Lapsus$: Teenagers Bribe Telecom Employees to Breach Microsoft, Nvidia, and Uber

A group of teenagers — mostly from the UK and Brazil — extorted their way into Microsoft, Nvidia, Samsung, Okta, and Uber using SIM swapping, employee bribery, and dark web credential purchases rather than technical exploits.

Microsoft / Nvidia / Okta · 2022

Background

Lapsus$ was an unusual threat actor: loosely organised, financially motivated teenagers who operated openly on Telegram, taunted victims publicly, and made little effort to hide their identities. Their methods were almost exclusively social engineering rather than technical exploitation.

The Attack

Lapsus$ used multiple approaches: SIM swapping (bribing telecom employees to port victims' phone numbers to attacker SIMs, bypassing SMS-based MFA), purchasing stolen credentials on dark web markets, and in several cases directly advertising on Telegram offering cash to corporate employees willing to provide VPN access. They posted their exploits in real time on Telegram, leaking 190GB of Nvidia source code, Samsung's entire source code repository, and Ubisoft game source code. They accessed Okta's customer support systems via a subcontractor, potentially affecting 366 Okta customers.

Response

Microsoft published a detailed technical report on Lapsus$ tactics after the group published 37GB of Microsoft's source code. UK police arrested seven teenagers aged 16–21. The attacks prompted CISA and international agencies to issue guidance deprecating SMS-based MFA in favour of hardware tokens.

Outcome

Lapsus$ demonstrated that the most sophisticated defences can be bypassed by the oldest technique: bribing insiders. The group's willingness to operate publicly and taunt victims created significant reputational damage beyond the technical breach. Several members were sentenced to youth detention.

Key Takeaways

  1. SMS-based MFA is vulnerable to SIM swapping — replace with hardware security keys (FIDO2)
  2. Insider threat from bribed employees is as dangerous as external attackers
  3. Source code exposure enables subsequent supply chain and vulnerability research attacks
  4. Social engineering via financial incentives targets all levels of corporate hierarchy
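To act on the first takeaway, here is an added example (not from the original article) that audits an exported list of user MFA enrolments and flags accounts whose only factors are SMS or voice codes, which SIM swapping defeats; the record layout, factor names and sample users are assumptions, not any identity provider's real export format.

```python
"""Audit MFA enrolments for factors that a SIM swap can defeat.

Added example; the record layout and factor type strings are constructed
for illustration and must be mapped to the real IdP export before use.
"""
from dataclasses import dataclass, field

PHISHING_RESISTANT = {"fido2", "webauthn"}   # hardware security keys / passkeys
SIM_DEPENDENT = {"sms", "voice"}             # useless once the number is ported


@dataclass
class User:
    login: str
    factors: list[str] = field(default_factory=list)


def classify(user: User) -> str:
    """Return the weakest-link status of a user's MFA enrolment."""
    enrolled = {f.lower() for f in user.factors}
    if not enrolled:
        return "no-mfa"
    if enrolled & PHISHING_RESISTANT:
        return "ok"                      # at least one phishing-resistant factor
    if enrolled <= SIM_DEPENDENT:
        return "sim-swappable"           # every factor rides on the phone number
    return "weak"                        # OTP app / push: phishable, but not by SIM swap alone


def audit(users: list[User]) -> dict[str, str]:
    """Map each login that needs remediation to its finding."""
    return {u.login: classify(u) for u in users if classify(u) != "ok"}


# Constructed sample export: a handful of users with mixed enrolments.
SAMPLE = [
    User("alice", ["sms"]),
    User("bob", ["sms", "fido2"]),
    User("carol", ["totp", "sms"]),
    User("dave", []),
    User("erin", ["voice"]),
]

if __name__ == "__main__":
    for login, status in sorted(audit(SAMPLE).items()):
        print(f"{login:8} {status}")
```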
Tags: SIM swapping, insider bribery, Lapsus$, MFA bypass, source code leak