One of the Lapsus$ hackers who have stolen data the internal systems of Microsoft, Samsung, Nvidia and other companies in the past few months may be a 16-year-old living with his mother near Oxford, England.
So says Bloomberg News in an unconfirmed (and paywalled) report that cites unnamed sources. Another member of Lapsus$ is believed to be a teenager in Brazil, Bloomberg said, and there may be as many as five other individuals involved. No individuals were named and no arrests have been made.
Bloomberg's William Turton and Jordan Robertson said personal information about the Oxford teen and his parents, including street addresses, had been posted online by rival hackers.
The group cajoles tech-support workers into resetting passwords, pays insiders to provide access, and even joins in internal chatroom discussions when companies strategize about how to react to Lapsus$'s intrusions.
On Twitter, Turton said Robertson had rung the doorbell at the teen's mother's house and spoken to the mother through the intercom. The mother said she was unaware of the allegations against her son.
Bless my colleague @jordanr1000, who went to the hacker's home in Oxford this morning and interviewed his mother. https://t.co/Mbtu8oyhf1 pic.twitter.com/1ucGKAr7wtMarch 23, 2022
The Bloomberg report said the Brazilian teenager was so fast at breaking into systems that investigators initially thought they were witnessing an automated attack.
If Lapsus$ are indeed a group of bored teenagers, that would make sense. The group seems more interested in notoriety than in money, and while it does make extortion demands tied to stolen data, it does not use ransomware or indeed much malware of any kind.
Rather, the group breaks into corporate networks using bribery and trickery, a Microsoft report Tuesday (March 22) noted. It cajoles tech-support workers into resetting passwords, pays insiders to provide access, and even joins in internal chatroom discussions when companies strategize about how to react to Lapsus$'s intrusions.
The group has asked for payoffs in exchange for not publicly posting stolen data, but has also demanded, for example, that Nvidia release open-source drivers for its high-end graphics cards.
Over this past weekend, Lapsus$ posted source code for several Microsoft online projects, including Bing, Bing Maps and the Cortana digital assistant. Microsoft insisted that the posting of the source code did not pose a security risk.
