SigmA when describing the pictures and information obtained.
One of KT’s allies, a hacker who goes by “Federal,” sent an email to Portugal’s Center of Cyber Security offering to provide information on SigmA in exchange for 35 percent of the money extorted from Impresa, a company allegedly breached by Lapsus$.
Image 3: Offer for information on SigmA sent to Portugal’s Center of Cyber Security
KT alleges that one of SigmA’s allies offered to pay to have the dox removed. After some back and forth, KT agreed to accept $25,000 as an initial payment to remove the dox and to post that they had made all of it up. However, after accepting the initial payment, KT reneged on the deal and quickly posted the conversation to Doxbin, joking that SigmA’s bounty on KT’s own identity would now no doubt increase to $1,000,000.
Image 4: Request to have SigmA’s Dox removed.
Image 5: Payment Confirmation
Image 6: KT Statement on request to remove dox.
At this point, it was just a matter of time before law enforcement would show up at SigmA’s door. KT alleges that SigmA narrowly escaped capture when two men visited his mother’s house asking about his whereabouts. When they were told SigmA wasn’t home, the men proceeded to SigmA’s father’s residence, arriving just after SigmA was able to get away in an Uber, and possibly escape to Spain.
Initial Arrests
On March 24, various media outlets reported that City of London Police had arrested seven teenagers in relation to the Lapsus$ gang. They were all subsequently released. Although no names were given, SecurityScorecard assesses that SigmA was among those arrested. These arrests coincide with a post to the Lapsus$ Telegram channel indicating that a few of the Lapsus$ members would be on vacation for a few days, and that the group may be quiet during that time.
It does not appear that those arrests mean we have heard the last of Lapsus$. On March 29, Lapsus$ announced it was back from vacation and, in what has become a Lapsus$ tradition, posted a teaser screenshot on its Telegram channel showing folders which contained data appearing to belong to Globant, an IT and software company. The next day, Lapsus$ indicated it had obtained administrative credentials and source code from Globant, subsequently releasing them in a 70 GB torrent file. Globant confirmed the Lapsus$ claim, advising that “a limited section of our company’s code repository has been subject to unauthorized access.” It is unclear whether Lapsus$ attempted to extort Globant before releasing the data.
Lapsus$ reportedly consists of members in the UK, Portugal, and Latin America. It is likely that the members based in the latter countries were responsible for this specific breach, given that the UK members of the gang would know that law enforcement in their region would be watching them closely.
Subsequent Arrests
On April 2, further reports came out about the arrests of two teenagers who were charged with various cyber offenses. Legal restrictions related to the ages of the suspects meant the names and/or personal details of the individuals could not be revealed. The teenagers were later released, subject to certain conditions.
Since the latest arrests, there has been no activity on Lapsus$’s Telegram channel or its backup Matrix chat site.
Conclusion
SecurityScorecard assesses it likely that SigmA was one of the teenagers re-arrested and charged with cyber offenses in early April. The conditions of their bail likely stipulate that they are to have no access to the internet from any device, other than for school purposes. SecurityScorecard is working to confirm this.
Given the attention from UK law enforcement, it would not be a wise move for SigmA to breach this condition. However, SigmA has a history of making bad decisions and underestimating the importance of operational security, and thus could potentially return to their hacking ways.
Although it is likely that SigmA’s hacking activities will cease pending trial, it remains to be seen whether Lapsus$ will continue as an effective cyber-crime group without its alleged leader. It is possible that SigmA and the other arrested teenager will cooperate with authorities and provide the identities of the remaining Lapsus$ members. Such a move would likely enable authorities to make further arrests in other countries.
Until then, SecurityScorecard’s Global Investigations Team will continue to monitor the communications and activities of Lapsus$ to provide our customers with relevant threat intelligence regarding this unconventional cyber-crime group.