Suspected LAPSUS$ group member arrested in Brazil

The Brazilian Federal Police have arrested a suspect after an investigation into last year’s breach of the Brazilian Ministry of Health. Responsibility for the breach was claimed by the LAPSUS$ group, when users found a message stating that system data had been copied and deleted and was in the hands of the group.

LAPSUS$ is a relative newcomer to the cybercrime scene that first appeared in the summer of 2021. It has made a name for itself by leaking sensitive information from some big targets. At the time it was thought that the group hailed from South America, based on its earliest targets and the near-native use of Spanish and Portuguese.

LAPSUS$ is also believed to be responsible for invading the systems of Empresa Brasileira de Correios e Telégrafos, and Localiza Rent a Car, as well as several others in South America, the United States and Europe, including Sociedade Independente de Comunicação, a private television channel in Portugal, the group Impresa, Electronic Arts, Globant, Nvidia, Okta, Uber, and many others.


In March 2022, the City of London Police said they had arrested seven teenagers in relation to LAPSUS$. Two of the seven suspects were charged with hacking offenses and one was re-arrested later after an attack on Rockstar Games.

The group is likely to be widespread. It has been growing due to its big successes and even bigger claims. The group has an international outreach, especially since it is very active on Telegram and the Dark Web. Based on linguistic analysis, the group is believed to also have Russian, Turkish, and German native speakers among their admins.


LAPSUS$ is mainly an information stealing operation that uses every possible method it can: paying insiders, SIM-jacking, exploiting vulnerabilities in software like Confluence, JIRA, and GitLab, buying or searching for leaked credentials, and using AD Explorer, a publicly available tool to enumerate all users and groups in a network.

Most of the time the breached organization is extorted to pay a ransom to prevent the group from leaking the exfiltrated information, but in a few cases the group simply sold or published the stolen information without contacting the victim organization. In the case of the Nvidia breach, LAPSUS$ claimed it was mainly after the removal of the lite hash rate (LHR) limitations in all GeForce 30 series firmware—apparently all to help out gamers and the mining community.

Organized crime

The availability of fast internet has brought cybercriminals from all over the world together and allows them to cooperate internationally. Using end-to-end encrypted communications and the Dark Web allows them to do business below the radar of law enforcement agencies.

Koen Hermans, Dutch national public prosecutor for cybercrime, said at the ONE-conference:

“At least 80% of cyberattacks are now caused by organized crime groups and data, tools and expertise are widely shared. Cybercriminal knowledge and skills are shared and offered for sale online, via messaging services, the dark web and other platforms. There is a revenue model behind it, in which cybercrime – according to experts – has already overtaken the international drug trade in terms of profitability.”

This requires law enforcement agencies to cooperate internationally, which seems to be easier for some. The FBI and Europol have been able to achieve some successes by deploying cybertechniques against criminals, but their success rate seems to be lower when the criminal activities are conducted digitally and require virtually no physical activities. It is easier to track a shipment of weapons or drugs than to monitor the trade in stolen information.

The result is a growing demand for specialized experts, for which the police force will need a good deal of extra funds and staff.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.