On March 4, 2022, the LAPSUS$ group posted a teaser on their Telegram channel: a screenshot of Samsung internal source code and a promise of more to come. Two days later, they delivered. A 190GB data dump, split into three compressed archives, was released via torrent. It contained source code for Samsung's TrustZone environment, biometric unlock algorithms, bootloader source for all recent Samsung devices, Qualcomm confidential source code, Samsung activation server code, and the full source for Samsung's Knox security platform.
This was the LAPSUS$ group at peak operational tempo. They had already hit NVIDIA weeks earlier and would go on to breach Microsoft, Okta, and others in the following weeks. But the Samsung breach was particularly consequential because of what was stolen: not just corporate data or user credentials, but the source code that underpins the security of hundreds of millions of Samsung devices.
What Was Stolen
The leaked data was organized into three parts, each targeting a different aspect of Samsung's device ecosystem.
Part 1: TrustZone and security-critical code. This included source code for Samsung's Trusted Execution Environment (TEE), which runs in ARM TrustZone. The TEE handles the most sensitive operations on a Samsung device: biometric authentication, encryption key management, hardware-backed attestation, and DRM enforcement. Source code for these components gives attackers a detailed map of Samsung's most critical security boundaries.
Part 2: Device security and encryption. Bootloader source code for all recent Samsung devices, algorithms for biometric operations including fingerprint and facial recognition, and source code for Samsung Knox, the platform's enterprise security framework. Knox is used by governments and enterprises worldwide to secure Samsung devices, making its source code extremely sensitive.
Part 3: Samsung and Qualcomm confidential code. This included various Samsung backend services, the Samsung activation server, and confidential Qualcomm source code that Samsung received under NDA. The Qualcomm component added a multi-party dimension to the breach, as the stolen data belonged to two companies, not one.
The Security Implications
Source code theft for consumer electronics is qualitatively different from typical corporate data breaches. The affected devices can't be recalled or patched quickly. The knowledge gained from source code analysis persists indefinitely.
TrustZone exploitation becomes easier. TrustZone vulnerabilities are among the most valuable in the exploit market because they provide root-of-trust compromise on ARM devices. With source code, finding these vulnerabilities shifts from painstaking binary reverse engineering to straightforward code auditing. Researchers have long found TrustZone bugs through binary analysis; with source code, the process is dramatically more efficient.
Biometric bypass research accelerates. Samsung's biometric authentication algorithms were previously black boxes. Attackers had to work with behavioral observations and side-channel analysis. With the actual source code, they can identify implementation weaknesses, edge cases in the matching algorithms, and potential bypass techniques directly.
Bootloader attacks become practical. Bootloader security is the foundation of the entire device security model. If the bootloader is compromised, every security mechanism above it, including Knox, encryption, and secure boot, can be undermined. Source code access makes bootloader vulnerability research straightforward.
Knox enterprise trust is undermined. Organizations using Samsung Knox to secure their device fleets made that decision based partly on the assumption that Knox's security architecture was a closely guarded secret. With the source code public, attackers can study Knox's design for weaknesses that affect every Knox-secured device.
How LAPSUS$ Operated
The LAPSUS$ group's techniques were notable for their simplicity and effectiveness. They didn't rely on sophisticated zero-day exploits or custom malware. Their playbook was built around social engineering, credential theft, and insider recruitment.
For Samsung specifically, the exact initial access method was never publicly confirmed. However, LAPSUS$ was known to use several techniques, including purchasing credentials from initial access brokers, SIM-swapping to bypass MFA, recruiting insiders through Telegram offers of payment for VPN or Citrix access, and targeting IT helpdesks for password resets.
Once inside, LAPSUS$ moved quickly. They identified high-value targets (source code repositories), exfiltrated data in bulk, and published it with minimal delay. Their motivations appeared to be a mix of notoriety-seeking and financial gain through extortion.
The group's operational security was ultimately poor. Several members, including teenagers in the UK and Brazil, were identified and arrested in March and April 2022. But by then, the damage was done. The source code was publicly available and couldn't be recalled.
Samsung's Response
Samsung confirmed the breach on March 7, 2022, stating that "certain internal company data" had been accessed but that no personal information of customers or employees was compromised. They described implementing enhanced security measures but provided limited technical detail about the breach vector or their remediation efforts.
The reality was that Samsung had no practical way to remediate the most significant impact: the exposure of device security source code. They could rotate server-side credentials, patch specific vulnerabilities that the source code revealed, and harden their internal access controls. But the source code itself was permanently public, and the security advantages it provides to attackers would persist for the lifetime of affected devices.
Samsung did accelerate their bug bounty programs and security research partnerships following the breach, likely in an attempt to identify and fix vulnerabilities before attackers could exploit the leaked source code.
Lessons from the LAPSUS$ Campaign
The Samsung breach was part of a broader LAPSUS$ campaign that taught the industry several uncomfortable lessons.
Social engineering still works. Despite billions invested in perimeter security, a group of teenagers could breach some of the world's largest technology companies through social engineering and credential theft. Technical controls are necessary but not sufficient without corresponding human-layer defenses.
MFA is not a complete solution. LAPSUS$ regularly bypassed MFA through SIM swapping, MFA fatigue attacks (spamming authentication prompts until the target approves one), and socially engineering helpdesks into resetting MFA. Organizations that treated MFA as a silver bullet discovered it was merely one layer.
Source code access control matters. Samsung's source code for its most sensitive components was accessible to a broad internal audience. Implementing strict need-to-know access for security-critical source code would have limited the blast radius even after initial network compromise.
Insider threat programs are underinvested. LAPSUS$ openly recruited insiders on Telegram. Organizations need to monitor for and respond to insider threat indicators, including unusual access patterns, large data transfers, and evidence of compromise or coercion.
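The MFA fatigue pattern described above (a burst of rejected or unanswered push prompts followed by an approval) is visible in authentication logs. This is an added detection example, not code from the original post or from any vendor; the log format, field names, threshold and window are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of push-MFA events for illustration (not real logs).
# One event per line: <ISO-8601 UTC timestamp> <user> <outcome>
SAMPLE_LOG = """\
2022-03-01T02:14:03Z alice denied
2022-03-01T02:14:41Z alice timeout
2022-03-01T02:15:12Z alice denied
2022-03-01T02:15:50Z alice timeout
2022-03-01T02:16:22Z alice approved
2022-03-01T08:30:00Z bob denied
2022-03-01T08:30:45Z bob approved
2022-03-01T23:01:00Z carol denied
2022-03-01T23:01:30Z carol denied
2022-03-01T23:02:00Z carol denied
2022-03-01T23:02:30Z carol denied
"""

def parse_events(text):
    """Parse log lines into (timestamp, user, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return sorted(events)

def detect_mfa_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Flag an approval preceded by >= threshold denied/timed-out prompts for the
    same user inside the window. A burst with no approval is not flagged here."""
    recent = defaultdict(deque)   # user -> timestamps of recent non-approved prompts
    findings = []
    for ts, user, outcome in events:
        q = recent[user]
        while q and ts - q[0] > window:   # drop prompts that fell out of the window
            q.popleft()
        if outcome == "approved":
            if len(q) >= threshold:
                findings.append({"user": user, "rejected_prompts": len(q),
                                 "burst_start": q[0], "approved_at": ts})
            q.clear()                      # an approval ends the episode
        else:
            q.append(ts)
    return findings

if __name__ == "__main__":
    for f in detect_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(f"MFA fatigue suspected: {f}")
```

With the sample, only alice is flagged: bob approved after a single denial and carol's burst never ended in an approval.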
How Safeguard.sh Helps
Safeguard.sh helps organizations protect their software supply chain even when source code confidentiality is lost. Our platform's continuous vulnerability scanning identifies weaknesses in your codebase before attackers can find them through leaked source code. SBOM generation provides complete visibility into your software components, enabling rapid response when related breaches expose information that could be used to target your dependencies. Policy gates enforce security baselines that catch the kind of targeted attacks that become possible when an attacker has read your source code. The lesson from Samsung's breach is clear: security through obscurity is not security at all, and organizations need defense mechanisms that work even when their internals are known.