Naked Security

UK police arrest 7 hacking suspects – have they bust the LAPSUS$ gang?

Seven alleged hackers have been arrested in the UK. But who are they, and which hacking crew are they from?

You’ve almost certainly heard of the LAPSUS$ hacking crew.

That’s lapsus, which is as good a Latin word as any for “data breach”, followed by a dollar sign, like a text variable in BASIC.

Microsoft refers to this cybergang by the more pedestrian moniker of “the DEV-0537 actor”, and noted, in a blog post earlier this week, that the group has been involved in:

[A] large-scale social engineering and extortion campaign against multiple organizations, with some seeing evidence of destructive elements.

According to Microsoft, the scale of the LAPSUS$ infiltrations has been huge:

Early observed attacks by DEV-0537 targeted cryptocurrency accounts resulting in compromise and theft of wallets and funds. As they expanded their attacks, the actors began targeting telecommunication, higher education, and government organizations in South America. More recent campaigns have expanded to include organizations globally spanning a variety of sectors. Based on observed activity, this group understands the interconnected nature of identities and trust relationships in modern technology ecosystems and targets telecommunications, technology, IT services and support companies – to leverage their access from one organization to access the partner or supplier organizations. They have also been observed targeting government entities, manufacturing, higher education, energy, retailers, and healthcare.

Source code grab

Indeed, as the article goes on to admit, Microsoft itself was one of the companies that LAPSUS$ managed to compromise, allegedly making off with gigabytes of Microsoft source code.

Fascinatingly, Microsoft notes that the LAPSUS$ crew went public even while that data theft was in progress (the group seems to like bragging openly on Telegram about hacks it’s busy with and businesses that it’s determined to embarrass).

The Microsoft security team wryly noted that “[t]his public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”

Other cybercrimes attributed to LAPSUS$ include a January break-in at 2FA (two-factor authentication) service provider Okta, which ultimately only came to light this week

…and an unusual extortion attempt against graphics card company Nvidia, which we discussed two weeks back on the Naked Security Podcast:

Most ransomware extortions, whether they’re old-school ransom notes offering decryption keys to unlock scrambled files, or whether they follow the more recent cybercrime path of blackmailing companies in return for not leaking, selling or dumping stolen data…

…demand money, often huge amounts of money, to be paid in cryptocurrency.

But in the Nvidia standover, the LAPSUS$ gang variously demanded that Nvidia open-source its graphics drivers, or remove the limitations imposed on recent Nvidia graphics cards to restrict their use in cryptomining.

Seven suspects busted

Tonight, the news wires are buzzing with stories stating that seven suspected hackers have been arrested in the UK, with many headlines insisting that this is a “LAPSUS$ bust”.

So far, however [2022-03-25T00:01Z], we haven’t actually seen anything that explicitly connects these arrests with the DEV-0537 a.k.a. LAPSUS$ group.

The closest we’ve seen is a report on popular technology site TechCrunch quoting a City of London Police officer as saying:

[We have] been conducting an investigation with its partners into members of a hacking group. Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing.

You may also have seen reports earlier this week about a doxxing incident dating back to January 2022 in which a youngster allegedly from the Cherwell District in Oxfordshire, England, was “identified” as a kingpin in LAPSUS$.

Doxxing is where a cybercriminal publicly dumps what they claim is detailed personal information about another criminal they’ve fallen out with, or about a victim whose life they want to throw into disarray. “Dox” is short for “documents” in the same way that “tix” is short for tickets, so the verb “doxxing” means dumping official, or at least official-sounding, details about someone’s life, possibly also including information about their family.

Cybersecurity journalist Brian Krebs, for example, recently published an investigative writeup about LAPSUS$ and this alleged ringleader, who apparently uses a variety of handles including white and breachbase.

Intriguingly, the doxxed data claims that the youngster is 17 years old (he would have been 16 back in January, when the data was dumped), which would indeed put him within the 16-to-21 age bracket of the seven suspects arrested today, albeit that he would not be the youngest.

The unknown unknowns

As far as we are aware, however, neither the Thames Valley Police, who look after law enforcement in the Oxfordshire area (and who are, ironically, themselves headquartered in the Cherwell District), nor the City of London Police, whom we quoted above, have yet gone public with any specific information about these busts.

So we don’t officially know whether the alleged kingpin of LAPSUS$ is amongst the seven who’ve been busted, or even if the arrests are related to LAPSUS$ at all. (If breachbase were amongst those arrested, of course, the police would not identify him anyway if his age were 17.)

Watch this space – this is almost certain to get interesting!


I hope they hack Google next.


I must admit that’s not what I expected to see in the comments ?!!?


Paul, you might have been too busy writing coherent, detailed tech articles to have noticed the plot of the movie “Idiocracy” busily playing itself out in the real world. Also: Please don’t feed the trolls. Cheers!


This is incorrect, they were arrested yesterday and released on investigation.


Do you know, those very words appear right there in the article (minus the words “this is incorrect”)…


Being in the IT field for many years, this is the very reason I keep my email down to a couple sentences. These days, the short attention spans only allow folks to read the subject line and then gloss through the rest.


The title: “…have they bust….” — shouldn’t that be “…have they busted….”?


I’m sticking with “bust”, not least because it’s an informal word to start with. As in, “I really bust a gut riding up that hill.” The police bust them yesterday; they’ve been busted. (The real question, as the article makes clear, is who are “they” in this story?)


Why such anonymity? This has been circulating on the internet yet their id is still withheld. They do not even care about the privacy of others yet who are they? What do they look like? Are they my son’s/daughter’s friends? Is my son/daughter also involved because they chat with them? Have I chatted with them accidentally? Are they ai? Don’t tell me privacy act works here and they already leaked others’ personal data in the web.


So, what you’re saying is that as soon as something “circulates on the internet”, that means it’s obviously true enough to be published and endorsed, apparently officially, by law enforcement, by the courts, by the public at large?

If and when these people get charged with criminal offences, that information – but not their identities if they are protected by law, e.g. due to age – will almost certainly become a matter of public record.

My suspicion is that if your son/daughter is involved with this sort of activity and you haven’t yet figured out that something in their online activities is haywire, then simply knowing “who these people are” based on their doxxed names, nicknames and photos is unlikely to help you much anyway. Your son/daughter – let’s assume they’re guilty too, for the sake of argument – probably doesn’t know their real names, probably hasn’t met them IRL, may know them by a whole slew of different handles and – because we’re assuming they’re guilty – only has to shrug and deny everything to leave you no better off. (Likewise, if your son/daughter is entirely innocent, and innocently admits to “knowing” someone online who goes by the handle “white”, or something like that, where does that leave you? Are we talking about the person alluded to in this article, or one of the other multimillions of youngsters online? If we are talking about the person alluded to in the article, how do you know they themselves aren’t just the victim of a cybercrime, deliberately doxxed for poisonous reasons by someone who hates them, to make them look guilty when they aren’t?)

Criminal process in the UK is based, amongst numerous other things, on the presumption of innocence. Even people who have an illiberal, unforgiving, hard-line view on crime and the causes of crime will tell you that there is one compelling reason why the presumption of innocence is a principle to be respected: one day, the person whose innocence is being presumed…

…might just be you.

