LAPSUS$ (G1004): High-Tempo Social Engineering and Extortion
- Suspected Origin
- Brazil, United Kingdom
- Motivation
- Financial Gain, Notoriety, Destructive Attacks
- Aliases
- DEV-0537, Strawberry Tempest
- Target Sectors
- Technology, Telecommunications, Government, Media, Retail, Healthcare, Manufacturing, Energy, Higher Education, Financial Services, Aviation, Luxury Fashion, Insurance
- Associated Malware
- Redline Stealer, Mimikatz, AD Explorer, RVTools, ProcessHacker, Process Explorer, ntdsutil, DCSync, Metasploit
Overview
LAPSUS$ (MITRE ATT&CK ID: G1004), also tracked as DEV-0537 and now known by Microsoft as Strawberry Tempest, is a cybercriminal threat group that burst onto the scene in mid-2021. This group stands out for its brazen, high-tempo intrusions and a distinctive modus operandi that frequently eschews traditional ransomware in favor of data theft, extortion, and destructive attacks. While initially targeting organizations in the UK and South America, LAPSUS$ quickly expanded its reach, demonstrating a global appetite for high-profile victims.
Attribution efforts suggest LAPSUS$ originated as a small, loosely organized, multinational collective, with members predominantly believed to be teenagers operating from Brazil and the United Kingdom. The Federal Bureau of Investigation (FBI) has estimated the group to have around 10 to 11 members, with a notable figure reportedly being a UK-based teenage mastermind known as “White” or “Oklaqq.” Despite arrests of members in both the UK and Brazil in 2022, and one founding member reportedly being held indefinitely in a secure psychiatric facility, the group’s activities have continued, albeit with an evolving structure.
LAPSUS$’s primary motivation is financial gain through extortion, often achieved by threatening to leak stolen data publicly. Unlike many financially motivated groups, they frequently do not deploy ransomware payloads, instead relying on the destructive potential of data deletion and service disruption as leverage. They also exhibit motivations tied to notoriety and, at times, what appears to be “for the lulz,” openly mocking victims and broadcasting their exploits via public Telegram channels. Furthermore, the group has been observed taking over individual user accounts at cryptocurrency exchanges to drain holdings, and they leverage dark web forums and their Telegram channel to sell stolen information.
Their victim selection shows little discernible pattern, with targets spanning a wide array of sectors including government, manufacturing, higher education, energy, healthcare, technology, telecommunications, media, retail, and financial services. More recently, through alliances, their scope has broadened to include aviation, luxury fashion, and insurance.
Tactics & Techniques
LAPSUS$ has carved out a niche by expertly exploiting human weaknesses and identity-based attack vectors, often with minimal reliance on technical vulnerabilities. Their initial access techniques are diverse and heavily social-engineering focused. They are known for deploying the Redline password stealer, purchasing stolen credentials and session tokens from underground forums, and even directly paying employees, suppliers, or business partners for access and multifactor authentication (MFA) approvals. Phone-based social engineering, SIM swapping, and MFA fatigue attacks are core to their methodology, allowing them to bypass strong authentication mechanisms. They also scout public code repositories for exposed credentials and leverage public-facing Remote Desktop Protocol (RDP) instances.
Once inside, LAPSUS$ engages in extensive reconnaissance and privilege escalation. They scrape corporate Microsoft SharePoint sites and access local password managers or databases to find further credentials. They also “live off the land” using legitimate tools like RVTools and ADExplorer for network reconnaissance. The group actively searches collaboration platforms such as Confluence, GitHub, Slack, Jira, Trello, Google Drive, and Microsoft 365 for sensitive data and additional credentials, including those belonging to privileged users and administrators. They have been observed impersonating help desk personnel and exploiting internal documentation or ticketing systems to gather information and raise privileges. Tools like ProcessHacker and Process Explorer are used for recon, establishing footholds, and escalating privileges.
For lateral movement, LAPSUS$ relies on compromised credentials to access corporate VPNs, RDP, and Virtual Desktop Infrastructure (VDI), as well as compromised cloud accounts. Their internal movements can be sporadic, designed to evade detection.
The group’s impact and exfiltration strategies are designed for maximum public exposure and pressure. They steal vast amounts of data, including credentials, email traffic, source code, internal communications, and collaboration data. Instead of encrypting data, they directly download it via VPNs or virtual machines and often attempt to destroy the original copies, leaving victims with no choice but to negotiate or face public leaks. A hallmark of LAPSUS$ is their use of Telegram channels, not only to announce successful breaches and dump stolen data but also to engage with subscribers, conduct polls on future targets, and even recruit insiders. A particularly aggressive tactic involves intruding on victims’ ongoing crisis communication calls to gather intelligence and influence remediation efforts.
