In a landmark case in London, two British teenagers have been found guilty of their involvement in the infamous LAPSUS$ international hacking group. The duo, known for their audacious cyber attacks on major tech companies, demanded ransoms in return for not releasing stolen data.
The two culprits are Arion Kurtaj, an 18-year-old from Oxford who goes by various aliases such as White, Breachbase, WhiteDoxbin, and TeaPotUberHacker, and a minor whose identity has not been disclosed. The pair began their illicit collaboration in July 2021 after meeting online, as reported by the BBC.
Initially apprehended and released pending further investigation in January 2022, both were subsequently re-arrested and charged by the City of London Police in April 2022. Following his doxxing on an online cybercrime forum, Kurtaj was granted bail and relocated to a hotel in Bicester. Despite this, he continued his hacking activities, targeting companies such as Uber, Revolut, and Rockstar Games, leading to his re-arrest in September.
Another alleged member of the group was detained by Brazilian authorities in October 2022. Key to their extortion plots was their adeptness at SIM swapping and prompt bombing attacks, which allowed them to gain unauthorized access to corporate networks following an extensive phase of social engineering.
The operation, driven by financial motives, also involved soliciting rogue insiders via their Telegram channel, who could provide access to organizations through Virtual Private Network (VPN), Virtual Desktop Infrastructure (VDI), or Citrix credentials.
A recent U.S. government report highlighted that the group offered up to $20,000 per week for access to telecommunications providers to facilitate their SIM swap attacks. The report described LAPSUS$ as unique due to its “effectiveness, speed, creativity, and boldness,” and its ability to weaponize a “playbook of effective techniques.”
The Department of Homeland Security’s (DHS) Cyber Safety Review Board (CSRB) explained that LAPSUS$ obtained basic victim information, such as names and phone numbers, through various means, including issuing fraudulent Emergency Disclosure Requests and using account takeover techniques to hijack the accounts of telecommunications provider employees and contractors. The group then executed fraudulent SIM swaps using the telecommunications provider’s customer management tools.
After executing the fraudulent SIM swaps, LAPSUS$ took over online accounts via sign-in and account recovery workflows that sent one-time links or MFA passcodes via SMS or voice calls. Other methods of initial access included employing initial access brokers (IABs) and exploiting security flaws.
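The prompt-bombing attacks mentioned above rely on a user eventually approving one of many repeated MFA push requests. As an added example, not code from the article or from any company it names, the Python below flags that push-fatigue pattern in constructed MFA log lines; the log format, field names, window and threshold are assumptions.

```python
"""Detect MFA prompt bombing (push fatigue) in MFA authentication logs.

Added example for illustration; the log format (timestamp, user, push
result, source IP), the 10-minute window and the threshold of 4 are
assumed, not taken from any real product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice.k receives a burst of pushes and finally
# approves one (the pattern a defender wants to catch); bob.m is normal.
SAMPLE_LOG = """\
2022-09-15T02:01:05Z alice.k push_denied 203.0.113.7
2022-09-15T02:01:40Z alice.k push_denied 203.0.113.7
2022-09-15T02:02:12Z alice.k push_denied 203.0.113.7
2022-09-15T02:02:50Z alice.k push_denied 203.0.113.7
2022-09-15T02:03:31Z alice.k push_denied 203.0.113.7
2022-09-15T02:04:02Z alice.k push_approved 203.0.113.7
2022-09-15T09:10:00Z bob.m push_approved 198.51.100.4
2022-09-15T09:30:00Z bob.m push_denied 198.51.100.4
2022-09-15T10:15:00Z bob.m push_approved 198.51.100.4
"""

def parse_line(line):
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip

def detect_prompt_bombing(log_text, window=timedelta(minutes=10), threshold=4):
    """Return {user: finding} for users with >= threshold non-approved pushes
    inside `window`, and note whether an approval followed the burst (the
    sign that fatigue succeeded and the session should be treated as hostile)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result, ip = parse_line(line)
            events[user].append((ts, result, ip))
    findings = {}
    for user, evs in events.items():
        evs.sort()
        not_approved = [e for e in evs if e[1] != "push_approved"]
        for i, (start, _, _) in enumerate(not_approved):
            burst = [e for e in not_approved[i:] if e[0] - start <= window]
            if len(burst) >= threshold:
                burst_end = burst[-1][0]
                approved_after = any(
                    r == "push_approved" and burst_end <= t <= burst_end + window
                    for t, r, _ in evs)
                findings[user] = {"denied_pushes": len(burst),
                                  "source_ips": sorted({e[2] for e in burst}),
                                  "approved_after_burst": approved_after}
                break
    return findings
```

A finding with `approved_after_burst` set is the case to escalate: revoke the session, re-verify the user out of band, and review the source IP against the user's normal locations.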
Once inside, the hackers escalated privileges, moved laterally across the network, set up persistent access via remote desktop software such as AnyDesk and TeamViewer, and disabled security monitoring tools. Companies infiltrated by LAPSUS$ include BT, EE, Globant, LG, Microsoft, NVIDIA, Okta, Samsung, Ubisoft, and Vodafone. It remains unclear whether any of the breached companies paid the demanded ransoms.
The sentencing of the teenagers will take place at a later date. The CSRB noted that the group gained notoriety due to its successful attacks on well-defended organizations using highly effective social engineering. They targeted supply chains by compromising business process outsourcing providers (BPOs) and telecommunications providers, and used their public Telegram channel to discuss operations, targets, and successes, and even to communicate with and extort their targets.