LAPSUS$
LAPSUS$ is a financially motivated data extortion group, also tracked by Microsoft as DEV-0537 and referred to in reporting as Lapsus, Lapsus$, Slippy Spider, and Strawberry Tempest. Reporting also notes analytical overlap or comparison with Scattered Spider, ShinyHunters, and broader Com-affiliated activity, but only LAPSUS$ and DEV-0537 are directly identified as this actor. The group became prominent in late 2021 and 2022 for high-profile intrusions and extortion against major organizations including NVIDIA, Samsung, Microsoft, Okta, Mercado Libre, Vodafone, and Ubisoft.

Its model is data theft and extortion rather than classic ransomware encryption: it steals source code, credentials, and other sensitive files, then threatens public release or leaks the data directly. Reporting states that LAPSUS$ uploaded sensitive files, information, and credentials from targeted organizations for extortion or public release.

Microsoft describes LAPSUS$/DEV-0537 as primarily obtaining initial access through compromised credentials. Reported access methods include use of RedLine stealer to obtain passwords and session tokens, purchasing credentials and session tokens on underground forums, searching public repositories for exposed credentials, paying insiders at victim organizations or suppliers for credentials or MFA approval, compromising employees' personal email accounts to facilitate password resets, SIM swapping, session replay, MFA fatigue, and phone-based social engineering including help-desk deception. Reporting also credits LAPSUS$ with popularizing phone-based intrusion tactics during its 2021-2022 campaign. After gaining access, the group has been reported using AD Explorer and RVTools, targeting collaboration and development platforms such as SharePoint, Confluence, JIRA, Slack, Microsoft Teams, GitLab, GitHub, and Azure DevOps, and in some cases exploiting Confluence, JIRA, and GitLab for privilege escalation.

Microsoft reported that LAPSUS$ exfiltrated data over NordVPN connections, monitored incident response communications through compromised Slack or Teams channels, and sometimes performed destructive actions to trigger incident response.

Victim-specific activity in the reporting includes:
- claims of stealing 1TB of data from NVIDIA and leaking archives containing source code, schematics, drivers, firmware, SDKs, Falcon-related information, and employee password hashes;
- leaking nearly 190GB of Samsung source code including TrustZone applets, biometric unlock algorithms, bootloader code, Samsung account authentication technology, activation server code, and some Qualcomm-related code;
- compromising a Microsoft employee account and stealing portions of source code related to Bing, Cortana, and Bing Maps;
- breaching Okta;
- claiming access to 24,000 Mercado Libre and Mercado Pago repositories;
- claiming responsibility for Vodafone source code theft.

Reporting also states that LAPSUS$ later cooperated with TeamPCP in a joint sale of stolen GitHub repositories for $95,000. LAPSUS$ is repeatedly described as active on Telegram and Discord, where it publicly bragged about operations, ran extortion communications, and maintained a large subscriber base. Reporting also notes multiple arrests and law-enforcement actions tied to alleged members, including UK arrests and charges in 2022. The reporting does not attribute LAPSUS$ to a nation state; it characterizes the group as a cybercriminal or extortion actor.
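The MFA-fatigue access method described above leaves a recognisable trace in sign-in telemetry: a burst of denied push prompts for one user, followed by an approval. The following detection is an added example written for this profile, not code from the reporting or from Mallory; the log format, the 10-minute window, and the three-denial threshold are assumptions, and the log lines are constructed.

```python
# Added example (not from the profile or Mallory): flag the MFA-fatigue pattern
# (repeated push denials, then an approval) in constructed sign-in log lines.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumption: prompts within 10 min form one burst
DENIALS_BEFORE_ALERT = 3         # assumption: 3+ denials then an approval is suspicious

# Constructed sample log, one event per line: "<ISO timestamp> <user> <push outcome>"
SAMPLE_LOG = """\
2022-03-01T08:00:05 alice push_denied
2022-03-01T08:01:10 alice push_denied
2022-03-01T08:02:15 alice push_denied
2022-03-01T08:03:40 alice push_approved
2022-03-01T09:15:00 bob push_approved
2022-03-01T10:00:00 carol push_denied
2022-03-01T10:30:00 carol push_approved
"""

def parse(log_text):
    """Yield (timestamp, user, event) tuples; the log is assumed to be time-ordered."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        yield datetime.fromisoformat(ts), user, event

def find_mfa_fatigue(log_text):
    """Return (user, approval_time, denial_count) for every approval that was
    preceded by at least DENIALS_BEFORE_ALERT denials inside WINDOW."""
    recent = defaultdict(deque)  # user -> timestamps of denials still inside WINDOW
    alerts = []
    for ts, user, event in parse(log_text):
        q = recent[user]
        while q and ts - q[0] > WINDOW:   # expire denials older than the window
            q.popleft()
        if event == "push_denied":
            q.append(ts)
        elif event == "push_approved":
            if len(q) >= DENIALS_BEFORE_ALERT:
                alerts.append((user, ts, len(q)))
            q.clear()   # an approval ends the burst whether or not it alerted
    return alerts

if __name__ == "__main__":
    for user, ts, n in find_mfa_fatigue(SAMPLE_LOG):
        print(f"possible MFA fatigue: {user} approved at {ts} after {n} denials")
```

Carol's single denial half an hour before her approval falls outside the window and does not alert; only Alice's three denials followed by an approval do.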
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
- Technology Hardware & Equipment
- Government & Administration
Tradecraft
46 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
15 malware families attributed to this actor across reporting.
10 additional families tracked in Mallory.
Associated vulnerabilities
9 CVEs this actor has used in observed campaigns. 9 of them exploited in the wild.
BleepingComputer reported that threat actors leveraged credentials stolen through the Trivy supply chain compromise (CVE-2026-33634) to breach Cisco's internal development environment... The CISA KEV remediation deadline for CVE-2026-33634 is today, April 8, 2026... Beyond patching Trivy to v0.69.2+, trivy-action to v0.35.0, or setup-trivy to v0.2.6, organizations must also complete credential rotation.
Researchers analyzed leaked scripts used by attackers to exploit CVE-2025-61882 on internet-facing Oracle EBS instances. The exploit uses a crafted request with a return_url to coerce the server into fetching an attacker payload (SSRF), retrieving a malicious XSL with embedded JavaScript executed via Java javax.script, leading to a reverse shell. Mandiant reports exploitation and data theft starting Aug 2025; CISA added it to KEV; Oracle provided fixes and IOCs.
This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.
4 more CVEs tied to this actor tracked in Mallory.
Observables
10 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Known for extortion campaigns and for popularizing phone-based social-engineering intrusions involving fake help-desk style tactics.
Presented as one of the names associated with the broader Com-linked cybercriminal ecosystem.
Extortion-focused cybercriminal group known for compromising major companies including Microsoft and Nvidia.
Referenced as cooperating with TeamPCP to sell stolen GitHub data following the GitHub supply-chain compromise.