Between late 2021 and late 2022, a threat group calling itself LAPSUS$ tore through some of the world's best-defended technology companies. Their victim list read like a who's who of the industry: Microsoft, Nvidia, Samsung, Okta, Ubisoft, T-Mobile, Uber, and Rockstar Games. What made LAPSUS$ unusual wasn't the companies they hit. It was how they hit them.
LAPSUS$ didn't rely on zero-days or custom malware. They didn't build sophisticated toolchains. Instead, they used a combination of social engineering, insider recruitment, SIM swapping, and brute persistence to bypass security controls that were designed to stop far more technically sophisticated attackers. In doing so, they exposed a blind spot in enterprise security that persists today.
Who Was LAPSUS$?
LAPSUS$ appeared to be a loosely organized group, with several core members believed to be teenagers based in the United Kingdom and Brazil. The group's apparent leader, known as "White" or "breachbase," was later identified as a 16-year-old from Oxford, England.
Unlike traditional ransomware groups motivated purely by profit, LAPSUS$ seemed driven by a mix of financial gain, notoriety, and what could only be described as chaos. They operated openly on Telegram, polling their followers on which company to target next and leaking stolen data publicly regardless of whether victims paid.
The group's youth and apparent lack of discipline led many to initially dismiss them. That was a mistake. Their techniques were devastatingly effective, and the data they stole from major tech companies had serious security implications.
The LAPSUS$ Playbook
Social Engineering at Scale
LAPSUS$ perfected the art of targeting help desks and IT support personnel. Their social engineering campaigns included:
SIM swapping: The group bribed or socially engineered telecom employees to transfer victim phone numbers to attacker-controlled SIM cards. This allowed them to intercept SMS-based multi-factor authentication codes. Reports indicated LAPSUS$ members had access to internal tools at multiple telecom providers, either through compromised employees or direct insider access.
MFA fatigue attacks: For organizations using push-based MFA, LAPSUS$ would bombard employees with authentication requests, often late at night or early in the morning, until the target approved one out of frustration or confusion. This technique, sometimes called "MFA bombing," proved remarkably effective even against security-conscious organizations.
Help desk manipulation: The group called IT help desks posing as employees, convincing support staff to reset credentials or enroll new MFA devices. They came prepared with employee information gleaned from data breaches, social media, and LinkedIn.
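The push-bombing pattern described above leaves a distinctive trail in identity provider logs: a run of push challenges to one user in a few minutes, often at night, followed by a single approval. As an added example (not code from the article or from any vendor), here is a small detector that runs over constructed sample log lines. The JSON field names, event kinds, and tuning values are assumptions for the illustration; map them onto your own IdP's export (Okta System Log, Entra ID sign-in logs, Duo authentication logs). Denials alone are weak evidence, so the detector also flags the approval that follows a burst, and flags it harder when it lands outside normal hours.

```python
"""Detect MFA push-fatigue ("MFA bombing") patterns in authentication logs.

Added example: the log format and field names are constructed for
illustration and are not any vendor's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (JSON lines). alice is bombed around 02:00 UTC and
# gives in on the sixth push; bob is a normal single-push login at 09:01.
SAMPLE_LOG = """\
{"ts":"2022-09-15T01:58:10Z","user":"alice@corp.example","event":"mfa.push.sent","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T01:58:40Z","user":"alice@corp.example","event":"mfa.push.denied","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T01:59:05Z","user":"alice@corp.example","event":"mfa.push.sent","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:00:00Z","user":"alice@corp.example","event":"mfa.push.sent","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:01:10Z","user":"alice@corp.example","event":"mfa.push.sent","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:02:20Z","user":"alice@corp.example","event":"mfa.push.sent","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:03:30Z","user":"alice@corp.example","event":"mfa.push.sent","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T02:04:12Z","user":"alice@corp.example","event":"mfa.push.approved","src_ip":"203.0.113.7"}
{"ts":"2022-09-15T09:01:00Z","user":"bob@corp.example","event":"mfa.push.sent","src_ip":"198.51.100.4"}
{"ts":"2022-09-15T09:01:08Z","user":"bob@corp.example","event":"mfa.push.approved","src_ip":"198.51.100.4"}
"""

# Tuning values are assumptions for the example, not vendor defaults.
WINDOW = timedelta(minutes=10)  # look-back window per user
BURST_THRESHOLD = 5             # pushes within WINDOW that count as a burst
OFF_HOURS_UTC = range(0, 6)     # 00:00-05:59 UTC: approvals here get a stronger flag


def parse_event(line):
    """Parse one JSON log line; the timestamp becomes an aware datetime."""
    event = json.loads(line)
    event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    return event


def detect_push_fatigue(log_text, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return findings, each a dict: user, kind, pushes_in_window, ts, src_ip.

    Three kinds of finding are raised:
      push_burst                     - the threshold-th push to one user inside the window
      approval_after_burst           - an approval while a burst is still inside the window
      off_hours_approval_after_burst - the same, at an hour when the user is unlikely
                                       to be logging in (LAPSUS$ bombed people at night)
    """
    events = sorted(
        (parse_event(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    recent_pushes = defaultdict(list)  # user -> timestamps of pushes still in window
    findings = []
    for ev in events:
        user = ev["user"]
        # Expire pushes that have fallen out of the window for this user.
        recent_pushes[user] = [t for t in recent_pushes[user] if ev["ts"] - t <= window]
        pushes = recent_pushes[user]

        if ev["event"] == "mfa.push.sent":
            pushes.append(ev["ts"])
            if len(pushes) == threshold:  # fire once per burst, not on every extra push
                findings.append(_finding(ev, "push_burst", len(pushes)))
        elif ev["event"] == "mfa.push.approved" and len(pushes) >= threshold:
            kind = "approval_after_burst"
            if ev["ts"].hour in OFF_HOURS_UTC:
                kind = "off_hours_" + kind
            findings.append(_finding(ev, kind, len(pushes)))
        # Denials and timeouts need no handling here; the sent events already count them.
    return findings


def _finding(ev, kind, pushes_in_window):
    return {
        "user": ev["user"],
        "kind": kind,
        "pushes_in_window": pushes_in_window,
        "ts": ev["ts"].isoformat(),
        "src_ip": ev["src_ip"],
    }


if __name__ == "__main__":
    for f in detect_push_fatigue(SAMPLE_LOG):
        print(f"{f['ts']}  {f['user']:<22} {f['kind']:<32} pushes={f['pushes_in_window']} src={f['src_ip']}")
```

On the constructed log this produces two findings for alice (a burst at the fifth push and an off-hours approval with six pushes still in the window) and nothing for bob. In production, the approval-after-burst finding is the one worth paging on: it is the moment the attacker has a session, and the response is to revoke that session and re-verify the user through a channel the attacker does not control.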
Insider Recruitment
LAPSUS$ openly advertised on their Telegram channel and on forums, offering to pay employees at target companies for access credentials. Their recruitment posts specifically sought:
- VPN credentials from employees at telecom companies, large tech firms, and software companies
- Access to internal tools at phone carriers (for SIM swapping)
- Credentials for enterprise authentication systems (Okta, Azure AD)
This was brazen, but it worked. The group reportedly paid thousands of dollars per week for insider access at telecommunications companies.
Initial Access Broker Purchases
Beyond direct social engineering, LAPSUS$ purchased credentials and session tokens from initial access brokers — criminal marketplaces where compromised corporate access is traded. These purchases provided ready-made footholds in target networks without requiring the group to conduct their own initial intrusion.
Notable Attacks
Nvidia (February 2022)
LAPSUS$ stole approximately 1TB of data from Nvidia, including proprietary source code, hardware schematics, employee credentials, and two code-signing certificates. The group demanded that Nvidia open-source its GPU drivers and remove the Lite Hash Rate (LHR) cryptocurrency-mining limiter from its RTX 30-series cards, demands that revealed the group's unconventional motivations.
LAPSUS$ claimed that Nvidia hacked back by encrypting the stolen data on the group's systems; Nvidia never confirmed this, and the group said it had backups and leaked the data anyway. The two leaked code-signing certificates had already expired, but Windows would still load drivers signed with them, so other threat actors quickly used them to sign malware, including Cobalt Strike beacons and Mimikatz. Defenders responded by blocking the certificates' serial numbers with Windows Defender Application Control rules, a reminder that a leaked signing key extends a breach far beyond the original victim.
Samsung (March 2022)
The group stole approximately 190GB of source code from Samsung, including source code for Galaxy device bootloaders, biometric authentication algorithms, and confidential source code from Qualcomm. The theft of bootloader code was particularly concerning, as it could potentially be used to develop device exploits.
Microsoft (March 2022)
LAPSUS$ compromised a single Microsoft employee account and exfiltrated partial source code for Bing, Bing Maps, and Cortana. Microsoft confirmed the breach but stated that the stolen code contained no customer data or credentials and, because Microsoft does not rely on the secrecy of source code as a security measure, did not raise the risk to its products.
Microsoft's subsequent analysis of the group's techniques, which it tracked as DEV-0537, became one of the most valuable public threat intelligence reports on LAPSUS$, detailing their social engineering and credential theft methodology.
Okta (March 2022)
This was arguably LAPSUS$'s most consequential breach. In January 2022 the group gained remote access to the workstation of a support engineer at Sitel, a company that provided customer support services for Okta. That access reached Okta's internal support tooling, which could reset passwords and MFA factors for Okta customers (organizations that relied on Okta as their identity provider) but could not read their passwords. Okta disclosed the incident only after LAPSUS$ posted screenshots of the tooling in March.
Okta's initial response downplayed the breach, saying that at most 2.5% of customers (approximately 366 organizations) were potentially affected; its final investigation concluded that the attacker had controlled the workstation for 25 consecutive minutes and accessed the tenants of two customers. The larger damage was to trust, because of the two-month gap between the intrusion and its disclosure. The incident exposed the risks inherent in outsourced IT support and demonstrated how a supply chain compromise through a service provider could cascade to hundreds of downstream customers.
Uber and Rockstar Games (September 2022)
An 18-year-old associated with LAPSUS$ compromised Uber by flooding a contractor with MFA push requests until one was approved; Uber said the contractor's password had likely been bought on a criminal marketplace, and the attacker reportedly also messaged the contractor on WhatsApp posing as Uber IT. From that foothold the attacker pivoted to other employee accounts and internal systems, including the company's HackerOne bug bounty dashboard. Days later, the same attacker leaked pre-release footage of Grand Theft Auto VI from Rockstar Games.
Why Traditional Defenses Failed
LAPSUS$ succeeded against organizations with mature security programs because their attack techniques targeted assumptions rather than vulnerabilities:
Assumption: MFA stops unauthorized access. LAPSUS$ demonstrated multiple MFA bypass techniques: SIM swapping for SMS codes, MFA fatigue for push notifications, and help desk social engineering for enrollment resets. The MFA implementations at these companies weren't technically broken; they were operationally bypassable. Only factors bound to the device and the origin, such as FIDO2/WebAuthn security keys, resist all three, and even those depend on a help desk that will not enroll a new key for a caller it has not verified.
Assumption: Perimeter security contains threats. Once LAPSUS$ obtained valid credentials, they operated as legitimate users. Network security tools designed to detect malware or exploit traffic had nothing to flag.
Assumption: Third-party access is managed. The Okta breach through Sitel showed that supply chain access — outsourced support, contracted IT services — creates attack surface that many organizations don't adequately monitor.
Assumption: Attackers need sophisticated tools. LAPSUS$ used publicly available tools, social engineering, and purchased access. There were no custom implants to detect, no C2 infrastructure to block, no exploit code to patch against.
Law Enforcement Response
In March 2022, the City of London Police arrested seven individuals aged 16 to 21 in connection with LAPSUS$ activities. The alleged ringleader, then 16, was subsequently charged with multiple offenses. In August 2023, a jury at Southwark Crown Court found that the then-18-year-old had committed multiple acts of computer misuse, blackmail, and fraud; because he had been ruled unfit to stand trial, the jury decided whether he did the acts rather than returning a conviction. In December 2023 he was given an indefinite hospital order, and a 17-year-old co-defendant was convicted and given a youth rehabilitation order.
Despite the arrests, attacks continued from other LAPSUS$-affiliated individuals, demonstrating the difficulty of fully dismantling loosely organized threat groups.
Lasting Impact
LAPSUS$ fundamentally changed how the security industry thinks about several areas:
MFA design: The wave of MFA fatigue attacks pushed vendors including Microsoft and Okta to add number matching and richer context (requesting application, approximate location) to push notifications. Instead of tapping Approve, the user must type the number displayed on the login screen into the authenticator, so a push the user did not initiate cannot be satisfied by a reflexive tap. Microsoft made number matching mandatory for Authenticator push in 2023.
Help desk verification: Organizations began implementing stricter identity verification for help desk requests, particularly for credential resets and MFA changes.
Insider threat programs: LAPSUS$'s open recruitment of insiders highlighted the need for better insider threat detection, particularly at companies whose employees have access to sensitive systems or data.
Third-party risk: The Okta breach reinforced that outsourced service providers are a direct extension of your attack surface and need to be secured accordingly.
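Number matching, described under MFA design above, is easiest to understand as a small protocol change. The following is an added example, not code from the article, Microsoft, or Okta: a toy push-MFA server with a simulated phone, run once without and once with number matching. It shows the property the change buys (a push the user did not start cannot be approved by a tap, because the phone must supply a number that only the login screen shows) and its limit (a user coached by "IT support" into typing the attacker's number still lets the attacker in). The attempt limit, the 0-99 number range, and the user names are assumptions for the model.

```python
"""Push MFA with and without number matching: a toy server and simulated phone.

Added example, not vendor code. MAX_ATTEMPTS and the 0-99 number range are
assumptions for the model.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Challenge:
    user: str
    number: Optional[int]   # None when the server runs plain approve/deny push
    approved: bool = False
    consumed: bool = False  # single use: approved, denied, or locked out
    attempts: int = 0


class PushMfaServer:
    MAX_ATTEMPTS = 3  # wrong numbers tolerated before the challenge is closed (assumed)

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.challenges = {}

    def start_login(self, user):
        """Password already accepted. Sends a push; returns (challenge_id, number_on_login_screen).

        With number matching the number is shown only to whoever typed the
        password, i.e. the attacker in a bombing scenario, and never to the phone.
        """
        number = secrets.randbelow(100) if self.number_matching else None
        cid = secrets.token_hex(8)
        self.challenges[cid] = Challenge(user, number)
        return cid, number

    def respond(self, cid, approve, entered=None):
        """The phone's answer. Returns True only if the login is now approved."""
        ch = self.challenges[cid]
        if ch.consumed:
            return False
        if not approve:
            ch.consumed = True
            return False
        if ch.number is None:  # legacy push: a tap is all it takes
            ch.approved = ch.consumed = True
            return True
        ch.attempts += 1
        if entered == ch.number:
            ch.approved = ch.consumed = True
            return True
        if ch.attempts >= self.MAX_ATTEMPTS:
            ch.consumed = True  # lock the challenge; a later correct entry is refused
        return False


# Phone-side behaviours.
def fatigued_tap(server, cid):
    """User approves a push they did not start. They have no number to type."""
    return server.respond(cid, approve=True, entered=None)


def coached_entry(server, cid, number_from_attacker):
    """User is told the number by 'IT support' (the attacker reading their own screen)."""
    return server.respond(cid, approve=True, entered=number_from_attacker)


# Scenarios.
def simulate_bombing(number_matching, pushes=20):
    """Attacker with a valid password fires `pushes` logins; the victim taps Approve every time."""
    server = PushMfaServer(number_matching)
    for _ in range(pushes):
        cid, _shown = server.start_login("victim@corp.example")
        if fatigued_tap(server, cid):
            return True   # legacy push: the attacker is in
    return False          # number matching: no blind tap ever succeeds


def simulate_coaching():
    """Number matching, but the victim is talked into typing the attacker's number."""
    server = PushMfaServer(number_matching=True)
    cid, shown = server.start_login("victim@corp.example")
    return coached_entry(server, cid, shown)


def simulate_wrong_guesses():
    """Victim types wrong numbers; returns (any_guess_succeeded, locked, correct_number_accepted_after_lock)."""
    server = PushMfaServer(number_matching=True)
    cid, shown = server.start_login("victim@corp.example")
    wrong = (shown + 1) % 100
    results = [server.respond(cid, True, wrong) for _ in range(PushMfaServer.MAX_ATTEMPTS)]
    locked = server.challenges[cid].consumed
    late_correct = server.respond(cid, True, shown)
    return any(results), locked, late_correct


if __name__ == "__main__":
    print("legacy push, victim taps approve:        ", simulate_bombing(False))
    print("number matching, victim taps approve:    ", simulate_bombing(True))
    print("number matching, victim coached:         ", simulate_coaching())
    print("number matching, wrong guesses then lock:", simulate_wrong_guesses())
```

The coached scenario is the caveat worth remembering: number matching defeats the reflexive tap that LAPSUS$ relied on, but the attacker always knows the number, so anyone who can talk the user into entering it (the help-desk and "IT support" pretexts from the playbook above) still gets through. That is why it is a mitigation for push fatigue specifically, not a phishing-resistant factor in the way a FIDO2 key is.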
How Safeguard.sh Helps
LAPSUS$ demonstrated that your security is only as strong as your weakest supply chain link. The Okta breach through a third-party support contractor is a textbook example — one compromised vendor threatened hundreds of downstream organizations.
Safeguard.sh provides the supply chain visibility needed to understand these cascading risks. By mapping your complete software dependency chain and monitoring the security posture of components throughout your stack, the platform helps you identify single points of failure before they're exploited.
The platform's continuous monitoring and automated alerting ensure that when a vendor in your supply chain is compromised — whether through social engineering, insider threats, or technical exploitation — you have immediate visibility into which of your systems are potentially affected. In a world where attackers target the path of least resistance, knowing your full supply chain exposure is the foundation of effective defense.