16-Year-Old Master Hacker and Six Others Nabbed for Ties With the Lapsus$ Gang


Seven teenagers residing in the UK, including a 16-year-old in Oxford, were arrested for their ties to cyber extortionist gang Lapsus$ this week. The 16-year-old was reportedly ratted out by his cybercriminal associates, who may not necessarily be Lapsus$ members.

Bragging is never the right move, especially when you operate in the dark corners of the world wide web. At least that’s what seven very young and suspected members of the cybercriminal syndicate Lapsus$ discovered this week.

In the hush-hush world of online crime, going out of your way to boast of your illicit activities that had a significant impact on more than half a dozen global organizations and governments is undoubtedly a one-way ticket to a prison cell. Fortunately for the white hat community, one Lapsus$ member began to enjoy the ‘game’ a bit too much.

The father of a minor — a 16-year-old boy from Oxford, U.K. — thought his son was playing “a game” when he was, in fact, engaging in high-level cybercrime, raking in millions of dollars along the way.

The boy’s father told the BBC, “I had never heard about any of this until recently. He’s never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games.” The rest of those arrested by the City of London police because of alleged ties with Lapsus$ are also aged 16 to 21.

Ken Westin, director of security strategy at Cybereason, told Toolbox, “Today, teens have seen how much money is being made in criminal hacking, in some ways they are the new rock stars. You pair this with the fact that kids have been cooped up for a couple of years, often with nothing but the internet to entertain themselves, so we shouldn’t be surprised we have skilled hackers.”

“The issue is that their brains are still developing and the line between fun and crime can get blurred, where it’s common for kids to hack to gain notoriety amongst their peers; but this easily crosses over into decisions that can affect the rest of their lives.”

Lapsus$ is new, but prolific. In just four months, the gang claimed responsibility for the following:

| Lapsus$ Victim | Date | Impact |
|---|---|---|
| Brazil’s Ministry of Health | December 2021 | Exfiltrated data associated with the country’s immunization program |
| Impresa (Portugal’s largest media conglomerate) | January 2022 | Defaced all of its websites with a ransom note |
| | February-March 2022 | Stole and leaked 19 GB of sensitive data including software info and employee credentials. Demanded financial and non-financial ransom |
| Samsung | March 2022 | Stole and leaked 190 GB data including source code for several projects, and authentication protocols |
| Mercado Libre | March 2022 | “Part of the source code,” access to 300,000 users |
| Ubisoft | March 2022 | |
| | March 2022 | Stole ~37 GB data including source code of several projects |
| Okta | March 2022 | 2.5% of Okta customers (366 organizations) are impacted |

At least one member of Lapsus$ may have also been involved in the exfiltration of 780 GB of Electronic Arts data in June 2021. Using this stolen data, they extorted EA for money in exchange for not leaking it. Lapsus$ has also claimed to have data of Vodafone and LG Electronics.

They are doing this through a “large-scale social engineering and extortion campaign.” According to Microsoft, which is tracking Lapsus$ as DEV-0537, the group’s end game is cyber extortion akin to ransomware.

They steal data and threaten to leak it publicly if a ransom isn’t paid. However, they do not use any ransomware strain but rely on stolen credentials or cookies, SIM-swapping, and even recruit and pay company insiders, suppliers, or business partners. But Lapsus$ was careless in the way they operated.

“Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations. DEV-0537 also uses several tactics that are less frequently used by other threat actors tracked by Microsoft,” Microsoft noted.

Westin added, “I speculated the group was young based on their modus operandi, or lack thereof. It was as if they were surprised by their success and were not sure what to do with it. In some of their follow up communications their language appeared more interested in the notoriety and defensiveness of their capabilities and accomplishments than any financial motivation.”

Infosec professionals Dave Maasland and Marcus Hutchins (aka MalwareTech) have previously expressed their thoughts on the group’s incompetence. Hutchins wrote, “IDK how a group can be that competent and incompetent at the same time.”

The 16-year-old who goes by the alias ‘White’ or ‘Breachbase’ may have been outed by his partners. Reportedly, they had a falling out, after which the hackers revealed White’s name, address, social media pictures, and his cybercriminal activities on an underground site.

“After a few years his net worth accumulated to well over 300BTC [close to $14m]… [he is] now is affiliated with a wannabe ransomware group known as ‘Lapsus$’, who has been extorting & ‘hacking’ several organisations.”

They did this in retaliation for White leaking the Doxbin dataset on Telegram. Doxbin is a text-based site where cybercriminals or anyone can ‘dox,’ i.e., publicly reveal private or identifying information of any other person. White had bought this site last year but sold it in January 2022 back to the original owner following harassment from other members, but not before leaking the entire data set.

Allison Nixon, chief research officer at Unit 221B, told Brian Krebs of Krebs on Security, “He wasn’t a good administrator, and couldn’t keep the website running properly. The Doxbin community was pretty upset, so they started targeting him and harassing him.”

Nixon also told the BBC that White of WhiteDoxbin had been on Unit 221B’s radar since mid-2021. However, law enforcement eventually caught up to him because of the mistakes he made along the way. These include disproportionate steps to cover up his activities, leading to his exposure as one of the founding members of SIM-swapping group Recursion Team, besides obviously leaking the entire Doxbin dataset.

There is also a possibility that law enforcement didn’t nab White sooner because they were possibly after some big fish or because they were waiting for a major slip-up. The Okta breach could prove to be just that.

Westin told Toolbox, “It is too early to say if this will be the end of Lapsus$, it could still be a false flag, bad attribution, or even framing someone for the hacks. If it is this 16-year-old in England, it is likely we will see an end to the group’s activity, unless one of their partners in cyber crime takes up the mantle.”

Lapsus$ is widely believed to be based out of South America, owing to some of their earliest targets being from Portuguese-speaking countries Brazil and Portugal. A Lapsus$ member said in their Telegram group, which now has over 50,000 subscribers, that no one was arrested.

Source: Kevin Beaumont

It is unclear if Lapsus$ paid employees or vendors to gain organizational network and system access. If so, organizations need to ponder over what’s going wrong. Is the security or even general infotech staff underpaid?

Organizations also need to look at whether suppliers/vendors are being granted more than necessary access to their networks. In this regard, segmentation can go a long way in at least preventing the amount of data exfiltration in case of a breach.