Notable Campaigns
LAPSUS$ gained significant notoriety through a series of high-profile attacks:
- Brazilian Ministry of Health (December 2021): This was an early major incident where LAPSUS$ claimed to have stolen and deleted 50TB of data, disrupting access to COVID-19 vaccination certificates and public healthcare information.
- NVIDIA (February 2022): The group exfiltrated nearly 1TB of data, including source code, employee credentials, and proprietary information like code-signing certificates and firmware. When NVIDIA did not meet their demands, LAPSUS$ publicly leaked the data.
- Samsung (March 2022): LAPSUS$ claimed responsibility for stealing approximately 200GB of confidential source code for various technologies and algorithms related to biometric unlock operations from Samsung.
- Microsoft (March 2022): The group gained limited access to Microsoft’s systems through a compromised account, leading to the exfiltration of portions of source code for Bing, Bing Maps, and Cortana, totaling 37GB.
- Okta (January 2022, disclosed March 2022): LAPSUS$ breached Okta’s systems through the compromised account of a third-party customer support engineer, affecting a limited number of active customers.
- Uber (September 2022): This incident involved an MFA fatigue attack against an Uber EXT contractor’s credentials, leading to a breach of Uber’s internal systems.
- Rockstar Games (September 2022): LAPSUS$ published details of a breach against the gaming giant.
- Scattered LAPSUS$ Hunters Alliance (2025-2026): In a significant evolution, LAPSUS$ forged an alliance with Scattered Spider and ShinyHunters, forming a supergroup known as “Scattered LAPSUS$ Hunters.” This collective has orchestrated sophisticated, multi-stage attacks, including coordinated intrusions into the Salesforce environments of numerous global companies like Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas, Air France–KLM, Allianz, Cisco, and Pandora. They also compromised GitHub repositories of companies like Salesloft and Drift.
Associated Malware & Tools
LAPSUS$ does not primarily rely on custom-developed malware. Instead, they leverage a combination of legitimate, off-the-shelf tools and readily available malicious software to achieve their objectives. Key tools observed in their operations include:
- Redline Stealer: Used to obtain passwords and session tokens.
- Mimikatz: Employed for credential dumping.
- AD Explorer (ADExplorer): Utilized for reconnaissance within Active Directory environments.
- RVTools: Used to shut down servers.
- ProcessHacker and Process Explorer: Employed for reconnaissance, establishing footholds, and privilege escalation, including disabling endpoint agents.
- ntdsutil and DCSync: Likely used for credential dumping from Active Directory.
- Metasploit: A common penetration testing framework that LAPSUS$ has repurposed.
Their tactical use of these tools often involves downloading them directly from platforms like GitHub from within a victim’s compromised environment, demonstrating a lack of operational security in some instances but effective execution nonetheless.
Current Status
While initial reports in early 2022 suggested a potential period of inactivity following arrests of several members, LAPSUS$ has demonstrated a clear resilience and evolution. The group re-emerged in late 2022, notably with attacks against Uber and Rockstar Games.
More significantly, LAPSUS$ has transitioned and evolved through strategic alliances. Since mid-2025, the group has been observed operating as a key component of a larger, more organized cybercrime alliance known as “Scattered LAPSUS$ Hunters.” This collective also includes members from the notorious Scattered Spider and ShinyHunters groups. This alliance has actively engaged in sophisticated, multi-stage attacks, utilizing advanced social engineering, data theft, and extortion tactics against global enterprises across various sectors. Recent activity in February 2026 saw “Scattered Lapsus$Hunters” claiming responsibility for a breach against Adidas. Okta Threat Intelligence also published on a related cluster (O-UNC-066) in July 2026, which is linked to this broader cybercrime milieu.
Therefore, LAPSUS$ should be considered an Active threat actor, having adapted its operational model to be part of a larger, more formidable alliance, continuing to pose a significant risk to organizations worldwide through its characteristic social engineering and extortion-based campaigns.
Related content
FIN6: From POS Skimming to Ransomware and Enterprise Infiltration
Adversary ProfileCopyKittens: Persistent Iranian Cyber Espionage Group
Adversary ProfileCleaver (G0003): Iranian APT Targeting Critical Infrastructure
Adversary ProfileAPT1 Threat Profile: China's Pioneering Cyber Espionage Unit
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call